Mind Network Bug Bounty Program
Reward pool: Not set (USDC)
Expected profit: up to 50,000 USDC
Max participants: No limit
DropsEarn score: Neutral (Hard, Low Risks)
Details
Rewards will be provided according to the rules of this bug bounty program as outlined above. At the discretion of Mind Network, the quality, creativity, or novelty of a submission may modify the payout within a given range. In case of multiple reports about the same issue, Mind Network will reward the earliest submission, regardless of how the issue was reported. Vulnerabilities are rated using the CVSS 3.1 standard.
Blockchain & Smart Contracts

| Severity | Description | Reward |
|---|---|---|
| Critical | Critical severity vulnerabilities have a significant impact on the security of the project; fixing them is strongly recommended. | 10,000 ~ 50,000 USDC |
| High | High severity vulnerabilities affect the normal operation of the project; fixing them is strongly recommended. | 2,500 ~ 10,000 USDC |
| Medium | Medium severity vulnerabilities affect the operation of the project; fixing them is recommended. | 500 ~ 2,500 USDC |
| Low | Low severity vulnerabilities may affect the operation of the project in certain scenarios; the project team should evaluate whether they need to be fixed. | 50 ~ 500 USDC |
Websites and Applications

| Severity | Description | Reward |
|---|---|---|
| Critical | Critical severity vulnerabilities have a significant impact on the security of the project; fixing them is strongly recommended. | 1,000 ~ 5,000 USDC |
| High | High severity vulnerabilities affect the normal operation of the project; fixing them is strongly recommended. | 300 ~ 1,000 USDC |
| Medium | Medium severity vulnerabilities affect the operation of the project; fixing them is recommended. | 100 ~ 300 USDC |
| Low | Low severity vulnerabilities may affect the operation of the project in certain scenarios; the project team should evaluate whether they need to be fixed. | 0 ~ 100 USDC |
Scopes
Smart Contract

| In Scope | |
|---|---|
| Source Code | GitHub Repo |
Contract Addresses

| Contract Name | Chain Name | Chain ID | Contract Address |
|---|---|---|---|
| Strategy-STONE | ethereum | 1 | 0xB072Fd98D0111f3F0420262F61b5829c9A092e56 |
| Strategy-eETH | ethereum | 1 | 0x421B0974467aEFA3E601968812CAD1f4c815004d |
| Strategy-ezETH | ethereum | 1 | 0xa3E3dc1f87A9B77abff3a507EBDBa684e3bb5F4f |
| Strategy-stETH | ethereum | 1 | 0x8600F649B39c37993f0E95Fd7E0e570C6475d708 |
| MToken-STONE | ethereum | 1 | 0xaB594175aeA69F8d8eF5C40eeF988b27e7Dd1Db8 |
| MToken-eETH | ethereum | 1 | 0xfA1caBe0Cdc19Bc9FC346F3e0961CC762f517D9E |
| MToken-ezETH | ethereum | 1 | 0x6DEc9C5a65dc82543f62Ec9747F84b97b9E2a280 |
| MToken-stETH | ethereum | 1 | 0x1d64a52C1966E1d9a28D2d8Dec17645bd18D2034 |
| Strategy-MockSTONE | sepolia | 11155111 | 0x0952C34b9E96Ed75dEB1d4c113BcEd84E2b8d7a1 |
| MToken-MockSTONE | sepolia | 11155111 | 0x9877bA030355c71a8F676e1fb478CF23DFf7C930 |
Websites and Applications

| In Scope | |
|---|---|
| Websites and application | dapp.mindnetwork.xyz |
| Websites and application | dapptest.mindnetwork.xyz |
| Websites and application | www.mindnetwork.xyz |
Out of Scope
Websites and Applications
- Theoretical impacts without any proof or demonstration
- Impacts involving attacks requiring physical access to the victim device
- Impacts involving attacks requiring access to the local network of the victim
- Reflected plain text injection (e.g. URL parameters, path, etc.)
  - This does not exclude reflected HTML injection with or without JavaScript
  - This does not exclude persistent plain text injection
- Any impacts involving self-XSS
- Captcha bypass using OCR without impact demonstration
- CSRF with no state modifying security impact (e.g. logout CSRF)
- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as "httponly") without demonstration of impact
- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces
- Impacts causing only the enumeration or confirmation of the existence of users or tenants
- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows
- Lack of SSL/TLS best practices
- Impacts that only require DDoS
- UX and UI impacts that do not materially disrupt use of the platform
- Impacts primarily caused by browser/plugin defects
- Leakage of non-sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)
- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)
- SPF/DMARC misconfigured records
- Missing HTTP Headers without demonstrated impact
- Automated scanner reports without demonstrated impact
- UI/UX best practice recommendations
- Non-future-proof NFT rendering.
Reporting rules
- Rewards or recognition require that the Mind Network security team can reproduce and verify an issue and that the security impact is clear;
- Reproduction steps need to be clear, and may include screenshots, videos, scripts, etc;
- Do not conduct social engineering or phishing against people;
- Do not leak the details of the vulnerability;
- Do not use a scanner for large-scale scanning. If the business system or network becomes unavailable, it will be handled according to the relevant laws;
- Testers should avoid modifying pages directly, repeatedly popping up message boxes (logging is recommended for XSS verification), stealing cookies, and using aggressive payloads such as ones that obtain user information (for blind XSS testing, please use DNSLog). If you accidentally used a more aggressive payload, please delete it promptly;
- Vulnerability testing is limited to a PoC (proof of concept); destructive testing is strictly prohibited. If harm is caused inadvertently during testing, it should be reported promptly. Sensitive operations performed during the test, such as deletion, modification, and other operations, must be explained in the report.
About
Mind Network introduces an FHE Restaking Layer built upon the restaking framework to further scale consensus security.
Start: 1 Jun 2024 07:27 (UTC+3)
Status: Open (event started, registration open)