BlockchainSpace Bug Bounty Program with ImmuneFi
BlockchainSpace, through its bug bounty program with ImmuneFi, is seeking participants to assess their smart contracts for vulnerabilities.
Program Overview
BlockchainSpace enables play-to-earn guilds to scale in the metaverse. We build tools to empower gaming communities and run academies to identify economic opportunities in the play-to-earn ecosystem.
For more information about BlockchainSpace, please visit https://www.blockchainspace.asia/.
This bug bounty program is for their smart contracts and is focused on preventing:
- Thefts and freezing of principal of any amount
- Thefts and freezing of unclaimed yield of any amount
- Theft of governance funds
- Governance activity disruption
Rewards by threat level
Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from the consequence of exploitation to privilege required to the likelihood of a successful exploit.
Smart Contracts and Blockchain
Critical USD 50 000
High USD 30 000
Medium USD 20 000
Low USD 10 000
All Low, Medium, High, and Critical Smart Contract bug reports require a PoC and a suggestion for a fix to be eligible for a reward.
Payouts are handled by the BlockchainSpace team directly and are denominated in USD. However, payouts are done in ETH.
Assets in Scope
Target Type
Smart Contract — Core
https://github.com/vault-tec-team/vault-tec-core/tree/main/contracts
Smart Contract — Guild Token
https://github.com/BlockchainSpace-Dev/guild-token/
In the Github link in the Assets in Scope table, only Exact Match Verified smart contracts are considered as in-scope of the bug bounty program.
Impacts in Scope
Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in the scope table.
Smart Contracts/Blockchain
Loss of user funds staked (principal) by freezing or theft
Loss of governance funds
Theft of unclaimed yield
Freezing of unclaimed yield
Unable to call smart contract
Smart contract gas drainage
Smart contract fails to deliver promised returns
Vote manipulation
Incorrect polling actions
Prioritized vulnerabilities
We are especially interested in receiving and rewarding vulnerabilities of the following types:
Smart Contracts and Blockchain
Re-entrancy
Logic errors
including user authentication errors
Solidity/EVM details not considered
including integer over-/under-flow
including rounding errors
including unhandled exceptions
Trusting trust/dependency vulnerabilities
including composability vulnerabilities
Oracle failure/manipulation
Novel governance attacks
Economic/financial attacks
including flash loan attacks
Congestion and scalability
including running out of gas
including block stuffing
including susceptibility to frontrunning
Consensus failures
Cryptography problems
Signature malleability
Susceptibility to replay attacks
Weak randomness
Weak encryption
Susceptibility to block timestamp manipulation
Missing access controls / unprotected internal or debugging interfaces
Out of Scope & Rules
The following vulnerabilities are excluded from the rewards for this bug bounty program:
Attacks that the reporter has already exploited themselves, leading to damage
Attacks requiring access to leaked keys/credentials
Attacks requiring access to privileged addresses (governance, strategist)
Smart Contracts and Blockchain
Incorrect data supplied by third party oracles
Not to exclude oracle manipulation/flash loan attacks
Basic economic governance attacks (e.g. 51% attack)
Lack of liquidity
Best practice critiques
Sybil attacks
Centralization risks
The following activities are prohibited by this bug bounty program:
Any testing with mainnet or public testnet contracts; all testing should be done on private testnets.
Any testing with pricing oracles or third party smart contracts.
Attempting phishing or other social engineering attacks against our employees and/or customers.
Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
Any denial of service attacks.
Automated testing of services that generates significant amounts of traffic.
Public disclosure of an unpatched vulnerability in an embargoed bounty.
