ImmuneFi Bug Bounty Launched!

Sheldon Dearr, published in Omnity Network, Feb 15, 2022

Octopus Network is a brand new multichain network born to serve application-specific blockchains, aka appchains. Octopus Network provides flexible and affordable leased security, out-of-box cross-chain interoperability, one-stop infrastructure, and a rich network of communities for appchains.

As we continue to grow this offering, we’ll be focusing on components that streamline the risk and requirements of launching an independent blockchain. Recently we’ve completed an audit with Halborn for our registry smart contract, the mechanism that regulates appchains’ enrollment and launch process. To continue our journey, we are open-sourcing our security by establishing a bug bounty program for our two primary Rust contracts on NEAR Protocol. This program will be operated by our partner ImmuneFi inside the parameters that follow.

Otto the Octopus on his way to the bug bounty

The bug bounty program is focused on two key smart contracts to prevent:

  • Loss of user funds staked/delegated by freezing or theft
  • Loss of governance funds
  • Governance vote manipulation
  • Theft of unclaimed rewards
  • Freezing of unclaimed rewards
  • Temporary freezing of funds for at least 30 minutes

This scope is limited to the anchor and registry contracts found on GitHub. It does not include any considerations or known issues already covered in the Halborn audit. No other assets of Octopus Network are considered in scope for this bounty. Please read to the bottom for more details on rules and acceptable conditions.

Additionally, only certain impacts are in scope for this program. Any other impacts found outside this scope will be considered for a reward when presented ethically to the Octopus Network team; however, this bounty program is specifically limited to the impacts listed in the bullet points above.

Rewards will be distributed according to the impact of the vulnerability, based on the Immunefi Vulnerability Severity Classification System. This is a simplified 5-level scale, with separate scales for websites/apps and for smart contracts/blockchains, covering everything from the consequence of exploitation to the privilege required, and taking into account the likelihood of a successful exploit. Under this scheme we will award $50,000 USDC for critical-level bugs and $10,000 USDC for high-level bugs.

All bug reports must come with a proof-of-concept in which any resulting effect on in-scope assets is documented clearly. Explanations and statements alone are not accepted as a PoC; code is required. Without a clear definition of the bug and supporting documentation we cannot consider distributing a reward.

The following vulnerabilities are excluded from the rewards for this bug bounty program:

  • Attacks that the reporter has already exploited themselves, leading to damage
  • Attacks requiring access to leaked keys/credentials
  • Attacks requiring access to privileged addresses (governance, strategist)
  • Incorrect data supplied by third-party oracles (this does not exclude oracle manipulation or flash loan attacks)
  • Basic economic governance attacks (e.g. 51% attack)
  • Lack of liquidity
  • Best practice critiques
  • Sybil attacks
  • Centralization risks

The following activities are prohibited by this bug bounty program:

  • Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
  • Any testing with pricing oracles or third party smart contracts
  • Attempting phishing or other social engineering attacks against our employees and/or customers
  • Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
  • Any denial of service attacks
  • Automated testing of services that generates significant amounts of traffic
  • Public disclosure of an unpatched vulnerability in an embargoed bounty

We look forward to harnessing the amazing expertise found both in and outside our communities. It’s challenging to replicate the Octopus Network solution as a whole, but if any vulnerability or exploit is to be demonstrated, it must be done in a test/demo environment. We look forward to reviewing your submissions!

Click here for the official bounty page on the ImmuneFi website: happy hacking and good luck!
