Horizen Migration solidity smart contracts only, no Python Scripts are under scope.

Horizen launched in 2017 and its transformation into a more advanced platform marks a pivotal milestone in our mission to build a trusted and safer digital future for everyone.

Our journey began with a commitment to privacy and has evolved into creating a comprehensive ecosystem where developers can build groundbreaking applications without compromising on security or scalability.

Horizen empowers developers to build secure and privacy-focused applications. Through zero-knowledge technology, we enable both privacy and verifiable trust, ensuring compliance while protecting sensitive information. Choose from multiple proof verifiers to tailor your dApps, enhancing performance and trust across digital ecosystems.

Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield

Permanent freezing of funds

Temporary freezing of funds

Execute arbitrary system commands

Subdomain takeover with already-connected wallet interaction

Direct theft of user funds

Malicious interactions with an already-connected wallet, such as:
- Modifying transaction arguments or parameters
- Substituting contract addresses
- Submitting malicious transactions

Injecting/modifying the static content on the target application without JavaScript (persistent), such as:
- HTML injection without JavaScript
- Replacing existing text with arbitrary text
- Arbitrary file uploads, etc.

Horizen’s codebase

Horizen’s Documentation

__Reward Calculation for Critical Level Reports__

For critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 20000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 15000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.

For critical web/apps bugs, reports will be rewarded with 15000, only if the impact leads to:
- A loss of funds involving an attack that does not require any user action
- Private key or private key generation leakage leading to unauthorized access to user funds 

All other impacts that would be classified as Critical would be rewarded a flat amount of 10000.  

__Repeatable Attack Limitations__

If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward.

The amount of funds at risk will be calculated with the impact of the first attack being at 100% and then a reduction of 25% from the amount of the first attack for every [300 blocks] the attack needs for subsequent attacks from the first attack, rounded down.


__Reward Calculation for High Level Reports__

High vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of 2000 to 15000 with the reward calculated based on 100% of the funds at risk, though capped at the maximum high reward. 

In the event of temporary freezing, the reward doubles from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward.

Horizen

Codebase

Documentation