Program Overview
Bitfari is a new protocol for digital advertising and ambient social media that makes cities smarter.
For more information about Bitfari, please read the whitepaper here: https://bitfari.org/whitepaper/
This bug bounty program is focused on Bitfari’s smart contracts. The focus is preventing:
- Loss of user funds
- Loss of governance funds
- Theft of unclaimed ad space
- Freezing of unclaimed ad space
- Temporary freezing of funds
- Unable to access a smart contract
Rewards by Level
We measure threat level using a simplified 5-level scale. Threats in smart contracts come first, threats in websites/apps come second, and the severity of an exploit is correlated with how entangled the unit where it was found is. A bug found in a highly connected smart contract or module is, on our scale, a bigger threat, and we will pay accordingly for it to be found and fixed.
Smart Contracts and Blockchain
Web and Apps
* These payment figures are for mainnet. If a bug is found on testnet, we will pay half of the figures above.
Prioritized Vulnerabilities
We are especially interested in receiving and rewarding vulnerabilities of the following types:
Smart Contracts and Blockchain
- Logic errors
  - including user authentication errors
- Trusting trust/dependency vulnerabilities
  - including composability vulnerabilities
- Oracle failure/manipulation
- Novel governance attacks
- Economic/financial attacks
- Congestion and scalability
  - including running out of gas
  - including block stuffing
  - including susceptibility to frontrunning
- Consensus failures
- Cryptography problems
- Signature malleability
- Susceptibility to replay attacks
- Weak randomness
- Weak encryption
- Susceptibility to block timestamp manipulation
- Missing access controls / unprotected internal or debugging interfaces
Websites and Apps
- Remote Code Execution
- Trusting trust/dependency vulnerabilities
- Vertical Privilege Escalation
- XML External Entities Injection
- SQL Injection
- LFI/RFI
- Horizontal Privilege Escalation
- Stored XSS
- Reflected XSS with impact
- CSRF with impact
- Direct object reference
- Internal SSRF
- Session fixation
- Insecure Deserialization
- DOM XSS
- SSL misconfigurations
- SSL/TLS issues (weak crypto, improper setup)
- URL redirect
- Clickjacking
- Misleading Unicode text