Bug Bounty For TOP Cross-Chain Bridge Open Test Is Launched
The testnet version of the TOP cross-chain bridge supports transferring ETH and stablecoin (USDT) assets between the ETH chain and the TOP chain. The test version of the bridge is now open to the public, and we invite you to participate in the test! Be a TOP hunter and earn rewards. Up to 15,000,000 TOP for a single issue! Happy hunting!
⏰Duration: August 5 — August 24, 2022 (UTC+8)
Critical: 10,000,000–15,000,000 TOP per issue
High: 1,000,000–8,000,000 TOP per issue
Medium: 100,000–1,000,000 TOP per issue
📌Bug Bounty Rules:
1. The TOP team will jointly review the submitted issues and reward hunters according to the severity of the problems.
2. Hunters should provide a complete issue description, test address, transaction hash, screenshot of issues, and so on.
3. For the same issue, first come, first served.
4. Known issues and some pre-clarified contents are not included in this bug bounty program.
Note: The TOP team has the right to interpret the bug bounty program.
Join TOP Telegram for further discussion👇
How to join the TOP cross-chain bridge open test?
1. Visit the TOP cross-chain bridge
Open the link in a browser with a Metamask wallet, such as Chrome, Firefox, etc. Metamask will automatically add TOP Testnet and ETH Testnet, and there is no need to add RPC manually. You can switch manually afterward.
2. Get test tokens from the TOP faucet
You can get the following test tokens from the faucet each time:
ETH Testnet: 0.1 ETH, 30 USDT
TOP Testnet: 0.05 ETH
Open the TOP faucet, and enter a valid Ethereum-formatted address to get the test tokens. You can get tokens again after 72 hours.
3. Add stable coins to Metamask
The cross-chain bridge is connected by default to ETH Testnet. Please manually add stablecoin tokens in Metamask.
📌ETH Testnet — USDT token address: 0x4268F1891609dE171d0896136571DE15C91d91Bd
📌TOP Testnet — USDT token address: 0x7e3aC793663dEb959710C8CE6929A3c860f5479A
4. Start testing in the cross-chain bridge
Before the test, please confirm that you have received test tokens in your wallet address. Please also review sections 6 and 7 first.
✨Click the Cross-chain link
1️⃣A. Cross ETH assets to TOP chain
a) Enter the number of assets you want to transfer, click Transfer to complete the transaction, and you will see the Pending transaction on the right side.
b) Wait for the cross-chain contract to be executed until Pending is changed to Claim (estimated 20 minutes).
c) Click Claim again; Metamask will add TOP Testnet.
d) Click Claim again to complete the transaction. Check the TOP address balance afterward.
2️⃣B. Cross TOP assets to ETH chain
a) Select From as TOP, enter the number of assets you want to transfer, click Transfer to complete the transaction, and you will see the Pending transaction on the right side.
b) Wait for the cross-chain contract to be executed until Pending is changed to Claim (estimated 8 hours).
c) Click Claim again; Metamask will automatically switch the chain to ETH Testnet.
d) Click Claim again to complete the transaction. Check the ETH address balance afterward.
5. Issues recording and submission
During the test, please refer to the issue scope given by the TOP team, and clearly record each issue you find with screenshots and the operation process. If necessary, keep the transaction hash.
📍After the test, submit the issues you find to the form.
6. Definition of issue severity
Issues that can cause heavy economic losses to the contract business system, large-scale data confusion, loss of control over rights management, failure of key functions, or loss of credibility, or that indirectly affect the correct operation of other associated smart contracts and cause heavy losses, as well as other serious and mostly irreversible issues, including but not limited to:
a) Additional issuance or overspending of assets
b) Loss or freezing of other people’s assets
c) Asset theft or unauthorized spending
d) The core business logic of smart contracts is arbitrarily tampered with or bypassed, such as transfers, charges, accounting, etc.
e) The key verification logic of smart contracts is bypassed, such as signature verification, proof verification, authentication, etc.
Issues that are found but cannot be resolved for the time being, including but not limited to:
a) Other obviously dangerous and sensitive information is unexpectedly leaked.
b) Gas fee vulnerability
Risks and issues that can pose a security threat to the contract business system and need to be improved, including but not limited to:
a) The operation stability of smart contracts is affected, such as abnormally high contract invocation failure rate, abnormally high resource consumption, etc.
b) Smart contracts can be triggered by false or error events.
c) The operation process is interrupted but resumed without loss of assets.
d) Gas design is not reasonable.
7. Cross-chain bridge known issues and issues not included in the bug bounty
A. Cross-chain bridge known issues
a) The total amount of the TOP cross-chain transaction only shows the gas fee, not the cross-chain amount.
b) When TOP’s smart contract burns ETH tokens, Metamask only displays the gas fee, not the burn value.
B. User special tips
a) When you send cross-chain transactions with Metamask, the transaction will be stuck in the sending state for a long time, resulting in unsuccessful sending. The solution is as follows: click the account icon in Metamask’s upper right corner to enter the account list page, click Settings, then click Advanced and reset the account. Then initiate the cross-chain transaction again.
b) There may be a delay in updating or displaying cross-chain transactions. Once you have confirmed that the transaction completed successfully, you can simply wait.
C. The following vulnerabilities are excluded from the rewards for this bug bounty program
a) Previously known vulnerabilities (resolved or not) on the TOP network (and any other fork of these).
b) Feature request & Best practice
c) Attacks requiring privileged access from within the organization
d) Vulnerabilities only exploitable on out-of-date browsers or platforms
e) Vulnerabilities built on ‘user impossible action’
f) Page compatibility
We sincerely invite you to take part in the TOP cross-chain bridge test and jointly construct a safe TOP ecosystem. Happy hunting!