Obyte
Program Overview
Obyte is a distributed ledger based on directed acyclic graph (DAG) and is without middlemen. Unlike centralized ledgers and blockchains, access to the Obyte ledger is decentralized, disintermediated, free (as in freedom), equal, and open.
The Obyte Foundation is interested in securing their network, their core library, their GUI wallet, and one of their autonomous agents (smart contract). Primary areas of concern are around loss of user funds, DoS, and total network shutdown.
Rewards by Threat Level
Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.2. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, and in Obyte’s case, its DAG, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.
In order to qualify for the reward of USD 50 000, the bug reported must be able to cause unrecoverable total network shutdown of the entire Obyte network or allow the unpermitted execution of transactions from accounts of other users without their private keys. All other critical bug reports are capped at USD 2 500.
Theft of yield/interest in this bug bounty program is considered Low.
All web and app bug reports must come with a PoC. All bug reports submitted without PoC will be rejected with instructions to provide PoC.
The web/app impacts of “Stealing User Cookies” and “Bypassing Authentication” are only accepted if they result in a loss of at least USD 1 000. The web/app impact of “Ability to execute system commands” is only accepted if the actions are done as root.
Payouts are handled by the Obyte Foundation directly and are denominated in USD. The payout can be completed in GBYTE, BTC, or OUSD.
Smart Contract
- Critical
- Level
- up to USD $50,000
- Payout
- High
- Level
- USD $2,000
- Payout
- Medium
- Level
- USD $1,000
- Payout
Websites and Applications
- Critical
- Level
- USD $2,500
- Payout
- High
- Level
- USD $2,000
- Payout
- Medium
- Level
- USD $1,000
- Payout
Assets in scope
- Smart ContractType
- Smart Contract - Autonomous Agent (similar to Ethereum Smart Contract)Type
- Smart Contract - Smart Contracts and Autonomous Agents for Counterstake cross-chain bridgeType
- Websites and Applications - WalletType
Impacts in scope
Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.
Blockchain/DLT
- Network not being able to confirm new transactions (Total network shutdown)CriticalImpact
- Unintended permanent chain split requiring hard fork (Network partition requiring hard fork)CriticalImpact
- Direct loss of fundsCriticalImpact
- Permanent freezing of funds (fix requires hardfork)CriticalImpact
- Unintended chain split (Network partition)HighImpact
- Transient consensus failuresHighImpact
- High compute consumption by full nodesMediumImpact
- Attacks against thin clientsMediumImpact
- DoS of greater than 30% of order provider nodes and does not shut down the networkMediumImpact
- DoS of greater than 10% but less than 30% of order provider nodes and does not shut down the networkLowImpact
- Underpricing transaction fees relative to computation timeLowImpact
Smart Contract
- Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yieldCriticalImpact
- Permanent freezing of fundsCriticalImpact
- Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yieldCriticalImpact
- Any governance voting result manipulationCriticalImpact
- Theft of unclaimed yieldHighImpact
- Permanent freezing of unclaimed yieldHighImpact
- Temporary freezing of fundsHighImpact
- Smart contract unable to operate due to lack of token fundsMediumImpact
- Griefing (e.g. no profit motive for an attacker, but significant damage to the users or the protocol)MediumImpact
- Theft of gasMediumImpact
- Unbounded gas consumptionMediumImpact
- Contract fails to deliver promised returns, but doesn't lose valueLowImpact
Websites and Applications
- Ability to execute system commandsCriticalImpact
- Extract Sensitive data/files from the serverCriticalImpact
- Taking Down the application/websiteCriticalImpact
- Stealing User CookiesCriticalImpact
- Bypassing AuthenticationCriticalImpact
- Redirection of user deposits and withdrawalsCriticalImpact
- Signing transactions for other usersCriticalImpact
- Subdomain takeover resulting in financial loss (applicable for subdomains with addresses published)CriticalImpact
- Wallet interaction modification resulting in financial lossCriticalImpact
- Direct theft of user fundsCriticalImpact
- Tampering with transactions submitted from the user’s walletCriticalImpact
- Spoofing content on the target application (Persistent)HighImpact
- Users Confidential information disclosure such as EmailHighImpact
- Privilege escalation to access unauthorized functionalitiesHighImpact
- Changing details of other users without direct financial impact (CSRF)MediumImpact
- Third-Party API keys leakage that demonstrates loss of funds or modification on the websiteMediumImpact
- Redirecting users to malicious websites (Open Redirect)MediumImpact
- Framing sensitive pages leading to financial loss (ClickJacking)LowImpact
- Any impact involving a publicly released CVE without a working PoCLowImpact
- Broken Link HijackingLowImpact
Out of Scope & Rules
The following vulnerabilities are excluded from the rewards for this bug bounty program:
- Attacks that the reporter has already exploited themselves, leading to damage
- Attacks requiring access to leaked keys/credentials
- Attacks requiring access to privileged addresses (governance, strategist)
Smart Contracts and DAG
- Incorrect data supplied by third party oracles
- Not to exclude oracle manipulation/flash loan attacks
- Basic economic governance attacks (e.g. 51% attack)
- Lack of liquidity
- Best practice critiques
- Sybil attacks
Websites and Apps
- Theoretical vulnerabilities without any proof or demonstration
- Content spoofing / Text injection issues
- Self-XSS
- Captcha bypass using OCR
- CSRF with no security impact (logout CSRF, change language, etc.)
- Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”)
- Server-side information disclosure such as IPs, server names, and most stack traces
- Vulnerabilities used to enumerate or confirm the existence of users or tenants
- Vulnerabilities requiring unlikely user actions
- URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)
- Lack of SSL/TLS best practices
- DDoS vulnerabilities
- Attacks requiring privileged access from within the organization
- Requests for new features
- Bugs without proof-of-concept exploits showing impact
The following activities are prohibited by bug bounty program:
- Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
- Any testing with pricing oracles or third party smart contracts
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty