Ēnosys Bridge Bug Bounty Program

11 months ago

Smart contracts

Critical

- Any governance voting result manipulation
- Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
- Permanent freezing of funds
- Protocol insolvency
- Fee payment bypass

High

- Theft of unclaimed validator or protocol fees
- Permanent freezing of unclaimed validator or protocol fees
- Temporary freezing of funds (for >24 hours)

Medium

- Smart contract unable to operate due to lack of token funds (for >3 minutes)
- Block stuffing for profit
- Griefing (e.g., no profit motive for an attacker, but damage to the users or the protocol)
- Theft of gas
- Unbounded gas consumption

Low

- Contract fails to deliver promised returns, but doesn’t lose value

Frontend

Critical

- Retrieve sensitive data/files from a running server (this does not include non-sensitive environment variables, open source code, or usernames), such as blockchain keys
- Taking down the application/website
- Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user
- Subdomain takeover with already-connected wallet interaction
- Direct theft of user funds

- Malicious interactions with an already-connected wallet, such as:
  - Modifying transaction arguments or parameters
  - Substituting contract addresses
  - Submitting malicious transactions

High

- Injecting/modifying the static content on the target application without JavaScript (Persistent), such as:
  - HTML injection without JavaScript
  - Replacing existing text with arbitrary text

- Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as:
  - Email or password of the victim, etc.

- Improperly disclosing confidential user information, such as:
  - Email address
  - Phone number
  - Physical address, etc.

- Subdomain takeover without already-connected wallet interaction

Medium

- Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction
- Injecting/modifying the static content on the target application without JavaScript (Reflected), such as:
  - Reflected HTML injection
  - Loading external site data
  - Redirecting users to malicious websites (Open Redirect)

Low

- Changing details of other users (including modifying browser local storage) without already-connected wallet interaction and with significant user interaction, such as:
  - Iframing leading to modifying the backend/browser state (must demonstrate impact with PoC)
- Taking over broken or expired outgoing links, such as:
  - Social media handles, etc.
- Temporarily preventing a user from accessing the target site, such as:
  - Locking the victim out of login
  - Cookie bombing, etc.

Informational

- Missing HTTP Headers without demonstrated impact
- UI/UX best practices recommendations

The following impacts and attack vectors are out of scope:

- Attacks that the reporter has already exploited themselves, leading to damage
- Attacks requiring access to leaked keys/credentials
- Attacks requiring access to privileged addresses (governance, strategist), except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible
- Broken link hijacking

Smart Contracts:

- Basic economic governance attacks (e.g., 51% attack)
- Lack of liquidity
- Best practice critiques
- Sybil attacks
- Centralization risks

Frontend:

- Theoretical impacts without any proof or demonstration
- Content spoofing / Text injection issues
- Self-XSS
- Captcha bypass using OCR
- CSRF with no security impact (logout CSRF, change language, etc.)
- Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”)
- Server-side information disclosure such as IPs, server names, and most stack traces
- Vulnerabilities used to enumerate or confirm the existence of users or tenants
- Vulnerabilities requiring unlikely user actions
- URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)
- Lack of SSL/TLS best practices
- Attacks involving DDoS
- Attacks requiring privileged access from within the organization
- SPF records for email domains
- Feature requests
- Best practices

WatchPug Audits:

- https://www.hacknote.co/17c261f7d8fWbdml/1864eff7124wF20G
- https://www.hacknote.co/17c261f7d8fWbdml/187022e732aVega9
- https://www.hacknote.co/17c261f7d8fWbdml/1877a33caa29y5CD

The following activities are prohibited:

- Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
- Attempting phishing or other social engineering attacks
- Any attempt to compromise validator, admin, or pauser keys
- Denial of Service attacks
- Public disclosure of an unpatched vulnerability
- Automated testing of services that generates significant amounts of traffic to our frontend
- Disclosing vulnerabilities without the approval of the Enosys team
- Attempting to sell vulnerability information or exploits

In order to be considered for a reward, all bug reports must contain the following:

- Description of the suspected vulnerability
- Steps to reproduce the issue
- Your name and/or colleagues’ names if you wish to be later recognized
- (Optional) A patch and/or suggestions to resolve the vulnerability

Please submit your bug bounty report by emailing us at bounty@enosys.global.
