URL: https://immunefi.com/bounty/zerion/
Submission: On March 02 via automatic, source links-suspicious — Scanned from DE



ZERION

Live since: 29 March 2022
KYC required: Yes
Maximum bounty: $25,000
Last updated: 29 December 2022


PROGRAM OVERVIEW

At Zerion, we are on a mission to empower more people around the world with
efficient, transparent, and censorship-resistant financial services.

We do this by building applications, tools, and infrastructure enabling any
smartphone holder, anywhere in the world, to build and manage their
decentralized finance (DeFi) portfolios. The company was founded in 2016 by a
technical team of crypto-native builders who sought to change the way
centralized financial services work, primarily driven by experiencing the lack
of financial opportunity within their countries.

Zerion has grown to become one of the most popular DeFi interfaces in the world.
Since inception, Zerion has processed over $1 billion in transaction volume and
serves more than 200K monthly active users from over 150 countries.

Zerion gives customers access to more than 50,000 digital assets, 60 protocols &
all NFTs on the Ethereum blockchain through their app, which streamlines the UI
of DeFi. Users can access tokens and invest through the app similar to exchanges
like Coinbase or Gemini, but do so using their own personal wallets like
MetaMask, meaning user funds and private keys aren’t controlled by or accessible
to Zerion.

For more information about Zerion, please visit https://zerion.io/.

This bug bounty program covers Zerion's smart contracts, website and app, and is
focused on preventing:

 * Loss of user funds
 * Leak of user data
 * Deletion of user data


REWARDS BY THREAT LEVEL

Rewards are distributed according to the impact of the vulnerability based on
the Immunefi Vulnerability Severity Classification System V2.2. This is a
simplified 5-level scale, with separate scales for websites/apps, smart
contracts, and blockchains/DLTs, focusing on the impact of the vulnerability
reported.

All web/app bug reports and Critical/High/Medium smart contract bug reports must
come with a PoC with an end-effect impacting an asset-in-scope in order to be
considered for a reward. Explanations and statements are not accepted as PoC and
code is required. In addition, all Critical/High/Medium bug reports must come
with a suggestion for a fix in order to be considered for a reward.

The following known issues are considered to be out of scope of this bounty
program:

 * All issues highlighted previously in the following audit report:
   * Peckshield Audit for DeFi SDK (August, 2020):
     https://drive.google.com/file/d/158GG-J681xAc4d8pMibpP_SFJikX4HPM/view?usp=sharing
   * Audit:
     https://github.com/zeriontech/defi-sdk/blob/interactive/audits/Zerion%20DeFi%20SDK%20Trail%20of%20Bits%20Audit%20Report.pdf
 * External apps having integrations with Zerion

Rewards for critical smart contract vulnerabilities are further capped at 10% of
economic damage, with the main consideration being the funds affected in
addition to PR and brand considerations, at the discretion of the team. However,
there is a minimum reward of USD 10 000 for Critical bug reports.

Critical website and application bug reports will be rewarded with the full USD
15 000 only if the impact leads to a direct loss in funds or a manipulation of
the votes or the voting result, as well as the modification of its display
leading to a misrepresentation of the result or vote. All other impacts that
would be classified as Critical would be rewarded no more than USD 10 000.

Zerion requires KYC to be done for all bug bounty hunters submitting a report
and wanting a reward. The information needed is email address, full name, and
country of residence.

Payouts are handled by the Zerion team directly and are denominated in USD.
However, payouts are done in USDC or DAI.

Smart Contract

 * Critical: up to USD $25,000 (PoC required)
 * High: USD $7,500 (PoC required)
 * Medium: USD $1,000 (PoC required)

Websites and Applications

 * Critical: up to USD $15,000 (PoC required)
 * High: USD $7,500 (PoC required)
 * Medium: USD $1,000 (PoC required)


ASSETS IN SCOPE

Smart Contract

 * DEFI_SDK_ROUTER_ADDRESS: https://etherscan.io/address/0xB2BE281e8b11b47FeC825973fc8BB95332022A54
 * DEFI_SDK_CORE_ADDRESS: https://etherscan.io/address/0xd291328a6c202c5b18dcb24f279f69de1e065f70
 * AAVE_ASSET_ADAPTER: https://etherscan.io/address/0x8B62C02091FE06AE3454D3c12921B32611Ba5501
 * WETH_ASSET_ADAPTER: https://etherscan.io/address/0x445830226347ef75867502e00e8D663842114F19
 * UNISWAP_ASSET_ADAPTER: https://etherscan.io/address/0xE1F28c0D8527eb28784bA15F6FF0A4371d7598E1
 * UNISWAP_EXCHANGE_ADAPTER: https://etherscan.io/address/0xE1F28c0D8527eb28784bA15F6FF0A4371d7598E1
 * SUSHISWAP_EXCHANGE_ADAPTER: https://etherscan.io/address/0x3b862d6f9ef92D3fF2142EC80A8968895B09127F
 * COMPOUND_ASSET_ADAPTER: https://etherscan.io/address/0xb8d9Ee15858799f9205a8d119C5050540feED6A5
 * AAVE_ASSET_ADAPTER: https://etherscan.io/address/0x77515760f30121Ea22D1cB9Fedcd5DD1BD8d3f15
 * AAVE_V2_ASSET_ADAPTER: https://etherscan.io/address/0x30EC4Ba79d951FA780b3B09158002854B6067847
 * CURVE_ASSET_ADAPTER: https://etherscan.io/address/0x1CeeA546AB6A3A3ee7Bc24cB1fac9e9Fe39a7368
 * CURVE_EXCHANGE_ADAPTER: https://etherscan.io/address/0x8Da0A907a1bdbB440D1fdb450672a8C003bc4f3A
 * BALANCER_ASSET_ADAPTER: https://etherscan.io/address/0xD893569CEf4AE3603bb7d688ca9d9C7111706cb3
 * BALANCER_V2_ASSET_ADAPTER: https://etherscan.io/address/0x6E02147cef2f078Da89f5913363C90420D934799
 * YEARN_ASSET_ADAPTER: https://etherscan.io/address/0x3516CA4cB19ECcc401a9C0D13C7fDb6b73990979
 * TOKEN_SET_REBALANCING_ADAPTER: https://etherscan.io/address/0xab1C497D853296881FE65BeD48861eFD6CeB74Ee
 * TOKEN_SET_NAV_ADAPTER: https://etherscan.io/address/0x76Ee466c5957310cfB793AC21097FE5786665961
 * TOKEN_SET_BASIC_ADAPTER: https://etherscan.io/address/0xAd748736E9436C8CB155a1F37c725C5a5170ba4A
 * BALANCER_MULTIINPUT_ADAPTER: https://etherscan.io/address/0x0A1D55a66F89b683163FefC7AaCD83fECc9872B1
 * ONE_INCH_EXCHANGE_V2_ADAPTER: https://etherscan.io/address/0x2BcDedbEB99Fb3B9383Fd686faAbDb6172FC6503
 * ONE_INCH_EXCHANGE_V3_ADAPTER: https://etherscan.io/address/0xe6189b3Ad3Fb3fAa87A336F00c93ECd3ac25d80d
 * ONE_INCH_LP_ASSET_ADAPTER: https://etherscan.io/address/0xD8f929FB13DAe09AAb49d812b8D0c80682d53696
 * ZERO_EX_EXCHANGE_ADAPTER: https://etherscan.io/address/0xe8C49A47f4385cCb6C90F5Fb0c0Aedc7E6e79EB0
 * DODO_ASSET_ADAPTER: https://etherscan.io/address/0xC9d30Ea2188eF0525b6328173FC9101539D2AA5A
 * DODO_V2_ASSET_ADAPTER: https://etherscan.io/address/0x278e57924Cd50cbE436586b35b8a1D5df9181165
 * OUSD_ASSET_ADAPTER: https://etherscan.io/address/0xAA048b52c765222008072472c5C2c2D47C02b4f1
 * ALPHA_HOMORA_V2_ASSET_ADAPTER: https://etherscan.io/address/0x31eb370a944213482B1B8990dC5A196d06b63F84
 * AMUN_BASKET_ASSET_ADAPTER: https://etherscan.io/address/0xe07C8e0f18083E66C65522Befc29887231ca3629
 * AMUN_LENDING_ASSET_ADAPTER: https://etherscan.io/address/0x784d97c29Ef870eB5D94c90B146d86d829384FC6
 * AMUN_LIQUIDITY_ASSET_ADAPTER: https://etherscan.io/address/0xc63e807bC6D65b84971b0A8CF8A673e551C9F85a
 * ZERO_EX_ORDERS_V2_EXCHANGE_ADAPTER: https://etherscan.io/address/0x288C14e3C6ECC8EeeCb5DDAb9a600591b7aD966E
 * G_UNI_ASSET_ADAPTER: https://etherscan.io/address/0x57551aba668a66d07Ffed72f4c09c2dA5223E4e4
 * UNISWAP_V3_EXCHANGE_ADAPTER: https://etherscan.io/address/0xC65756160866FCB7644e9AaC6C4B5832Da3A1c4b

Websites and Applications

 * Zerion Android App: https://play.google.com/store/apps/details?id=io.zerion.android&hl=en_US&gl=US
 * Zerion Apple App: https://apps.apple.com/us/app/zerion-crypto-defi-wallet/id1456732565
 * https://app.zerion.io/

All smart contracts of Zerion can be found at
https://github.com/zeriontech/defi-sdk. However, only those in the Assets in
Scope table are considered as in-scope of the bug bounty program.


IMPACTS IN SCOPE

Only the following impacts are accepted within this bug bounty program. All
other impacts are not considered as in-scope, even if they affect something in
the assets in scope table.

SMART CONTRACT

 * Critical: Theft and/or permanent freezing of assets
 * Critical: Any logic manipulation
 * High: Temporary freezing of funds for at least 1 hour
 * Medium: Unable to call smart contract
 * Medium: Unbounded gas consumption
 * Medium: Theft of gas

WEBSITES AND APPLICATIONS

 * Critical: Leak of user data
 * Critical: Deletion of user data
 * Critical: Redirected funds by address modification
 * Critical: Site goes down
 * Critical: Accessing sensitive pages without authorization
 * Critical: Users spoofing other users
 * Critical: Open redirects and modifying user's vital information
 * High: Injection of text
 * Medium: Redirecting users to malicious websites (open redirect)
 * Medium: Changing details of other users without direct financial impact (CSRF)
 * Medium: Third-party API key leakage that demonstrates loss of funds or modification
   on the website


OUT OF SCOPE & RULES

The following vulnerabilities are excluded from the rewards for this bug bounty
program:

 * Attacks that the reporter has already exploited themselves, leading to damage
 * Attacks requiring access to leaked keys/credentials
 * Attacks requiring access to privileged addresses
 * Attacks requiring physical access to a user's device, social engineering,
   phishing, physical, or other fraud activities

Smart Contracts and Blockchain

 * Incorrect data supplied by third party oracles
   * Not to exclude oracle manipulation/flash loan attacks
 * Lack of liquidity
 * Best practice critiques
 * Sybil attacks
 * Centralization risks

Websites and Apps

 * Theoretical vulnerabilities without any proof or demonstration
 * Self-XSS
 * Captcha bypass using OCR
 * CSRF with no security impact (logout CSRF, change language, etc.)
 * Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security
   flags (such as “httponly”)
 * Server-side information disclosure such as IPs, server names, and most stack
   traces
 * Vulnerabilities used to enumerate or confirm the existence of users or
   tenants
 * Vulnerabilities requiring unlikely user actions
 * URL Redirects (unless combined with another vulnerability to produce a more
   severe vulnerability)
 * Lack of SSL/TLS best practices
 * DDoS vulnerabilities
 * Attacks requiring privileged access from within the organization
 * Feature requests
 * Best practices
 * Vulnerabilities primarily caused by browser/plugin defects
 * Any vulnerability exploit requiring CSP bypass resulting from a browser bug

The following activities are prohibited by this bug bounty program:

 * Any testing with mainnet or public testnet contracts; all testing should be
   done on private testnets
 * Any testing with pricing oracles or third party smart contracts
 * Attempting phishing or other social engineering attacks against our employees
   and/or customers
 * Any testing with third party systems and applications (e.g. browser
   extensions) as well as websites (e.g. SSO providers, advertising networks)
 * Any denial of service attacks
 * Automated testing of services that generates significant amounts of traffic
 * Public disclosure of an unpatched vulnerability in an embargoed bounty

Copyright © Immunefi – Crypto bug bounty platform