Polygon
Polygon is a Layer 2 scaling solution that achieves scale by utilizing sidechains for off-chain computation and a decentralized network of Proof-of-Stake (PoS) validators.
PoC required
KYC required
Select the category you'd like to explore
Assets in Scope
Impacts in Scope
Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table. The final classification however takes into consideration the likelihood of the impact being achieved based on the table below. When submitting a bug report, select the original assigned impact level, but please be aware that its severity level may be reassigned based on the likelihood according to this table.
| Impact \ Likelihood | Critical | High | Medium | Low | Informational |
|---|---|---|---|---|---|
| Critical | Critical | Critical | High | Medium | Informational |
| High | High | High | High | Medium | Informational |
| Medium | Medium | Medium | Medium | Low | Informational |
| Low | Medium/Low | Medium | Low | Low | Informational |
| None | Informational | Informational | Informational | Informational | Informational |
In addition to Immunefi’s Vulnerability Severity Classification System, Polygon classifies vulnerabilities using the Common Vulnerability Scoring System (CVSS). In case of discrepancy, final determination is done by Polygon.
Impacts to other assets
Hackers are encouraged to submit issues outside of those outlined Impacts and Assets in Scope.
If Whitehats can demonstrate a critical impact of code in production for an asset not in scope, Polygon Labs encourages you to submit your bug report using the “primacy of impact exception” asset as outlined below.
Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
Permanent freezing of funds
Protocol insolvency
Temporary freezing of funds for at least 1 week
Theft of user fees
Theft of gas
Denial of service attacks
Unbounded gas consumption
Out of scope
- Broken link hijacking is out of scope
- Loss of funds held by third parties
- Best practice critiques
- Attacks using vulnerable, old or deprecated libraries, that are not exploitable
Smart Contracts and Blockchain/DLT
- Previously known vulnerabilities (resolved or not) on the Ethereum network (and any other fork of these).
- Previously known vulnerabilities in Tendermint and or/any other fork of these.
- Previously known vulnerabilities in cosmos-sdk and or/any other fork of these.
- Basic economic governance attacks (e.g. 51% attack)
- Lack of liquidity
- Best practice critiques
- Sybil attacks
- Centralization risks
- Attacks using vulnerable, old or deprecated libraries, that are not exploitable
Smart Contract specific
- Incorrect data supplied by third party oracles
- Not to exclude oracle manipulation/flash loan attacks
- Impacts requiring basic economic and governance attacks (e.g. 51% attack)
- Lack of liquidity impacts
- Impacts from Sybil attacks
- Impacts involving centralization risks
All categories
- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
- Impacts caused by attacks requiring access to leaked keys/credentials
- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed
- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
- Best practice recommendations
- Feature requests
- Impacts on test files and configuration files unless stated otherwise in the bug bounty program
- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers
7.0M from 50 paid reports