Hello everyone, today I want to talk about the paid bug-finding program (bug bounty) from Flamingo Finance.
This article was created for informational purposes, respecting copyright, in order to familiarize users with the bug bounty program. The author does not encourage you to carry out what is described in the article; all reasoning is a figment of imagination, and any coincidences are unintentional and accidental. The goal is to help the project stay secure and to make it known that if you find an error or bug, you can report it in good faith rather than use it for personal gain or to harm users or the project. The article contains materials from open sources. All links will be at the end of the article.
Are you a cybersecurity specialist who works with smart contracts and wants to make money? This article is definitely for you, and even if you are not a cybersecurity professional, it will still be useful. First, a little introduction: what is Flamingo Finance?
It is a DeFi platform where users can convert (swap) assets, wrap them and provide liquidity, for which they earn income. The Smart Staking function is interesting: the main difference from regular staking is that with one click you perform actions that would otherwise take you quite a long time.
Program overview. I suggest starting with the rewards, the best part first. Rewards are divided into severity levels, which I have marked with emoticons.
😡 Critical, 😱 High, 😇 Medium, 😄 Low
Smart contracts:
😡 Critical: up to one million dollars ($1,000,000)
😱 High: $40,000
😇 Medium: $4,000
😄 Low: $1,000
Websites and applications:
😡 Critical: $25,000
😱 High: $10,000
😇 Medium: $1,000
Why are the rewards for smart contracts higher than for websites?
The fact is that it is difficult to find a vulnerability in smart contracts: projects often conduct audits, where the first, most obvious vulnerabilities are identified, the ones that can be found with static analysis tools (using such tools is prohibited in this program). Because of this, vulnerabilities exist precisely where it would seem they should not, and they need to be found. This article is an overview of the program, and some useful parts of it can help you find a vulnerability and take one of the rewards. That said, it is also difficult to find vulnerabilities in web applications. By the way, one more thing: you can write a Proof of Concept (PoC), but you don't have to. Why is this cool?
If you are familiar with PoCs, you know they are difficult to write, even though there are examples for Foundry; but when you think you have found a vulnerability, it is the PoC that shows whether the vulnerability is real or not.
The difference between a web2 and a web3 PoC is that in web3 you do it in a private simulated environment, such as the Remix VM (Shanghai/London), Hardhat or Foundry. In web2, you make a video or written instructions describing the actions that lead to harm for the application or site.
The smart contracts in which you can search for vulnerabilities, as well as the link to the web application, can be found here:
https://immunefi.com/bounty/flamingofinance/
What can be said about the smart contracts: there you will see the staking contract (the one you use for smart staking) and the swap contract (for exchanging funds); all of them are on GitHub. If you find other contracts, you will not receive a reward for vulnerabilities in them and cannot claim it. What is important to know?
These smart contracts are not written in Solidity.
What you will not get paid for, even if you find a vulnerability:
Attacks that you have already exploited yourself and which caused damage,
for example, someone found a vulnerability, used it, and then sent a report about that same vulnerability.
Attacks that require access to leaked keys/credentials, i.e.
without the password, which I forgot about a year ago, it will not work.
Smart contracts and blockchain:
Incorrect data provided by third-party oracles (for example, you used another project's oracle in your work, but it told you that FLM is worth $1,000,000). This does not exclude oracle manipulation/flash loan attacks.
You attack and cause damage, immediately
Basic economic governance attacks (e.g. 51% attack)
Lack of liquidity
Best practice critiques
Sybil attacks
Centralization risks
Websites and apps:
Theoretical vulnerabilities without any proof or demonstration
You wrote in the report “There is a vulnerability here, because I think so,” but there is no evidence that it exists.
Content spoofing / text injection issues
For example, you change content directly on the site, such as the logo.
Self-XSS
Someone wrote the code, ran it themselves, and caused damage to the project :(
Captcha bypass using OCR
OCR (optical character recognition) is a technique that bypasses captchas; using it violates the rules.
CSRF with no security impact (logout CSRF, language change, etc.)
Missing HTTP security headers (such as X-Frame-Options) or cookie security flags (such as HttpOnly).
I would focus on this most of all, because it is the most important thing; in fact it is a bridge between good and evil, or some kind of, I don't know, shortcut. That is, let's say you found a vulnerability, but you disclosed this information.
Vulnerabilities used to enumerate or confirm the existence of users or tenants.
Vulnerabilities that require low-probability user action.
For example, to make a deposit I opened 300 tabs, then withdrew money from each one, then turned Wi-Fi off, turned it on, and did the splits :)
Open URL redirects (unless combined with another vulnerability to produce a more severe one).
Lack of SSL/TLS best practices.
DDoS vulnerabilities
Attacks requiring privileged access from within the organization
Feature requests
Best practices
The most important section: what is PROHIBITED
Any testing using mainnet or public testnet contracts; all testing must be done on private test networks.
This applies to smart contracts. When you write a PoC, it is effectively an attack on the project, and if it is run against a live smart contract, trouble cannot be avoided.
Any testing using pricing oracles or third-party smart contracts.
This is a difficult rule to understand; probably it applies when you are using something other than the application itself.
Attempting phishing or other social engineering attacks against the project's employees and/or customers.
Specifically, this means posing as someone influential in order to harm the project, for example by offering to follow a link.
Any testing using third-party systems and applications (for example, browser extensions) or websites (for example, single sign-on providers, advertising networks).
This refers to applications that “read” and “verify” a smart contract or application. Suppose there is a service that will help you find vulnerabilities for $5. Why is it forbidden? The service will generate traffic and collect information that may become publicly available; for example, the vulnerability will be stored in it, and an attacker can “intercept” it.
Any denial of service attack
This is generally an attack after which the site simply does not work. No way.
Automated testing of services that generates significant volumes of traffic
This applies more to tools like Slither, the same as the $5 service.
Public disclosure of an unpatched vulnerability in an embargoed bounty
This is the most important thing: if you found a vulnerability, sent a report, and it was confirmed and you will receive payment, you should not write about the vulnerability on Medium, Twitter, Reddit or other similar networks, or even tell friends and family. This is very important because you can harm the project even when it seems you have “helped” it.
A little overview of what you will get money for.
Direct theft of any user funds, whether at rest or in motion, other than unclaimed yield.
Let's delve a little deeper into what this can mean. If you look at GitHub and see that “something is wrong”, scroll through in your head how the function works, what it does, why something is wrong in it, and what the scenario could be if you were an attacker: how would you take advantage of this? It is important to think about what action could lead to this, how you could protect against it, and how you could help the project.
Permanent freezing of funds
Permanent: suppose you have put 1 FLM into staking, someone decides to take advantage of this, some condition written in the smart contract is triggered, and your 1 FLM stays locked; you will not be able to do anything with it.
Protocol failure
When the protocol cannot work because of certain vulnerabilities, and where an attacker can attack the protocol and by that attack produce a failure state.
Theft of unclaimed yield
When an attacker can steal the funds you have staked. You cannot withdraw them, because they have already been stolen from you.
Permanent freezing of unclaimed yield
When you have staked and your funds are frozen.
Temporary freezing of funds
The same as above, but temporarily, for 1 day or 1 month.
Smart contract unable to operate due to lack of token funds
Block stuffing for profit
An attack in which the attacker blocks your ability to receive your tokens or funds.
Griefing (e.g. the attacker has no profit motive but causes harm to users or the protocol)
Griefing is a common vulnerability; an attacker takes advantage of it to harm users who stake, but has no goal of withdrawing funds.
Gas theft
When you send 1 FLM, you spend gas, for example 0.0000001324 FLM, and because of a vulnerability this amount is stolen from you.
Unlimited gas consumption
The point is that, when the gas amount is 0.0000001324 FLM, it grows to 1 FLM and so on until all funds are drained.
The contract fails to deliver the promised returns, but does not lose value
When staking says 1 FLM should come to you, but you receive 0.99999 FLM.
Execute arbitrary system commands on critical infrastructure
When, on a website, you can access a part meant for other people's tools, or execute commands that should only be performed by an administrator or developer.
Extract sensitive data that could result in loss of funds from a running server, such as /etc/shadow, database passwords, and blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames).
A bit like a keylogger: a found vulnerability leads to this, that is, you can extract data that leads to the loss of funds, for example passwords or databases, on some page or through an attack. Let's say I registered on the platform, and you found a way, from another account, to take my key password or my information from the site.
Taking down an application/site
This is a vulnerability if I create an application and delete it from another account or virtual machine, thereby harming users, including myself.