The Bancor 3 Bug Bounty aims to incentivize responsible disclosures of any bugs in the Bancor 3 smart contracts. Starting with the official Beta launch, the contracts-v3 repository is subject to the bounty program.
Rewards are allocated based on the severity of the bug disclosed, with awards of up to USD 1 million. The scope, terms and rewards are at the sole discretion of the Bprotocol Foundation.
All vulnerabilities disclosed prior to the official launch of Bancor 3 (scheduled for the middle of May 2022) will be eligible to receive higher rewards.
Scope
The list below is not exhaustive, but it gives an overview of the issues we care about:
- Stealing or loss of funds
- Unauthorized transactions
- Transaction manipulation
- Price manipulation
- Fee payment bypass
- Balance manipulation
- Privacy violation
- Cryptographic flaws
- Reentrancy
- Logic errors (including user authentication errors)
- Solidity details not considered (including integer over-/under-flow, rounding errors, unhandled exceptions)
- Trusting trust/dependency vulnerabilities (including composability vulnerabilities)
- Oracle failure/manipulation
- Novel governance attacks and economic/financial attacks, including flash loan attacks
- Congestion and scalability, including running out of gas, block stuffing, susceptibility to frontrunning
- Consensus failures
- Cryptography problems, e.g., signature malleability, susceptibility to replay attacks, weak randomness and weak encryption
- Susceptibility to block timestamp manipulation
- Missing access controls / unprotected internal or debugging interfaces
- Issues arising from whitelisted tokens
The original announcement can be viewed here.