LCX, the Liechtenstein Cryptoassets Exchange, is a next generation cryptocurrency exchange and was founded in 2018. LCX has obtained 8 crypto-related registrations by the Financial Market Authority Liechtenstein, operates in accordance with the new blockchain laws, and has introduced a comprehensive crypto compliance suite.
In Scope
Target |
Type |
Severity |
Reward |
*.LCX.com |
Web |
Critical |
Bounty |
API https://exchange.lcx.com/v1/docs/ |
API |
Critical |
Bounty |
In-Scope Vulnerabilities
We are interested in the following vulnerabilities:
- Business logic issues
- Remote code execution (RCE)
- Payments manipulation or significant manipulation of account balance
- XSS/CSRF/Clickjacking affecting sensitive actions with clear PoC and significant impact. Sensitive actions include: depositing, trading, or sending money; OAuth or API Key actions or manipulation
- Theft of privileged information. Privileged information includes: KYC data, passwords, API keys or equivalent
- Injection vulnerabilities (SQL, XXE)
- File inclusions (Local & Remote)
- Access Control Issues (IDOR, Privilege Escalation, etc)
- Leakage of sensitive information
- Server-Side Request Forgery (SSRF)
- Cross-Site Request Forgery (CSRF)
- Cross-Site Scripting (XSS)
- Directory traversal
- Other vulnerability with a clear potential loss
- Partial authentication bypass
- Other XSS (excluding Self-XSS)
- Other vulnerability with clear potential for financial or data loss
-
- Other CSRF (excluding logout CSRF)
Out-of-Scope Vulnerabilities
Vulnerabilities found in out of scope resources are unlikely to be rewarded unless they present a serious business risk (at our sole discretion). In general, the following vulnerabilities do not correspond to the severity threshold:
- Vulnerabilities in third-party applications
- Assets that do not belong to the company
- Best practices concerns
- Recently (less than 30 days) disclosed 0day vulnerabilities
- Vulnerabilities affecting users of outdated browsers or platforms
- Social engineering, phishing, physical, or other fraud activities
- Publicly accessible login panels without proof of exploitation
- Reports that state that software is out of date/vulnerable without a proof of concept
- Reports that generated by scanners or any automated or active exploit tools
- Vulnerabilities involving active content such as web browser add-ons
- Most brute-forcing issues without clear impact
- Denial of service (DoS/DDoS)
- Theoretical issues
- Moderately Sensitive Information Disclosure
- Spam (sms, email, etc)
- Missing HTTP security headers
-
Infrastructure vulnerabilities, including:
-
Certificates/TLS/SSL-related issues;
- DNS issues (i.e. MX records, SPF records, DMARC records etc.);
-
Server configuration issues (i.e., open ports, TLS, etc.)
-
Open redirects
- Session fixation
- User account enumeration
- Clickjacking/Tapjacking and issues only exploitable through clickjacking/tap jacking
- Descriptive error messages (e.g. Stack Traces, application or server errors)
- Self-XSS that cannot be used to exploit other users
- Login & Logout CSRF
- Weak Captcha/Captcha Bypass
- Lack of Secure and HTTPOnly cookie flags
- Username/email enumeration via Login/Forgot Password Page error messages
- CSRF in forms that are available to anonymous users (e.g. the contact form)
- OPTIONS/TRACE HTTP method enabled
- Host header issues without proof-of-concept demonstrating the vulnerability
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Content Spoofing without embedded links/HTML
- Reflected File Download (RFD)
- Mixed HTTP Content
- HTTPS Mixed Content Scripts
- Manipulation with Password Reset Token
- MitM and local attacks
- Avoid using web application scanners for automatic vulnerability searching which generates massive traffic
- Make every effort not to damage or restrict the availability of products, services, or infrastructure
- Avoid compromising any personal data, interruption, or degradation of any service
- Don’t access or modify other user data, localize all tests to your accounts
- Perform testing only within the scope
- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam
- Don’t spam forms or account creation flows using automated scanners
- In case you find chain vulnerabilities we’ll pay only for vulnerability with the highest severity.
- Don’t break any law and stay in the defined scope
- Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission
In Scope
Scope Type |
Scope Name |
api |
API |
web_application |
*.LCX.com |
This program have been found on Hackenproof on 2021-09-13.