Illuvium
Welcome to the world of Illuvium. A shattered land of beauty and wonder. Travel the vast and varied landscape hunting dangerous beasts, then capture them to battle in the Arenas or trade via the exchange.
PoC required
Select the category you'd like to explore
Assets in Scope
Impacts in Scope
Substantial loss of funds (>=1,000,000 USD) resulting in direct benefit of a malicious party
Complete authentication bypass (ability to fully impersonate another user/player and perform financial actions on their behalf) - except those excluded via the out-of-scope section below
3rd party API key/token leakage that could cause substantial financial loss
Private key / seed / mnemonic leakage that could cause substantial financial loss
Loss of funds that does not result into direct benefit of a malicious party or the benefit to the malicious party is relatively small compared to the financial impact (in terms of cost of effort to address, brand damage as well as damage to treasury funds)
Code/system command execution on a remote system which would undermine all server-side controls
Subdomain takeovers which could lead to financial loss (e.g. initiate / sign transaction from the taken-over domain)
Vertical privilege escalation (e.g. a player performing administrative or internal tasks which could circumvent business logic or server side controls)
Persistent XSS which could result to financial loss
Issues that do not directly result in loss of funds, but may have indirect financial impact (cause brand damage, or result in temporary unavailability of a service/contract, or lead to significant increased gas costs
DoS excluding load-based (D)DoS
NoSQL/SQL injection without financial loss
Out of scope
-
Any assets (including, but not limited to, ERC20, ERC721, ERC1155) accidentally* sent to any of the deployed contracts may get lost.
-
*) Not in a designed way (example: via ERC20 transfer function)
-
Load-based DoS/DDoS
-
Clickjacking attacks without a documented series of clicks that produce a vulnerability
-
Assumed vulnerabilities based upon version numbers only
-
Attacks that require social engineering / phishing
-
Spam (including issues related to SPF/DKIM/DMARC)
-
Detailed errors/stack traces by themselves, unless they can be used to aid finding or exploiting subsequent issues in scope.
-
Vulnerabilities that require access to passwords, tokens, or the local system
-
Attacks bypassing functions of AWS Cognito, such as authentication
-
Best practice critiques
Smart Contract specific
- Incorrect data supplied by third party oracles
- Not to exclude oracle manipulation/flash loan attacks
- Impacts requiring basic economic and governance attacks (e.g. 51% attack)
- Lack of liquidity impacts
- Impacts from Sybil attacks
- Impacts involving centralization risks
All categories
- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
- Impacts caused by attacks requiring access to leaked keys/credentials
- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed
- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
- Best practice recommendations
- Feature requests
- Impacts on test files and configuration files unless stated otherwise in the bug bounty program
- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers