Eximchain Launches Bug Bounty Program

Eximchain
Feb 23, 2018

We are starting a bug bounty program for Eximchain token smart contracts. Discovery of major bugs will be rewarded up to $10,000 in BTC. Very severe vulnerabilities will be rewarded up to $20,000 in BTC.

Most of the rules found on https://bounty.ethereum.org also apply to the Eximchain bounty program:

  1. First come, first served
  2. Issues that have already been submitted by another user, or are already known to the Eximchain team, are not eligible for bounty rewards
  3. Public disclosure of a bug or vulnerability makes it ineligible for a bounty reward
  4. Paid auditors of this code are not eligible for bounty rewards
  5. Determinations of eligibility, score and all terms related to bounty reward are at the sole and final discretion of the Eximchain team

Scope:

The following files are in the scope of this bounty program:

EximchainToken.sol

EximchainTokenConfig.sol

ERC20Interface.sol

ERC20Token.sol

Finalizable.sol

FinalizableToken.sol

Math.sol

MathTest.sol

OpsManaged.sol

Owned.sol

Functional Specification:

Should deploy a token with the proper configuration

Should allocate tokens per the minting function, and validate balances

Should transfer tokens from

Should not transfer negative token amounts

Should not transfer more tokens than you have

Should not allow address to transfer more tokens than authorized from

Should allow funds transfers back to the owner, before the token is finalized

Should not allow any user <-> user funds transfers before finalization

Should allow the ops address to be set properly by the owner

Should allow tokens to be burned at any time, even before finalization

Should only be able to be finalized once

Should allow tokens to be burned at any time

Should allow the contract to be initialized by a proper token

Should allow the wallet address to be changed by the owner, or the operator

Should allow the owner to configure the contract

Should allow the contracts to be suspended and resumed

Should allow the owner and operators to set up whitelists via updateWhitelist and updateWhitelistBatch

Should not allow purchase until minimum requirements are met, including that the sender and receiver are whitelisted

Should cleanly handle token reclaim

Timeline:

As of this announcement, the Eximchain Bug Bounty Program has already started and valid bug reports will be compensated. After the token launch, the bounty program will only cover the functionality that is relevant to the ERC20 token specification. The bug bounty runs from February 23rd 10am EST until February 28th 10am EST (5 days).

Compensation:

The value of bounty rewards will vary depending upon severity. The severity of a bug or vulnerability is determined according to the OWASP risk rating model based on Impact and Likelihood, as employed in the Ethereum bug bounty campaign:

Bounty Reward Structure:

Note: Up to $100 in BTC (Lowest Impact, Lowest Likelihood)

Low: Up to $2,000 in BTC

Medium: Up to $5,000 in BTC

High: Up to $10,000 in BTC

Critical: Up to $20,000 in BTC (Highest Impact, Highest Likelihood)

Example: If you found a way to steal the funds raised from the token, the bug will be considered a critical bug. If you found a way to mint EXC, this will be regarded as a bug with high severity.

The quality of a submission will also affect the amount of compensation. A high quality submission would consist of:

  1. An explanation of how the bug can be reproduced
  2. A failing test case
  3. A fix that makes the test case pass

High quality submissions may be awarded compensation amounts higher than the amounts specified above.

We request that you please give us a reasonable amount of time to reply to your inquiry, and that you do not exploit any vulnerability you discover.

Contact:

We encourage submissions of bug reports as issues in the GitHub repository. If you are already a member of our Telegram Group https://t.me/eximchain, it is also possible to contact us there.

You may also direct your submissions to juan@eximchain.com. We also welcome anonymous submissions.

Eximchain

Eximchain enables supply chain companies to connect, transact, and share information more efficiently using blockchain technology. Learn more: www.eximchain.com