Switcheo Bug Bounty Program

Ivan Poon
Published in Switcheo
Mar 26, 2018

Overview

At Switcheo, we take security very seriously. We’ve allocated a substantial amount of time and resources to the security of our trading smart contracts, and our exchange web UI. However, cyber-security is asymmetrical in nature, and our platform is only as strong as its weakest link.

We cannot hope to catch all bugs ourselves, and with this in mind, we’re glad to be able to detail how our security bug bounty program will work. We would like to invite all hackers to help us harden our platform, and we encourage the community to disclose any security vulnerabilities responsibly through this bug bounty program.

While participating in our bounty program, please do not attempt any form of testing on MainNet contracts or the live API. Do not attempt to affect the assets or functionality of any user besides yourself. Vulnerability reports that violate these clauses will not be rewarded any bounty.

We have an isolated TestNet for testing smart contracts, and a sandboxed API for testing APIs. The available endpoints are listed below.

Security

We’ve categorised security issues based on their origin and severity, and have listed the endpoints (scope) eligible for bounty.

Exchange / Wallet (Web UI) Vulnerabilities

Web Endpoints: https://switcheo.exchange/* (ensure TestNet is selected)
API Endpoints: https://test-api.switcheo.network/*, https://test-db.switcheo.network/*
Node Endpoints: https://seed{1–4}.switcheo.network:20331

Here are the reportable vulnerabilities for our Web UI / API:

Critical

  • Exposure of (any form of) users’ private keys to a 3rd party
  • Any practical attack which can cause unauthorized asset transfers or loss of users’ assets

High

  • Stored XSS (on Switcheo’s API)
  • SQL injections (on Switcheo’s API)
  • Vulnerable TLS configuration (for Switcheo domains)
  • Vulnerable DNS configuration (for Switcheo domains)
  • Transactions formed and broadcast through normal use that result in unrecoverable loss of users’ assets

Moderate

  • Denial of Service
  • Reflected XSS
  • Practical MITM attacks
  • Business logic errors that result in unintended transactions

Low

  • Vulnerable CSP configuration
  • Lack of web best practices

None

  • Cosmetic issues
  • Transactions failing due to order contention
  • Business logic errors that do not result in unintended transactions

Smart Contract Security

Smart contract repository: https://github.com/ConjurTech/switcheo

Here are the reportable vulnerabilities for our exchange smart contracts:

Critical

  • Unauthorized withdrawal of assets from smart contract
  • Irreversible loss of a user’s assets after making a valid transaction
  • Arbitrary manipulation of smart contract storage
  • Double spending (or any variation thereof)

High

  • Business logic errors
  • Precision errors
  • Integer overflows / underflows
  • Possibility for a transaction with valid inputs to fault unexpectedly

Moderate

  • Denial of Service
  • Possibility for a transaction with invalid inputs to fault unexpectedly, resulting in a loss of assets

Low

  • Lack of smart contract best practices

Rewards

Bounties will be awarded based on the severity of the vulnerability. Duplicates of issues already filed on GitHub, or already reported by other persons on HackerOne, cannot be rewarded again. Issues already made public by the team or a 3rd party cannot be rewarded. Once again, please perform your tests on TestNet and the sandboxed APIs to be eligible for a bounty.

If your issue is not categorized in the list above, please use the CVSS calculator on HackerOne. The final severity will be determined at the sole discretion of our security team.

Critical (min. USD 3,000)

These vulnerabilities affect assets owned by users. Eligible issues will be awarded a minimum bounty of USD 3,000.

High (min. USD 1,000)

These vulnerabilities affect the correct execution of trades. Eligible issues will be awarded a minimum bounty of USD 1,000.

Moderate (min. USD 500)

These vulnerabilities affect the availability of our platform, or can affect the safe operation of our exchange by users. Eligible issues will be awarded a minimum bounty of USD 500.

Low (min. USD 250)

These issues can help increase the security of our platform through layered security (defence in depth). Eligible issues will be awarded a minimum bounty of USD 250.

None (min. USD 0)

These issues are not classified as security vulnerabilities and therefore do not have a minimum reward.

Responsible Disclosure

Publicly disclosing a vulnerability can put all Switcheo users at risk. If you have discovered a possible vulnerability, please disclose it at https://hackerone.com/switcheo_network, or email us directly at security@switcheo.network if the first option does not work for you.

We will work with you to assess and understand the scope of the issue and fully address any concerns. All security emails and vulnerability reports are immediately forwarded to our security engineering team to ensure that issues are addressed rapidly. Any security reports are treated with the highest priority as the safety and security of our service is our primary concern.
