50076 policies in database
Link to program      
2021-06-21
Bunicorn logo
Thank
Gift
HOF
Reward

500 HKN 

Bunicorn

Bunicorn is an automated market-making (AMM) decentralized exchange (DEX). The program is focused on the prevention of loss of user funds.

Scope

In Scope

Target Type Severity Reward
Smart Contracts https://github.com/bunicorndefi SC Critical Bounty
Web staging.buni.finance Web Critical Bounty

Focus Area

IN-SCOPE VULNERABILITIES

Note: Under the Github link, only smart contract vulnerabilities are considered in-scope for the bug bounty program. Testnet contracts are out-of-scope.

We are interested in the following Smart Contracts and Blockchain vulnerabilities:

  • Reentrancy
  • Logic errors
  • Including user authentication errors
  • Solidity/EVM details not considered
  • Including integer over-/under-flow
  • Including rounding errors
  • Including unhandled exceptions
  • Trusting trust/dependency vulnerabilities
  • Including composability vulnerabilities
  • Oracle failure/manipulation
  • Novel governance attacks
  • Economic/financial attacks
  • Including flash loan attacks
  • Congestion and scalability
  • Including running out of gas
  • Including block stuffing
  • Including susceptibility to frontrunning
  • Consensus failures
  • Cryptography problems
  • Signature malleability
  • Susceptibility to replay attacks
  • Weak randomness
  • Weak encryption
  • Susceptibility to block timestamp manipulation
  • Missing access controls / unprotected internal or debugging interfaces

We are interested in the following WEB vulnerabilities:

  • Business logic issues
  • Payments manipulation
  • Remote code execution (RCE)
  • Database vulnerability, SQLi
  • File inclusions (Local & Remote)
  • Access Control Issues (IDOR, Privilege Escalation, etc)
  • Leakage of sensitive information
  • Server-Side Request Forgery (SSRF)
  • Other vulnerability with a clear potential loss

OUT-OF-SCOPE-VULNERABILITIES

OUT OF SCOPE - Smart Contracts and Blockchain

The following vulnerabilities are excluded from the rewards for this bug bounty program:

  • Attacks that the reporter has already exploited themselves, leading to damage
  • Attacks requiring access to leaked keys/credentials
  • Attacks requiring access to privileged addresses (governance, strategist)
  • Incorrect data supplied by third party oracles
  • Not to exclude oracle manipulation/flash loan attacks
  • Basic economic governance attacks (e.g. 51% attack)
  • Lack of liquidity
  • Best practice critiques
  • Sybil attacks

OUT OF SCOPE - WEB APPS

Vulnerabilities found in out of scope resources are unlikely to be rewarded unless they present a serious business risk (at our sole discretion). In general, the following vulnerabilities do not correspond to the severity threshold:

  • Vulnerabilities in third-party applications
  • Best practices concerns
  • Recently (less than 30 days) disclosed 0day vulnerabilities
  • Vulnerabilities affecting users of outdated browsers or platforms
  • Social engineering, phishing, physical, or other fraud activities
  • Publicly accessible login panels without proof of exploitation
  • Reports that state that software is out of date/vulnerable without a proof of concept
  • Vulnerabilities involving active content such as web browser add-ons
  • Most brute-forcing issues without clear impact
  • Denial of service
  • Theoretical issues
  • Moderately Sensitive Information Disclosure
  • Spam (sms, email, etc)
  • Missing HTTP security headers
  • Infrastructure vulnerabilities
  • Open redirects
  • Session fixation
  • User account enumeration
  • Clickjacking/Tapjacking and issues only exploitable through clickjacking/tap jacking
  • Descriptive error messages (e.g. Stack Traces, application or server errors)
  • Self-XSS that cannot be used to exploit other users
  • Login & Logout CSRF
  • Weak Captcha/Captcha Bypass
  • Lack of Secure and HTTPOnly cookie flags
  • Username/email enumeration via Login/Forgot Password Page error messages
  • CSRF in forms that are available to anonymous users (e.g. the contact form)
  • OPTIONS/TRACE HTTP method enabled
  • Host header issues without proof-of-concept demonstrating the vulnerability
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Content Spoofing without embedded links/HTML
  • Reflected File Download (RFD)
  • Mixed HTTP Content
  • HTTPS Mixed Content Scripts
  • DoS/DDoS issues
  • Manipulation with Password Reset Token
  • MitM and local attacks

Program Rules

  • Avoid using web application scanners for automatic vulnerability searching which generates massive traffic
  • Make every effort not to damage or restrict the availability of products, services or infrastructure
  • Avoid compromising any personal data, interruption or degradation of any service
  • Don’t access or modify other user data, localize all tests to your accounts
  • Perform testing only within the scope
  • Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks or spam
  • Don’t spam forms or account creation flows using automated scanners
  • In case you find chain vulnerabilities we’ll pay only for vulnerability with the highest severity.
  • Don’t break any law and stay in the defined scope
  • Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission

Rewards

Smart Contracts and Blockchain

  • Critical: USD 20 000 - USD 50 000
  • High: USD 10 000 - USD 20 000
  • Medium: USD 2 000 - USD 5 000
  • Low: Up to USD 2 000

Website and Apps

  • Critical: USD 3 000
  • High: USD 2 000
  • Medium: USD 1 000
  • Low: USD 500

Notes:

Rewards for Smart Contract vulnerabilities are variable based on their exploitability, and other factors deemed relevant by the Bunicorn team. For critical vulnerabilities, the payout is capped at 10% of economic damage. For critical smart contract vulnerabilities, up to 80% of the reward may be paid out in BUNI.

In Scope

Scope Type Scope Name
undefined

Smart Contracts

web_application

Web


This program have been found on Hackenproof on 2021-06-21.

FireBounty © 2015-2024

Legal notices | Privacy policy