Updates: This bug bounty was created for the first mainnet deployment. We are still running ongoing bug bounty campaigns for the various code bases that we have. Please check the corresponding GitHub repository for the scope of the bug bounty and the corresponding rewards for reported valid bugs.

Overview

Our exchange is about to go live on mainnet soon and we are starting a bug bounty program for the exchange smart contracts and exchange wallet web application.

Our smart contracts are available here. Our wallet application is available here. (Note the relevant branches are bug_bounty in both repositories.)

Major bug finds will be rewarded up to $20,000 (in KNC). Higher rewards are possible (up to $50,000 in KNC) in case of very severe vulnerabilities.

Most of the rules on https://bounty.ethereum.org apply in our bounty program:

First come, first serve

Issues that have already been submitted by another user or are already known to the Kyber Network team are not eligible for bounty rewards

Public disclosure of a vulnerability makes it ineligible for a bounty

Paid auditors of this code are not eligible for rewards

Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of the Kyber Network team

Scope

Smart contracts

The scope of the smart contracts bug bounty is limited to the files in the contract directory in the bug_bounty branch excluding mockContracts and abi directories. Moreover, the current scope of the bug bounty covers only bugs that either:

Put user funds at risk (excluding gas fees); or

Give unauthorized accounts (i.e., accounts that are neither operator nor admin) the option to steal reserve funds.

An overview of the contract functionality is available here.

We formally define loss of user funds as an exchange operation in which the user received an effectively worse conversion rate than the one he or she specified. The minimal conversion rate is assumed to be given in 10¹⁸ resolution, i.e., a 1:2.3 conversion rate is given as 23*10¹⁷ (more details are given here). Rounding errors of only a few token wei are neglected for the purpose of this bug bounty.
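As an added illustration of the definition above (this is example code written for this page, not Kyber Network's contract or wallet code), the check below applies the 10¹⁸ fixed-point rate convention to a trade: it derives the smallest destination amount the user agreed to from the source amount and the minimal conversion rate, and reports a loss only when the shortfall exceeds a small wei tolerance. The function names, the 10-wei tolerance and the sample amounts are assumptions chosen for the example.

```python
# Example check of "user lost funds" under the 10**18 rate convention.
# Not Kyber's code; names, tolerance and sample amounts are assumptions.

PRECISION = 10**18  # a 1:1 rate is 10**18; a 1:2.3 rate is 23 * 10**17


def effective_rate(src_amount: int, dest_amount: int) -> int:
    """Realised conversion rate in 10**18 resolution (dest per unit of src),
    rounded down the way integer arithmetic in a contract would."""
    if src_amount <= 0:
        raise ValueError("src_amount must be positive")
    return dest_amount * PRECISION // src_amount


def expected_dest(src_amount: int, min_conversion_rate: int) -> int:
    """Smallest destination amount implied by the user's minimal rate."""
    return src_amount * min_conversion_rate // PRECISION


def user_lost_funds(src_amount: int, dest_amount: int,
                    min_conversion_rate: int,
                    rounding_tolerance_wei: int = 10):
    """Return (lost, shortfall_wei).

    lost is True when the user received less than the minimal rate entitles
    them to by more than the tolerance; a shortfall of a few wei is treated
    as a rounding error and ignored (tolerance value is an assumption).
    """
    shortfall = expected_dest(src_amount, min_conversion_rate) - dest_amount
    return shortfall > rounding_tolerance_wei, max(shortfall, 0)


if __name__ == "__main__":
    one_eth = 10**18                 # constructed sample: 1 ETH in wei
    min_rate = 23 * 10**17           # user asked for at least 1:2.3

    # Received 5 wei under the agreed minimum: rounding, not a loss.
    print(user_lost_funds(one_eth, 23 * 10**17 - 5, min_rate))

    # Received at 1:2.2 instead of 1:2.3: a real loss of 10**17 token wei.
    got = 22 * 10**17
    print(effective_rate(one_eth, got), user_lost_funds(one_eth, got, min_rate))
```

The same comparison is what a failing test case for a rate-related report would assert on: feed the trade's source amount, the user's minimal rate and the destination amount actually credited, and check that the shortfall stays within rounding tolerance.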

Severity

User funds

Bugs that can cause a user to lose funds which cannot be recovered by Kyber Network and/or Kyber reserve are of critical severity.

Bugs that cause a user to lose funds under the assumption that the reserve manager could be dishonest and even malicious are of high severity.

Bugs that cause a user to lose funds in an ETH to token (or vice versa) conversion when calling the trade function in KyberNetwork.sol, even under the assumption that the network admin is malicious and without any assumptions about the code outside KyberNetwork.sol, but provided the corresponding ERC20 token code is trusted, are of medium severity.

Bugs that may cause loss of user funds due to any existing reputable (OK rank on etherscan.io) ERC20 token code are of low severity.

Reserve

Bugs that allow stealing an unbounded amount of funds from the reserve within a single transaction are of critical severity.

Bugs that allow stealing funds from the reserve with an unauthorized account are of high severity.

Bugs that allow the network admin to steal reserve funds are currently of low severity.

Examples of bugs that are not yet covered by the program are denial-of-service bugs that prevent Kyber Network or Kyber Reserve from providing an exchange service.

Wallet web application

The scope of the bug bounty covers all the files in the KyberWallet repository in the bug_bounty branch. Currently the program covers bugs that cause users to lose funds or bugs that prevent users from using the exchange service (e.g., a button that does not work upon clicking).

Severity

Bugs that cause a user to send funds to the wrong address are of critical severity.

Bugs that may cause invalid encoding of contract call parameters are of high severity.

Bugs that may yield a wrong setting of the minimal conversion rate are of medium severity.

Bugs that can make the website unresponsive are of medium, low or note severity, depending on whether the user can recover from them.

An example of a bug that is not yet covered by the program is one that causes wrong display of recent transactions in the exchange.

Compensation

The value of rewards will vary depending on severity. The severity of a bug is determined according to the OWASP risk rating model based on impact and likelihood, as employed in the Ethereum bug bounty campaign:

Note: Up to $100 in KNC

Low: Up to $2,000 in KNC

Medium: Up to $5,000 in KNC

High: Up to $10,000 in KNC

Critical: Up to $20,000 in KNC and in very special cases up to $50,000 in KNC.

The quality of submission will also affect the compensation. A high quality submission would consist of:

An explanation of how the bug can be reproduced

A failing test case

A fix that makes the test case pass.

High quality submissions may be awarded amounts higher than the amounts specified above.

We request that you give us a reasonable amount of time to reply to your inquiry, and that you do not exploit any vulnerability you discover.

Contact

We encourage submissions of bug reports as issues in the GitHub repository. You may also direct your submissions to [email protected]. We also welcome anonymous submissions.