2021-06-21
Bunicorn

Bunicorn is an automated market maker (AMM) decentralized exchange (DEX). The program is focused on preventing the loss of user funds.

Scope

In Scope

Target                                 Type   Severity   Reward
Smart Contracts: https://github.com/bunicorndefi   SC     Critical   Bounty
Web: staging.buni.finance              Web    Critical   Bounty

Focus Area

IN-SCOPE VULNERABILITIES

Note: Under the Github link, only smart contract vulnerabilities are considered in-scope for the bug bounty program. Testnet contracts are out-of-scope.

We are interested in the following Smart Contracts and Blockchain vulnerabilities:

  • Reentrancy
  • Logic errors
      • Including user authentication errors
  • Solidity/EVM details not considered
      • Including integer over-/under-flow
      • Including rounding errors
      • Including unhandled exceptions
  • Trusting trust/dependency vulnerabilities
      • Including composability vulnerabilities
  • Oracle failure/manipulation
  • Novel governance attacks
  • Economic/financial attacks
      • Including flash loan attacks
  • Congestion and scalability
      • Including running out of gas
      • Including block stuffing
      • Including susceptibility to frontrunning
  • Consensus failures
  • Cryptography problems
      • Signature malleability
      • Susceptibility to replay attacks
      • Weak randomness
      • Weak encryption
  • Susceptibility to block timestamp manipulation
  • Missing access controls / unprotected internal or debugging interfaces

We are interested in the following WEB vulnerabilities:

  • Business logic issues
  • Payments manipulation
  • Remote code execution (RCE)
  • Database vulnerability, SQLi
  • File inclusions (Local & Remote)
  • Access Control Issues (IDOR, Privilege Escalation, etc)
  • Leakage of sensitive information
  • Server-Side Request Forgery (SSRF)
  • Other vulnerability with a clear potential loss

OUT-OF-SCOPE-VULNERABILITIES

OUT OF SCOPE - Smart Contracts and Blockchain

The following vulnerabilities are excluded from the rewards for this bug bounty program:

  • Attacks that the reporter has already exploited themselves, leading to damage
  • Attacks requiring access to leaked keys/credentials
  • Attacks requiring access to privileged addresses (governance, strategist)
  • Incorrect data supplied by third party oracles
      • Not to exclude oracle manipulation/flash loan attacks
  • Basic economic governance attacks (e.g. 51% attack)
  • Lack of liquidity
  • Best practice critiques
  • Sybil attacks

OUT OF SCOPE - WEB APPS

Vulnerabilities found in out-of-scope resources are unlikely to be rewarded unless they present a serious business risk (at our sole discretion). In general, the following vulnerabilities do not meet the severity threshold:

  • Vulnerabilities in third-party applications
  • Best practices concerns
  • Recently (less than 30 days) disclosed 0day vulnerabilities
  • Vulnerabilities affecting users of outdated browsers or platforms
  • Social engineering, phishing, physical, or other fraud activities
  • Publicly accessible login panels without proof of exploitation
  • Reports that state that software is out of date/vulnerable without a proof of concept
  • Vulnerabilities involving active content such as web browser add-ons
  • Most brute-forcing issues without clear impact
  • Denial of service
  • Theoretical issues
  • Moderately Sensitive Information Disclosure
  • Spam (sms, email, etc)
  • Missing HTTP security headers
  • Infrastructure vulnerabilities
  • Open redirects
  • Session fixation
  • User account enumeration
  • Clickjacking/Tapjacking and issues only exploitable through clickjacking/tap jacking
  • Descriptive error messages (e.g. Stack Traces, application or server errors)
  • Self-XSS that cannot be used to exploit other users
  • Login & Logout CSRF
  • Weak Captcha/Captcha Bypass
  • Lack of Secure and HTTPOnly cookie flags
  • Username/email enumeration via Login/Forgot Password Page error messages
  • CSRF in forms that are available to anonymous users (e.g. the contact form)
  • OPTIONS/TRACE HTTP method enabled
  • Host header issues without proof-of-concept demonstrating the vulnerability
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Content Spoofing without embedded links/HTML
  • Reflected File Download (RFD)
  • Mixed HTTP Content
  • HTTPS Mixed Content Scripts
  • DoS/DDoS issues
  • Manipulation with Password Reset Token
  • MitM and local attacks

Program Rules

  • Avoid using web application scanners for automated vulnerability searching, which generate massive traffic
  • Make every effort not to damage or restrict the availability of products, services or infrastructure
  • Avoid compromising any personal data, interruption or degradation of any service
  • Don’t access or modify other user data, localize all tests to your accounts
  • Perform testing only within the scope
  • Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks or spam
  • Don’t spam forms or account creation flows using automated scanners
  • In case you find chained vulnerabilities, we’ll pay only for the vulnerability with the highest severity.
  • Don’t break any law and stay in the defined scope
  • Any details of found vulnerabilities must not be communicated to anyone who is not a member of the HackenProof team or an authorized employee of this Company without appropriate permission

Rewards

Smart Contracts and Blockchain

  • Critical: USD 20 000 - USD 50 000
  • High: USD 10 000 - USD 20 000
  • Medium: USD 2 000 - USD 5 000
  • Low: Up to USD 2 000

Website and Apps

  • Critical: USD 3 000
  • High: USD 2 000
  • Medium: USD 1 000
  • Low: USD 500

Notes:

Rewards for Smart Contract vulnerabilities are variable based on their exploitability, and other factors deemed relevant by the Bunicorn team. For critical vulnerabilities, the payout is capped at 10% of economic damage. For critical smart contract vulnerabilities, up to 80% of the reward may be paid out in BUNI.


This program was found on HackenProof on 2021-06-21.

FireBounty © 2015-2024
