We are starting a bug bounty program for Eximchain token smart contracts. Discovery of major bugs will be rewarded up to $10,000 in BTC. Very severe vulnerabilities will be rewarded up to $20,000 in BTC.

Most of the rules found on https://bounty.ethereum.org also apply to the Eximchain bounty program:

First come, first serve Issues that have already been submitted by another user, or are already known to the Eximchain team, are not eligible for bounty rewards Public disclosure of a bug or vulnerability makes it ineligible for a bounty reward Paid auditors of this code are not eligible for bounty rewards Determinations of eligibility, score and all terms related to bounty reward are at the sole and final discretion of the Eximchain team

Scope:

The following files are in the scope of this bounty program:

EximchainToken.sol

EximchainTokenConfig.sol



ERC20Interface.sol

ERC20Token.sol

Finalizable.sol

FinalizableToken.sol

Math.sol

MathTest.sol

OpsManaged.sol

Owned.sol

Functional Specification:

Should deploy a token with the proper configuration

Should allocate tokens per the minting function, and validate balances

Should transfer tokens from

Should not transfer negative token amounts

Should not transfer more tokens than you have

Should not allow address to transfer more tokens than authorized from

Should allow funds transfers back to the owner, before the token is finalized

Should not allow any user <-> user funds transfers before finalization

Should allow the ops address to be set properly by the owner

Should allow tokens to be burned at any time, even before finalization

Should only be able to be finalized once

Should allow tokens to be burned at any time

Should allow the contract to be initialized by a proper token

Should allow the wallet address to be changed by the owner, or the operator

Should allow the owner to configure the contract

Should allow the contracts to be suspended and resumed

Should allow the owner and operators to setup whitelists via updateWhitelist and updateWhitelistBatch

Should not allow purchase until minimum requirements are met, including that the sender and receiver are whitelisted

Should cleanly handle token reclaim

Timeline:

As of this announcement, the Eximchain Bug Bounty Program has already started and valid bug reports will be compensated. After the token launch, the bounty program will only cover the functionality that is relevant to the ERC20 token specification. The bug bounty runs from February 23rd 10am EST until February 28th 10am EST ( 5 days)

Compensation:

The value of bounty rewards will vary depending upon severity. The severity of a bug or vulnerability is determined according to the OWASP risk rating model based on Impact and Likelihood, as employed in the Ethereum bug bounty campaign:

Bounty Reward Structure:

Note: Up to $100 in BTC (Lowest Impact, Lowest Likelihood)

Low: Up to $2,000 in BTC

Medium: Up to $5,000 in BTC

High: Up to $10,000 in BTC

Critical: Up to $20,000 in BTC (Highest Impact, Highest Likelihood)

Example: If you found a way to steal the funds raised from the token, the bug will be considered a critical bug. If you found a way to mint EXC, this will be regarded as bug with high severity.

The quality of a submission will also affect the amount of compensation. A high quality submission would consist of:

An explanation of how the bug can be reproduced A failing test case A fix that makes the test case pass

High quality submissions may be awarded compensation amounts higher than the amounts specified above.

We request that you please give us a reasonable amount of time to reply to your inquiry, and that you do not exploit any vulnerability you discover.

Contact:

We encourage submissions of bug reports as issues in the Github repository. If you are already a member of our Telegram Group https://t.me/eximchain, it is also possible to contact us there.

You may also direct your submissions to juan@eximchain.com. We also welcome anonymous submissions.