The scope consists of all Solidity contracts in the github repository. The commit hash within audit scope is
Greatest areas of interest are:
Stealing assets, both NFTs and other types of tokens.
Freezing contracts and assets, both NFTs and other types of tokens.
Bypassing: unauthorized access or escalating permissions in any contract.
All matters related to the custom Bonding Curve.
Not in scope:
Anything covered by existing disclosures and audits.
Frontend software and general infrastructure.
Social engineering, Denial of Service, Mining and Frontrunning vectors.
Third party contracts or code.
All terms related to bounties including eligibility and rewards are at the discretion of the NIFTEX team.
Public disclosure of a vulnerability makes it ineligible for a bounty. Instead, issues must be submitted to [email protected].
Steps to replicate the issue must be provided.
The issue must be unknown to the team and not covered by existing audits or other users.
Do not disclose vulnerabilities until after they have been fixed.
Do not violate any applicable laws.
Do not run exploits on mainnet or testnet.
Do not profit or allow others to profit from issues found outside of bounty rewards.
Paid auditors are not eligible for rewards.
Rewards are determined using the OWASP risk rating methodology, taking into account the likelihood and impact of the issue:
Critical: up to $10,000.
High: up to $5,000.
Medium: up to $2,000.
Low: up to $500.
Exact determination is at the sole discretion of the NIFTEX team, and also depends on elements such as the quality of the description, the quality of reproducibility, and the quality of the fix, if included. Vulnerability tiers encompass the following (based on the Authereum bug bounty program):
Critical Severity: Attackers can unilaterally exploit the finding without significant roadblocks or special conditions outside attacker control. They can steal or freeze all user assets. They can acquire admin abilities (upgrade, add admin key, remove admin key, etc.) or maliciously trigger or prevent them.
High Severity: Attackers can steal or freeze some users' assets. An attacker may be able to acquire admin abilities (upgrade, add admin key, remove admin key, etc.) or maliciously trigger or prevent them.
Medium Severity: An attacker may disrupt the system but is not able to access funds. They can hinder users and their experience, or render any part of the NIFTEX system in a suboptimal state for a short time.
Low Severity: An attacker may cause unexpected behavior to the system, but does not cause downtime or affect any user's funds.
The program currently has a budget of $50,000.
Please allow time for the team to investigate an issue once reported.
Documentation can be found at docs.niftex.org.
The Ethereum Bounty Program's FAQ has an example of what a good submission should look like.
The bug bounty program is an experimental and discretionary rewards program for the active NIFTEX community to encourage and reward those who are helping to improve the platform. It is not a competition. You should know that we can cancel the program at any time, and awards are at the sole discretion of the NIFTEX team. In addition, we are not able to issue awards to individuals who are on sanctions lists or who are in countries on sanctions lists (e.g. North Korea, Iran, etc.). You are responsible for all taxes. All awards are subject to applicable law. Finally, your testing must not violate any law or compromise any data that is not yours.