Arnaud Deblander
Apr 7, 2022 4:30 PM

SuperBots is expanding, and to put that growth on the strongest possible foundation, we want everything to be right. We believe our security is already solid, but an outside review never hurts.

That’s why SuperBots is launching a Bug Bounty program. Are you a security researcher who wants to help make the platform even more secure? Or do you know someone who might be interested? Come and claim your rewards!

What is Superbots?

Simply put, SuperBots is the decentralized counterpart of its sister company, UpBots. But SuperBots is more than that: it also includes staking and NFTs, and for that expansion to be healthy, it has to be secure.

More precisely, SuperBots offers decentralized trading via “vaults”: users deposit capital into a vault, and that capital is traded on decentralized exchanges (DEXs) on their behalf. SuperBots offers a range of vaults, each trading on a DEX and following a defined trading strategy to get the most out of the deposited capital.

The vaults charge performance fees, which are distributed to the staking pool, to the developer of the trading algorithm, and, to a lesser extent, to SuperBots. SuperBots currently offers 8 bots, and many more will follow.

The Bug Bounty program

Rewards follow the classification system of our partner Immunefi, a simplified five-level severity scale ranging from “None” to “Critical”. Only findings with “High” or “Critical” impact are rewarded under this program.

The rewards are classified as follows:

Smart Contract

  • Critical: USD 8 000

  • High: USD 4 000

Websites and applications

  • Critical: USD 1 500

  • High: USD 1 000

Impacts in scope

Only the impacts listed below are accepted within this bug bounty program. Any other impact is considered out of scope, even if it affects an asset listed in the program’s scope table.

Smart Contracts/Blockchain

Critical

  • Direct theft of any user funds, whether at rest or in motion, other than unclaimed yield

  • Permanent freezing of funds

High

  • Temporary freezing of funds for at least 1 day

  • Manipulation of the tokens representing vault shares

Web/App

Critical

  • Ability to execute system commands on the server

  • Extraction of sensitive data or files from the server, such as /etc/passwd

  • Signing transactions for other users

  • Redirection of user deposits and withdrawals

  • Subdomain takeover resulting in financial loss (applies to subdomains with published contract or wallet addresses)

  • Wallet interaction modification resulting in financial loss

  • Direct theft of user funds

  • Tampering with transactions submitted to the user’s wallet

  • Submitting malicious transactions to an already-connected wallet

High

  • Spoofing content on the target application (Persistent)

  • Subdomain takeover without financial loss (applies to subdomains with no published addresses)

  • Privilege escalation to access unauthorized functionalities

Requirements and Bounty Program Closure

To be considered for a reward, every bug report must include a proof of concept (PoC) whose end effect impacts an in-scope asset. Written explanations and statements are not accepted as a PoC; working code is required. In addition, every report must include a suggested fix.

Prior to the official launch of SuperBots, this bug bounty program also has a hard cap of USD 25 000. If the rewards for valid reports exceed this amount, they are paid on a first-come, first-served basis, and the program will be closed once the full USD 25 000 has been paid out.

You can check more details here: https://immunefi.com/bounty/superbots/