Mind Network Bug Bounty Program - DropsEarn
Mind Network Bug Bounty Program

Reward pool: Not set (USDC)

Expected profit: up to $50,000 (up to 50,000 USDC)

Max participants: No limit

DropsEarn score: Neutral (Hard, Low Risks)

Details

Rewards will be provided according to the rules of this bug bounty program as outlined on this page. At the discretion of Mind Network, the quality, creativity, or novelty of a submission may modify the payout within the given range. In case of multiple reports about the same issue, Mind Network will reward the earliest submission, regardless of how the issue was reported. Vulnerabilities will be rated using the CVSS 3.1 standard.

Blockchain & Smart Contracts

  • Critical (10,000 ~ 50,000 USDC): Critical severity vulnerabilities have a significant impact on the security of the project; fixing them is strongly recommended.
  • High (2,500 ~ 10,000 USDC): High severity vulnerabilities affect the normal operation of the project; fixing them is strongly recommended.
  • Medium (500 ~ 2,500 USDC): Medium severity vulnerabilities affect the operation of the project; fixing them is recommended.
  • Low (50 ~ 500 USDC): Low severity vulnerabilities may affect the operation of the project in certain scenarios; the project team should evaluate whether they need to be fixed.

Websites and Applications

  • Critical (1,000 ~ 5,000 USDC): Critical severity vulnerabilities have a significant impact on the security of the project; fixing them is strongly recommended.
  • High (300 ~ 1,000 USDC): High severity vulnerabilities affect the normal operation of the project; fixing them is strongly recommended.
  • Medium (100 ~ 300 USDC): Medium severity vulnerabilities affect the operation of the project; fixing them is recommended.
  • Low (0 ~ 100 USDC): Low severity vulnerabilities may affect the operation of the project in certain scenarios; the project team should evaluate whether they need to be fixed.

Scopes

Smart Contract

In Scope

Source Code: GitHub Repo

Contract Addresses (contract name, chain name, chain ID: contract address):

  • Strategy-STONE, ethereum, 1: 0xB072Fd98D0111f3F0420262F61b5829c9A092e56
  • Strategy-eETH, ethereum, 1: 0x421B0974467aEFA3E601968812CAD1f4c815004d
  • Strategy-ezETH, ethereum, 1: 0xa3E3dc1f87A9B77abff3a507EBDBa684e3bb5F4f
  • Strategy-stETH, ethereum, 1: 0x8600F649B39c37993f0E95Fd7E0e570C6475d708
  • MToken-STONE, ethereum, 1: 0xaB594175aeA69F8d8eF5C40eeF988b27e7Dd1Db8
  • MToken-eETH, ethereum, 1: 0xfA1caBe0Cdc19Bc9FC346F3e0961CC762f517D9E
  • MToken-ezETH, ethereum, 1: 0x6DEc9C5a65dc82543f62Ec9747F84b97b9E2a280
  • MToken-stETH, ethereum, 1: 0x1d64a52C1966E1d9a28D2d8Dec17645bd18D2034
  • Strategy-MockSTONE, sepolia, 11155111: 0x0952C34b9E96Ed75dEB1d4c113BcEd84E2b8d7a1
  • MToken-MockSTONE, sepolia, 11155111: 0x9877bA030355c71a8F676e1fb478CF23DFf7C930

Websites and Applications

In Scope

  • dapp.mindnetwork.xyz
  • dapptest.mindnetwork.xyz
  • www.mindnetwork.xyz

Out of Scope

Websites and Applications

  • Theoretical impacts without any proof or demonstration
  • Impacts involving attacks requiring physical access to the victim device
  • Impacts involving attacks requiring access to the local network of the victim
  • Reflected plain text injection (e.g. URL parameters, path, etc.)
      • This does not exclude reflected HTML injection with or without JavaScript
      • This does not exclude persistent plain text injection
  • Any impacts involving self-XSS
  • Captcha bypass using OCR without impact demonstration
  • CSRF with no state modifying security impact (e.g. logout CSRF)
  • Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as "httponly") without demonstration of impact
  • Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces
  • Impacts causing only the enumeration or confirmation of the existence of users or tenants
  • Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows
  • Lack of SSL/TLS best practices
  • Impacts that only require DDoS
  • UX and UI impacts that do not materially disrupt use of the platform
  • Impacts primarily caused by browser/plugin defects
  • Leakage of non-sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)
  • Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)
  • SPF/DMARC misconfigured records
  • Missing HTTP Headers without demonstrated impact
  • Automated scanner reports without demonstrated impact
  • UI/UX best practice recommendations
  • Non-future-proof NFT rendering

Reporting rules

  • Rewards or recognition require that the Mind Network security team can reproduce and verify the issue and that its security impact is clear;
  • Reproduction steps must be clear and may include screenshots, videos, scripts, etc.;
  • Do not conduct social engineering or phishing against people;
  • Do not leak the details of the vulnerability;
  • Do not use a scanner for large-scale scanning. If the business system or network becomes unavailable as a result, the matter will be handled according to the relevant laws;
  • When testing a vulnerability, avoid modifying pages directly, repeatedly triggering pop-up message boxes (console logging is recommended for XSS verification), stealing cookies, or using aggressive payloads that obtain data such as user information (for blind XSS testing, use DNSLog). If you accidentally used a more aggressive payload, remove it promptly;
  • Vulnerability testing is limited to a PoC (proof of concept); destructive testing is strictly prohibited. If harm is caused inadvertently during testing, report it promptly. Sensitive operations performed during the test, such as deletion, modification, and other operations, must be explained in the report.

About

Mind Network introduces an FHE Restaking Layer built upon the restaking framework to further scale consensus security.

Activity Type: Bug bounty, Development, Tech

Date: from 1 Jun 2024 07:27 (UTC+3)

Registration: Open

When Reward: None

Event Status: You can participate (Event started, Registration open)