Bug bounty for erc20 based token contracts along with a sales contract

WorldOfEther/crystal-bug-bounty

World of Ether Bug Bounty

The World of Ether Crystal Bug Bounty is NOW CLOSED

Huge thank you to everybody who participated! We’ll be contacting participants with their rewards over the coming days.

It’s of the utmost importance to us that these particular Crystal contracts are secure and that players are kept safe. With the launch of World of Ether nearing, we invite the blockchain community to help with this.

If you’re a developer who’d like to take part, here’s what you need to know:

World of Ether Crystal

  • Crystal contracts are ERC-20 tokens with limited added functionality. They only allow minting from 2 designated proxy contracts, one of which is the sales contract.
  • The CrystalSale contract allows for the purchase of a randomly generated Crystal.
  • Each of the 5 Crystals has 1 ‘use’ function that initiates logic in a proxy contract after tokens are transferred to it.
  • Crystals are ERC-20 tokens and, as such, can be sold and traded on 3rd-party platforms and exchanges.
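The architecture described in the bullets above, sketched as an added Solidity example. This is not the project's code (the real contracts are in the repo); the contract names, the `IGameProxy` interface with its `onUse` hook, the one-shot `setSale` wiring, and the placeholder Crystal selection in `buy()` are all assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Game-side proxy a Crystal hands control to after a 'use'.
// Assumed interface; the real one is not described in this README.
interface IGameProxy {
    function onUse(address player, uint256 amount) external;
}

// One of the five Crystals: a minimal ERC-20 whose mint() is callable
// only by the two designated minters (sale contract and game proxy).
contract Crystal {
    string public name;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    address public immutable gameProxy; // second minter and 'use' target
    address public sale;                // CrystalSale, wired once after deploy
    address private deployer;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);

    constructor(string memory _name, address _gameProxy) {
        name = _name;
        gameProxy = _gameProxy;
        deployer = msg.sender;
    }

    // One-shot wiring of the sale contract (resolves the deploy-order cycle).
    function setSale(address _sale) external {
        require(msg.sender == deployer && sale == address(0), "sale already set");
        sale = _sale;
    }

    // Minting is restricted to the two proxies; any other caller reverts.
    function mint(address to, uint256 amount) external {
        require(msg.sender == sale || msg.sender == gameProxy, "not a designated minter");
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Transfer(address(0), to, amount);
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        _transfer(msg.sender, to, amount);
        return true;
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        emit Approval(msg.sender, spender, amount);
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        require(allowance[from][msg.sender] >= amount, "allowance exceeded");
        allowance[from][msg.sender] -= amount;
        _transfer(from, to, amount);
        return true;
    }

    // 'use': tokens move to the game proxy first, then the proxy logic runs.
    // Balances are updated before the external call, so a re-entering proxy
    // cannot spend the same tokens twice.
    function use(uint256 amount) external {
        _transfer(msg.sender, gameProxy, amount);
        IGameProxy(gameProxy).onUse(msg.sender, amount);
    }

    function _transfer(address from, address to, uint256 amount) internal {
        require(to != address(0), "transfer to zero address");
        require(balanceOf[from] >= amount, "insufficient balance");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        emit Transfer(from, to, amount);
    }
}

// Sells one Crystal per purchase by minting a randomly chosen one to the buyer.
contract CrystalSale {
    Crystal[5] public crystals;
    uint256 public immutable price;

    constructor(Crystal[5] memory _crystals, uint256 _price) {
        crystals = _crystals;
        price = _price;
    }

    function buy() external payable {
        require(msg.value == price, "wrong price");
        // Placeholder selection so the example compiles; block data is not a
        // secure randomness source and stands in for whatever the real sale uses.
        uint256 idx = uint256(keccak256(abi.encodePacked(blockhash(block.number - 1), msg.sender))) % 5;
        crystals[idx].mint(msg.sender, 1);
    }
}
```

Reading the sketch the way a bounty hunter would read the real contracts: the three places that decide the outcomes listed under Scope are the minter check in `mint()` (creating a Crystal without purchase), the order of the balance update and the external call in `use()` (stealing or double-spending a Crystal), and the source of the index in `buy()` (manipulating which Crystal a purchase yields).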

For a list of basic operations, please see here.

Scope

The bounty program is running on the Rinkeby Test Network and will be open until 9/11/18 11 PM EST.

All code necessary for this bounty is publicly available within this repo.

The exploits, vulnerabilities, and issues we most care about are:

  • Stealing a Crystal.
  • Manipulating the use or purchase of a Crystal.
  • Anything that ‘breaks’ the contracts.
  • Any sort of malfunction.

Rules & Rewards

  • Issues that our team already knows about, either through our own testing or through a prior submission, are not eligible for bounty rewards.
  • This bounty is only concerning the World of Ether smart contracts included in this repo.
  • Reports will only be accepted via GitHub issues submitted to this repo.
  • The World of Ether team will look at several variables in determining rewards. Eligibility, compensation, and everything having to do with rewards are ultimately up to the WoE team.
  • Having a safe and secure dApp improves the entire blockchain ecosystem. Spam and actions that are clearly not in good faith will not be tolerated. Please use your discretion to only act in ways that are reasonable!

The value of the rewards depends on Severity, which is calculated from Impact and Likelihood following the OWASP Risk Rating Methodology.

[Image: World of Ether Bug Bounty Severity and Likelihood OWASP Chart]

Note: Rewards are ultimately up to the discretion of the WoE team.

Rewards are scored in points, with 1 point equal to 1 USD:

  • Critical: up to 2000 points
  • High: up to 1000 points
  • Medium: up to 500 points
  • Low: up to 250 points
  • Note: up to 100 points

Examples of [Impact]:

  • High: steal a Crystal from someone, steal/redirect ETH or Crystals to another address, block actions for all users or some non-trivial fraction of users, create a Crystal without purchase.
  • Medium: break the randomness rules, lock a Crystal owned by an address you don't control, manipulate the Crystal price.
  • Low: cancel or block another user's action.

How to Get a High Score:

  • Give a clear description. Include code snippets, screenshots, and/or detailed reports. Make it easy for us to see where the issue is and what specifically it is.
  • Suggest a fix. If you can suggest a good solution, you will earn more.

We always strive to act responsibly and in good faith. Here are some rules that govern us for this bug bounty:

  • Individuals on the World of Ether team are not eligible to receive rewards.
  • We will do our best to respond to your vulnerability submission in a timely manner, normally within one to three days.
  • We’ll keep you updated as we resolve your submission.
  • We’ll let you know if your submission qualifies for a reward in under five business days.
  • If eligible, we will deliver your reward in under eight business days.
  • Overall, we promise to review your submission and reward in a manner consistent with the high levels of integrity that the blockchain community deserves. Your participation is extremely valued, and we want you to be compensated accordingly.

Vulnerability Submission Template

If you need an easy way to format your submission, you can use the order listed below. Please remember to be clear in your descriptions and give code snippets where possible.

  • Description: Give a description of the vulnerability.
  • Scenario: What caused the vulnerability to occur? What are the requirements for it?
  • Impact: What does the vulnerability result in? Who and/or what is affected?
  • Reproduction: Similar to scenario, how do we recreate the bug? Give exact steps on how to recreate the vulnerability on a new contract, and provide specific tx hashes or accounts used if possible.
  • Fix: Do you have a recommended fix to the vulnerability, or any ideas on how to fix it?
  • Note: Is there anything else you need to tell us about the vulnerability?

ETH Wallet Address: If eligible, we will send your reward to the wallet address you provide here.

Additionally, please take note that if we cannot recreate your bug, a (Truffle) test case demonstrating it will be required.

Frequently Asked Questions:

  • How are bounties paid to participants?

    • Once the submission has been validated, rewards are paid in ETH. This will likely be a few days after validation. Please provide your ETH wallet address with your submission.
  • I reported a vulnerability but have not heard back.

    • It’s our goal to respond in as timely a manner as possible. With this said, if the issue is urgent, you can reach us at: hello@worldofether.com.
  • Can I use the code in this repo anywhere I’d like?

    • No. The code in this repo is only for reviewing, not for copying.
  • Will the code here change during the course of the bounty?

    • Yes. As vulnerabilities are fixed, we will be updating the code. Please make sure the vulnerabilities you report apply to the latest version of this code.
  • I need help setting up the contracts.

    • For help setting up or anything code related, please join the World of Ether Gitter.

Legal Information

This bug bounty exists to reward those who are improving the smart contracts that govern the World of Ether decentralized application. This bug bounty is a community endeavor, and thus free for anybody to join. Please note that the bounty can be closed for any reason or at any time, and the rewards are at the sole discretion of the World of Ether team. This bug bounty is not an employment agreement of any kind.

All rewards are subject to applicable law and thus applicable taxes. Don't target our physical security measures, or attempt to use social engineering, spam, distributed denial of service (DDOS) attacks, etc. Lastly, your testing must not violate any law or compromise any data that is not yours.

Copyright (c) 2018 World of Ether LLC
