$100,000 of Push x ImmuneFi Bug Bounty Program goes Live 🪲
Push Smart Contract v2 Bug Bounty Program
Are you a skilled security researchers looking for an exciting challenge and the opportunity to earn big? Look no further!
We are thrilled to announce the launch of the Push’s collaborative Bug Bounty Program with Immunefi and calling all hackers to participate!
See the full Immunefi report👉 here.
Your objective will be to identify and report vulnerabilities in Push’s smart contracts V2, read more about Pushv2. It’s your chance to contribute to the security of the Push ecosystem while being rewarded for your efforts.
Time to sharpen your hacking tools and join us in this exciting adventure!
Exciting Rewards are Waiting for You
Are you up for the challenge? This is your chance to showcase your research and hacking skills and earn exciting rewards. The Push x ImmuneFi Bug Bounty Program offers payouts based on the severity of the identified vulnerabilities.
The rewards by threat/severity level are as follows:
đź”´ Critical Severity Level: USD 80,000 up to USD 100,000
đźź High Severity Level: USD 10,000 up to USD 50,000
🟡 Medium Severity Level: USD 1,500
⚪ Low Severity Level: USD 1,000
At all severity levels, a proof of concept (PoC) is required. You can find the PoC guidelines and rules here.
Assets in Scope
There are 5 Push smart contract assets you can identify and report potential vulnerabilities for. To aid you in your bug-hunting journey, we have made all of these assets easily accessible right here:
PushCoreV2 Github 👉Smart Contract — PushCoreV2.sol
CoreStorageV2 Github👉Smart Contract — EPNSCoreStorageV2.sol
CoreStorageV1_5 Github👉Smart Contract — EPNSCoreStorageV1_5.sol
PushCommV2 Github👉Smart Contract — PushCommV2.sol
CommStorageV1_5.sol👉Smart Contract — EPNSCommStorageV1_5.sol
Developer Resources
- All Push Protocol code can also be found at this page here.
- Deep dive into Push v2 contract features at this page here.
- Join our Discord for technical support https://discord.com/invite/pushprotocol
- Additional resources to learn more about Push Contracts:
Impacts in Scope
You’re now ready to start some bug-hunting! But before you start, take a look at the impacts considered in the scope for the Bounty Program and the severity level of each impact:
Critical Security Level:
- Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
- Permanent freezing of funds
- Drain of Funds from contract
- Loss of funds due to bridging of tokens
High Security Level:
- Theft of unclaimed yield
- Permanent freezing of unclaimed yield
- Temporary freezing of funds
- User/Stakers being able to harvest more tokens than they should be able to.
- User/Stakers being able to harvest without staking for at least 1 complete epoch.
Medium Security Level:
- Smart contract unable to operate due to lack of token funds
- Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
- Unbounded gas consumption
- Unfair reward distribution between users with equal staking details like token weight, stake duration etc.
Low Security Level:
- Contract fails to deliver promised returns, but doesn’t lose value
All other impacts are not considered as in-scope, even if they affect something within the assets listed in the scope table. You can find all other details about the severity levels, bug impacts, program guidelines, and rules in the report provided by Immunefi.
Hackers and devs, it’s your time to shine! Join us in securing the Push ecosystem and earn big for your valuable contributions. We look forward to seeing what you uncover.
About Push Protocol
Push is the communication protocol of web3. Push protocol enables cross-chain notifications and messaging for dapps, wallets, and services tied to wallet addresses in an open, gasless, and platform-agnostic fashion. The open communication layer allows any crypto wallet /frontend to tap into the network and get the communication across.
To keep up-to-date with Push Protocol: Website, Twitter, Telegram, Discord, YouTube, and Linktree.