CoinFLEX Bug Bounty Program

At CoinFLEX, security is of the utmost importance to us and our users. Hence, we wish to present to you the CoinFLEX Bug Bounty Program. The aim of this program is to more effectively engage with our community and supporters in reporting any bugs and vulnerabilities.

Ellipse 16

Responsible Disclosure Policy

CoinFLEX hosts a bug bounty on Immunefi at the address https://immunefi.com/bounty/coinflex/

This can be verified at https://github.com/coinflex-exchange/coinflex-bug-bounty-program/blob/main/bugbounty.md

If you have found a vulnerability in our project, it must be submitted through Immunefi’s platform.

Immunefi will handle bug bounty communications.

See the bounty page at Immunefi for more details on accepted vulnerabilities, payout amounts, and rules of participation.

Bounty Program Rules

If you have found a vulnerability in our project, it must be submitted through Immunefi’s platform. Immunefi will handle bug bounty communications.

Please provide detailed reports with reproducible steps.

If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.

When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).

Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

Social engineering (e.g. phishing, vishing, smishing) is prohibited.

Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.

Only interact with accounts you own or with explicit permission of the account holder.

Please note that only vulnerabilities with a working proof of concept that shows how it can be exploited will be considered eligible for monetary rewards.

We have a testnet (Stage) environment at https://v2stg.coinflex.com.

If you believe a reproduction could potentially harm service of the platform, please do a reproduction on Stage.

Requirements

We require that researchers:

Do not access customer or employee personal information, pre-release CoinFLEX content, or confidential information. If you accidentally access any of these, please stop testing and submit the vulnerability.

Stop testing and report the issue immediately if you gain access to any non-public application or non-public credentials.

Do not degrade the CoinFLEX user experience, disrupt production systems, or destroy data during security testing.

Perform research only within the scope.

Submit any necessary screenshots, screen captures, network requests, reproduction steps or similar.

When investigating a vulnerability, please only target your own account and do not attempt to access data from anyone else’s account.

Securely delete CoinFLEX information that may have been downloaded, cached, or otherwise stored on the systems used to perform the research.

If you fulfill these requirements, CoinFLEX will:

Work with you to understand and attempt to resolve the issue quickly (confirming the report within 7 days of submission)

Recognize your contribution in our Security Researcher Hall of Fame, if you are the first to report the issue.

Pay you for your research for unique vulnerabilities that meet the guidelines listed below if you are the first to report the issue to us.

To encourage responsible disclosure, CoinFLEX will not file a lawsuit against you or ask law enforcement to investigate you if we determine that your research and disclosure meets these requirements and guidelines.

If you have any questions regarding the CoinFLEX program, please reach out to [email protected]

Impacts in Scope

Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.

Smart Contracts

  • Loss of user funds staked (principal) by freezing or theft
  • Loss of governance funds
  • Theft of unclaimed yield
  • Freezing of unclaimed yield
  • Temporary freezing of funds for X minutes/hours/days
  • Unable to call smart contract
  • Smart contract gas drainage
  • Smart contract fails to deliver promised returns
  • Vote manipulation
  • Incorrect polling actions

Web/App

  • Leak of user data
  • Deletion of user data
  • Redirected funds by address modification
  • Site goes down
  • Accessing sensitive pages without authorization
  • Injection of text 
  • Users spoofing other users
  • Shell access on server

API/Websockets – GUI (protected and auth) and docs.coinflex.com

  • Unauthorised access
  • SQL Injection
  • Chaining
  • Incorrect methods allowed Unexpected behaviour leading to a bug
  • Site going down / service unavailability
  • Leak of user data Deletion or modification of user data
  • Triggering incorrect balance updates
  • Redirecting funds by address modification
  • Accessing sensitive pages without authorisation

Prioritized vulnerabilities

 We are especially interested in receiving and rewarding vulnerabilities of the following types:

 Smart Contracts and Blockchain 

  • Re-entrancy
  • Logic errors
    • including user authentication errors
  • Solidity/EVM details not considered
    • including integer over-/under-flow
    • Including rounding errors
    • including unhandled exceptions
  • Trusting trust/dependency vulnerabilities
    • including composability vulnerabilities
  • Oracle failure/manipulation
  • Novel governance attacks
  • Economic/financial attacks
    • including flash loan attacks
  • Congestion and scalability
    • including running out of gas
    • including block stuffing
    • including susceptibility to frontrunning
  • Consensus failures
  • Cryptography problems
    • Signature malleability
    • Susceptibility to replay attacks
    • Weak randomness
    • Weak encryption
  • Susceptibility to block timestamp manipulation
  • Missing access controls / unprotected internal or debugging interfaces

Websites and Apps

  • Cross Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Brute force
  • SQL Injection (SQLi)
  • Insecure storage
  • Authentication related issues
  • Authorization related issues
  • Data Exposure
  • Redirection attacks
  • Remote Code Execution
  • Business Logic
  • Particularly clever vulnerabilities or unique issues that do not fall into explicit categories
  • Mobile-specific API vulnerabilities

Out of Scope & Rules

The following vulnerabilities are excluded from the rewards for this bug bounty program:

  • Attacks that the reporter has already exploited themselves, leading to damage
  • Attacks requiring access to leaked keys/credentials
  • Attacks requiring access to privileged addresses (governance, strategist)

Smart Contracts and Blockchain

  • Incorrect data supplied by third party oracles
    • Not to exclude oracle manipulation/flash loan attacks
  • Basic economic governance attacks (e.g. 51% attack)
  • Lack of liquidity
  • Best practice critiques
  • Sybil attacks

Websites and Apps

  • Cookie expiration
  • Cookie migration/sharing
  • Forgot password autologin
  • Autologin token reuse
  • Static content over HTTP
  • Vulnerabilities related to offline playback.
  • Free trials
  • Same Site Scripting
  • Physical Testing
  • Social Engineering
  • Insecure deserialization
  • XML external entities (XXE)
  • For example, attempts to steal cookies, fake login pages to collect credentials
  • Phishing
  • Resource Exhaustion attacks
  • Denial of service attacks (DDoS)
  • Issues related to rate limiting
  • Login or Forgot Password page brute force and account lockout not enforced
  • Services listening on port 80
  • Internal IP address disclosure
  • Issues related to cross-domain policies for software such as flash, Silverlight etc. without evidence of an exploitable vulnerability
  • Weak password policies
  • Vulnerabilities impacting only old/end-of-life browsers/plugins including:
  • Issues that have had a patch available from the vendor for at least 6 months
  • Issues on software that is no longer maintained (announced as unsupported/end-of-life or no patches issued in at least 6 months)
  • Vulnerabilities primarily caused by browser/plugin defects and not representative of defects in the security of CoinFLEX systems or software (e.g. UXSS)
  • Reports relating to root certificates
  • Vulnerability reports related to the reported version numbers of web servers, services, or frameworks
  • Vulnerability reports relating to exposure of non critical files. E.G. robots.txt, sitemap.xml, .gitignore
  • Vulnerability reports relating to sites or network devices not owned by CoinFLEX
  • Vulnerability reports that require a large amount of user cooperation to perform, unlikely or unreasonable actions which would be more symptomatic of a social engineering or phishing attack and not an application vulnerability (e.g. disabling browser security features, sending the attacker critical information to complete the attack, guiding the user through a particular flow and requiring them to enter malicious code themselves, etc.)

All bug bounty hunters are required to adhere to the following rules:

  • Do not access customer or employee personal information, pre-release CoinFLEX content, or confidential information. If you accidentally access any of these, please stop testing and submit the vulnerability.
  • Stop testing and report the issue immediately if you gain access to any non-public application or non-public credentials.
  • Do not degrade the CoinFLEX user experience, disrupt production systems, or destroy data during security testing.
  • Perform research only within the scope and, for smart contracts, only on private testnets.
  • Submit any necessary screenshots, screen captures, network requests, reproduction steps or similar.
  • When investigating a vulnerability, please only target your own account and do not attempt to access data from anyone else’s account.
  • Securely delete CoinFLEX information that may have been downloaded, cached, or otherwise stored on the systems used to perform the research.

Additional Terms

Your testing must comply with applicable laws. This program is not an offer of employment. Whether to pay a reward and in what amount is at CoinFLEX’s discretion. You are responsible for any taxes associated with a reward you receive. We may modify or cancel this program at any time.

Your Report

Please note your report should contain the following at minimum to be considered:

  • URLs affected
  • Description
  • Impact
  • Proof of concept ( with screenshots or video if applicable)
  • Mitigation/recommended fix
  • Rewards

The rewards are granted on a case by case basis depending on the threat level and report’s quality. Rewards will be paid in BTC.

Smart Contracts and Blockchain

  • Critical Up to USD 100 000
  • High USD 10 000
  • Medium USD 5 000
  • Low USD 1 000

Website and Apps

  • Critical USD 10 000
  • High USD 1 000
  • Medium USD 250
  • Low USD 50

Once your submission is accepted, we will ask you to provide either of the following to receive your reward:

Email address registered on CoinFLEX

Your wallet address

Payments are made every Monday at 3pm UTC. If you have not received payment or a response then please get in touch again.