URL:
https://immunefi.com/bounty/zerion/
Submission: On March 02 via automatic, source links-suspicious — Scanned from DE
ZERION

Live since: 29 March 2022
KYC required: Yes
Maximum bounty: $25,000
Last updated: 29 December 2022

PROGRAM OVERVIEW

At Zerion, we are on a mission to empower more people around the world with efficient, transparent, and censorship-resistant financial services. We do this by building applications, tools, and infrastructure enabling any smartphone holder, anywhere in the world, to build and manage their decentralized finance (DeFi) portfolios. The company was founded in 2016 by a technical team of crypto-native builders who sought to change the way centralized financial services work, primarily driven by experiencing the lack of financial opportunity within their countries.

Zerion has grown to become one of the most popular DeFi interfaces in the world. Since inception, Zerion has processed over $1 billion in transaction volume and serves more than 200K monthly active users from over 150 countries. Zerion gives customers access to more than 50,000 digital assets, 60 protocols & all NFTs on the Ethereum blockchain through their app, which streamlines the UI of DeFi. Users can access tokens and invest through the app similar to exchanges like Coinbase or Gemini, but do so using their own personal wallets like MetaMask, meaning user funds and private keys aren't controlled by or accessible to Zerion.

For more information about Zerion, please visit https://zerion.io/.

This bug bounty program covers Zerion's smart contracts, website and app, and is focused on preventing:

* Loss of user funds
* Leak of user data
* Deletion of user data

REWARDS BY THREAT LEVEL

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.2. This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.

All web/app bug reports and Critical/High/Medium smart contract bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC; code is required. In addition, all Critical/High/Medium bug reports must come with a suggestion for a fix in order to be considered for a reward.

The following known issues are considered to be out of scope of this bounty program:

* All issues highlighted previously in the following audit reports:
  * Peckshield Audit for DeFi SDK (August, 2020): https://drive.google.com/file/d/158GG-J681xAc4d8pMibpP_SFJikX4HPM/view?usp=sharing
  * Audit: https://github.com/zeriontech/defi-sdk/blob/interactive/audits/Zerion%20DeFi%20SDK%20Trail%20of%20Bits%20Audit%20Report.pdf
* External apps having integrations with Zerion

Rewards for critical smart contract vulnerabilities are further capped at 10% of economic damage, with the main consideration being the funds affected in addition to PR and brand considerations, at the discretion of the team. However, there is a minimum reward of USD 10 000 for Critical bug reports.

Critical website and application bug reports will be rewarded with the full USD 15 000 only if the impact leads to a direct loss in funds or a manipulation of the votes or the voting result, as well as the modification of its display leading to a misrepresentation of the result or vote.
All other impacts that would be classified as Critical would be rewarded no more than USD 10 000.

Zerion requires KYC to be done for all bug bounty hunters submitting a report and wanting a reward. The information needed is email address, full name, and country of residence.

Payouts are handled by the Zerion team directly and are denominated in USD. However, payouts are done in USDC or DAI.

Smart Contract

  Level      Payout              Requirement
  Critical   Up to USD $25,000   PoC Required
  High       USD $7,500          PoC Required
  Medium     USD $1,000          PoC Required

Websites and Applications

  Level      Payout              Requirement
  Critical   Up to USD $15,000   PoC Required
  High       USD $7,500          PoC Required
  Medium     USD $1,000          PoC Required

ASSETS IN SCOPE

Target (Type)

* https://etherscan.io/address/0xB2BE281e8b11b47FeC825973fc8BB95332022A54 (Smart Contract - DEFI_SDK_ROUTER_ADDRESS)
* https://etherscan.io/address/0xd291328a6c202c5b18dcb24f279f69de1e065f70 (Smart Contract - DEFI_SDK_CORE_ADDRESS)
* https://etherscan.io/address/0x8B62C02091FE06AE3454D3c12921B32611Ba5501 (Smart Contract - AAVE_ASSET_ADAPTER)
* https://etherscan.io/address/0x445830226347ef75867502e00e8D663842114F19 (Smart Contract - WETH_ASSET_ADAPTER)
* https://etherscan.io/address/0xE1F28c0D8527eb28784bA15F6FF0A4371d7598E1 (Smart Contract - UNISWAP_ASSET_ADAPTER)
* https://etherscan.io/address/0xE1F28c0D8527eb28784bA15F6FF0A4371d7598E1 (Smart Contract - UNISWAP_EXCHANGE_ADAPTER)
* https://etherscan.io/address/0x3b862d6f9ef92D3fF2142EC80A8968895B09127F (Smart Contract - SUSHISWAP_EXCHANGE_ADAPTER)
* https://etherscan.io/address/0xb8d9Ee15858799f9205a8d119C5050540feED6A5 (Smart Contract - COMPOUND_ASSET_ADAPTER)
* https://etherscan.io/address/0x77515760f30121Ea22D1cB9Fedcd5DD1BD8d3f15 (Smart Contract - AAVE_ASSET_ADAPTER)
* https://etherscan.io/address/0x30EC4Ba79d951FA780b3B09158002854B6067847 (Smart Contract - AAVE_V2_ASSET_ADAPTER)
* https://etherscan.io/address/0x1CeeA546AB6A3A3ee7Bc24cB1fac9e9Fe39a7368 (Smart Contract - CURVE_ASSET_ADAPTER)
* https://etherscan.io/address/0x8Da0A907a1bdbB440D1fdb450672a8C003bc4f3A (Smart Contract - CURVE_EXCHANGE_ADAPTER)
* https://etherscan.io/address/0xD893569CEf4AE3603bb7d688ca9d9C7111706cb3 (Smart Contract - BALANCER_ASSET_ADAPTER)
* https://etherscan.io/address/0x6E02147cef2f078Da89f5913363C90420D934799 (Smart Contract - BALANCER_V2_ASSET_ADAPTER)
* https://etherscan.io/address/0x3516CA4cB19ECcc401a9C0D13C7fDb6b73990979 (Smart Contract - YEARN_ASSET_ADAPTER)
* https://etherscan.io/address/0xab1C497D853296881FE65BeD48861eFD6CeB74Ee (Smart Contract - TOKEN_SET_REBALANCING_ADAPTER)
* https://etherscan.io/address/0x76Ee466c5957310cfB793AC21097FE5786665961 (Smart Contract - TOKEN_SET_NAV_ADAPTER)
* https://etherscan.io/address/0xAd748736E9436C8CB155a1F37c725C5a5170ba4A (Smart Contract - TOKEN_SET_BASIC_ADAPTER)
* https://etherscan.io/address/0x0A1D55a66F89b683163FefC7AaCD83fECc9872B1 (Smart Contract - BALANCER_MULTIINPUT_ADAPTER)
* https://etherscan.io/address/0x2BcDedbEB99Fb3B9383Fd686faAbDb6172FC6503 (Smart Contract - ONE_INCH_EXCHANGE_V2_ADAPTER)
* https://etherscan.io/address/0xe6189b3Ad3Fb3fAa87A336F00c93ECd3ac25d80d (Smart Contract - ONE_INCH_EXCHANGE_V3_ADAPTER)
* https://etherscan.io/address/0xD8f929FB13DAe09AAb49d812b8D0c80682d53696 (Smart Contract - ONE_INCH_LP_ASSET_ADAPTER)
* https://etherscan.io/address/0xe8C49A47f4385cCb6C90F5Fb0c0Aedc7E6e79EB0 (Smart Contract - ZERO_EX_EXCHANGE_ADAPTER)
* https://etherscan.io/address/0xC9d30Ea2188eF0525b6328173FC9101539D2AA5A (Smart Contract - DODO_ASSET_ADAPTER)
* https://etherscan.io/address/0x278e57924Cd50cbE436586b35b8a1D5df9181165 (Smart Contract - DODO_V2_ASSET_ADAPTER)
* https://etherscan.io/address/0xAA048b52c765222008072472c5C2c2D47C02b4f1 (Smart Contract - OUSD_ASSET_ADAPTER)
* https://etherscan.io/address/0x31eb370a944213482B1B8990dC5A196d06b63F84 (Smart Contract - ALPHA_HOMORA_V2_ASSET_ADAPTER)
* https://etherscan.io/address/0xe07C8e0f18083E66C65522Befc29887231ca3629 (Smart Contract - AMUN_BASKET_ASSET_ADAPTER)
* https://etherscan.io/address/0x784d97c29Ef870eB5D94c90B146d86d829384FC6 (Smart Contract - AMUN_LENDING_ASSET_ADAPTER)
* https://etherscan.io/address/0xc63e807bC6D65b84971b0A8CF8A673e551C9F85a (Smart Contract - AMUN_LIQUIDITY_ASSET_ADAPTER)
* https://etherscan.io/address/0x288C14e3C6ECC8EeeCb5DDAb9a600591b7aD966E (Smart Contract - ZERO_EX_ORDERS_V2_EXCHANGE_ADAPTER)
* https://etherscan.io/address/0x57551aba668a66d07Ffed72f4c09c2dA5223E4e4 (Smart Contract - G_UNI_ASSET_ADAPTER)
* https://etherscan.io/address/0xC65756160866FCB7644e9AaC6C4B5832Da3A1c4b (Smart Contract - UNISWAP_V3_EXCHANGE_ADAPTER)
* https://play.google.com/store/apps/details?id=io.zerion.android&hl=en_US&gl=US (Websites and Applications - Zerion Android App)
* https://apps.apple.com/us/app/zerion-crypto-defi-wallet/id1456732565 (Websites and Applications - Zerion Apple App)
* https://app.zerion.io/ (Websites and Applications)

All smart contracts of Zerion can be found at https://github.com/zeriontech/defi-sdk. However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.

IMPACTS IN SCOPE

Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.
SMART CONTRACT

* Theft and/or permanent freezing of assets (Critical Impact)
* Any logic manipulation (Critical Impact)
* Temporary freezing of funds for at least 1 hour (High Impact)
* Unable to call smart contract (Medium Impact)
* Unbounded gas consumption (Medium Impact)
* Theft of gas (Medium Impact)

WEBSITES AND APPLICATIONS

* Leak of user data (Critical Impact)
* Deletion of user data (Critical Impact)
* Redirected funds by address modification (Critical Impact)
* Site goes down (Critical Impact)
* Accessing sensitive pages without authorization (Critical Impact)
* Users spoofing other users (Critical Impact)
* Open redirects and modifying user's vital information (Critical Impact)
* Injection of text (High Impact)
* Redirecting users to malicious websites (open redirect) (Medium Impact)
* Changing details of other users without direct financial impact (CSRF) (Medium Impact)
* Third-Party API keys leakage that demonstrates loss of funds or modification on the website (Medium Impact)

OUT OF SCOPE & RULES

The following vulnerabilities are excluded from the rewards for this bug bounty program:

* Attacks that the reporter has already exploited themselves, leading to damage
* Attacks requiring access to leaked keys/credentials
* Attacks requiring access to privileged addresses
* Attacks requiring physical access to a user's device, social engineering, phishing, physical, or other fraud activities

Smart Contracts and Blockchain

* Incorrect data supplied by third party oracles
  * Not to exclude oracle manipulation/flash loan attacks
* Lack of liquidity
* Best practice critiques
* Sybil attacks
* Centralization risks

Websites and Apps

* Theoretical vulnerabilities without any proof or demonstration
* Self-XSS
* Captcha bypass using OCR
* CSRF with no security impact (logout CSRF, change language, etc.)
* Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as "httponly")
* Server-side information disclosure such as IPs, server names, and most stack traces
* Vulnerabilities used to enumerate or confirm the existence of users or tenants
* Vulnerabilities requiring unlikely user actions
* URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)
* Lack of SSL/TLS best practices
* DDoS vulnerabilities
* Attacks requiring privileged access from within the organization
* Feature requests
* Best practices
* Vulnerabilities primarily caused by browser/plugin defects
* Any vulnerability exploit requiring CSP bypass resulting from a browser bug

The following activities are prohibited by this bug bounty program:

* Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
* Any testing with pricing oracles or third party smart contracts
* Attempting phishing or other social engineering attacks against our employees and/or customers
* Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
* Any denial of service attacks
* Automated testing of services that generates significant amounts of traffic
* Public disclosure of an unpatched vulnerability in an embargoed bounty

Copyright © Immunefi – Crypto bug bounty platform