CoinFLEX

Founded in 2019, CoinFLEX is the home of crypto yields. The platform offers innovative solutions such as flexUSD — the world’s first interest bearing stablecoin — and AMM+, the most capital–efficient automated market maker for today’s investors.

CoinFLEX is backed by crypto heavyweights including Roger Ver, Mike Komaransky, Polychain Capital, and Digital Currency Group, amongst others. The exchange is dedicated to providing an easily accessible venue for users to earn and trade crypto with minimal friction.

For more information about CoinFLEX please visit https://coinflex.com/.

The bug bounty program covers its smart contracts, website, and apps and is focused on the prevention of the negative impacts stated in the Impacts in Scope section.

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.

Critical smart contract vulnerabilities are capped at 10% of economic damage, primarily taking into account the funds at risk. Other considerations such as PR and branding concerns may also be considered by the team at its discretion.

In order to be considered for a reward, all bug reports must include:

• URLs affected
• Description
• Impact
• Proof of concept (with screenshots or video if applicable)
• Mitigation/recommended fix

Payouts are handled by the CoinFLEX team directly and are denominated in USD. Payouts are done in USDT, FLEX, or BTC, at the discretion of the CoinFLEX team.

Only web/app vulnerabilities that directly affect the web/app assets listed in this table are accepted within the bug bounty program. All others are out-of-scope. No other website page other than those specifically listed are in-scope of the bug bounty program.

For flexUSD, bug reports involving key compromise are out-of-scope of this bug bounty program.

The links to the apps are only provided as a guide to acquire the app. The Google and Apple websites are not in-scope of the bug bounty program.

Impacts in Scope

Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.

Smart Contracts

• Loss of user funds staked (principal) by freezing or theft
• Loss of user funds via incorrect trades, swaps, or other contact operations
• Loss of governance funds
• Theft of unclaimed yield
• Freezing of unclaimed yield
• Temporary freezing of funds for any amount of time
• Unable to call smart contract
• Smart contract gas drainage
• Smart contract fails to deliver promised returns
• Vote manipulation
• Incorrect polling actions
• Exposure of private keys or any other sensitive secrets

Web/App

• Site going down / service unavailability
• Leak of user data
• Deletion or modification of user data
• Triggering incorrect balance updates
• Redirecting funds by address modification
• Accessing sensitive pages without authorization
• Injection of text
• Users spoofing other users
• Shell access on server

API/Websockets

• Unauthorized access
• SQL Injection
• Chaining
• Incorrect methods allowed
• Unexpected behaviour leading to a bug
• Site going down / service unavailability
• Leak of user data
• Deletion or modification of user data
• Triggering incorrect balance updates
• Redirecting funds by address modification
• Accessing sensitive pages without authorization

We are especially interested in receiving and rewarding vulnerabilities of the following types:

Smart Contracts and Blockchain

• Re-entrancy
• Logic errors
  • including user authentication errors
• Solidity/EVM details not considered
  • including integer over-/under-flow
  • including rounding errors
  • including unhandled exceptions
• Trusting trust/dependency vulnerabilities
  • including composability vulnerabilities
• Oracle failure/manipulation
• Novel governance attacks
• Economic/financial attacks
  • including flash loan attacks
• Congestion and scalability
  • including running out of gas
  • including block stuffing
  • including susceptibility to frontrunning
• Consensus failures
• Cryptography problems
  • Signature malleability
  • Susceptibility to replay attacks
  • Weak randomness
  • Weak encryption
• Susceptibility to block timestamp manipulation
• Missing access controls / unprotected internal or debugging interfaces

Websites and Apps

• Cross Site Scripting (XSS)
• Cross-Site Request Forgery (CSRF)
• Brute force
• SQL Injection (SQLi)
• Insecure storage
• Insecure deserialization
• XML external entities (XXE)
• Authentication related issues
• Authorization related issues
• Data Exposure
• Redirection attacks
• Remote Code Execution
• Business Logic
• Particularly clever vulnerabilities or unique issues that do not fall into explicit categories
• Mobile-specific API vulnerabilities

The following vulnerabilities are excluded from the rewards for this bug bounty program:

• Attacks that the reporter has already exploited themselves, leading to damage
• Attacks requiring access to leaked keys/credentials
• Attacks requiring access to privileged addresses (governance, strategist)

Smart Contracts and Blockchain

• Incorrect data supplied by third party oracles
  • Not to exclude oracle manipulation/flash loan attacks
• Basic economic governance attacks (e.g. 51% attack)
• Lack of liquidity
• Best practice critiques
• Sybil attacks

Websites and Apps

• Cookie expiration
• Cookie migration/sharing
• Forgot password
• Autologin token reuse
• Same Site Scripting
• Social Engineering
• Phishing
• Resource Exhaustion attacks
• Denial of service attacks (DDoS)
• Issues related to rate limiting
• Services listening on port 80
• Static content over HTTP
• Internal IP address disclosure
• Issues related to cross-domain policies without evidence of an exploitable vulnerability
• Weak password policies
• Vulnerabilities impacting only old/end-of-life browsers/plugins including:
• Issues that have had a patch available from the vendor for at least 6 months
• Issues on software that is no longer maintained (announced as unsupported/end-of-life or no patches issued in at least 6 months)
• Vulnerabilities related to offline playback
• Vulnerabilities primarily caused by browser/plugin defects and not representative of defects in the security of CoinFLEX systems or software (e.g. UXSS)
• Reports relating to root certificates
• Vulnerability reports related to the reported version numbers of web servers, services, or frameworks
• Vulnerability reports relating to exposure of non critical files. E.G. robots.txt, sitemap.xml, .gitignore
• Vulnerability reports relating to sites or network devices not owned by CoinFLEX
• Vulnerability reports that require a large amount of user cooperation to perform, unlikely or unreasonable actions which would be more symptomatic of a social engineering or phishing attack and not an application vulnerability (e.g. disabling browser security features, sending the attacker critical information to complete the attack, guiding the user through a particular flow and requiring them to enter malicious code themselves, etc.)

All bug bounty hunters are required to adhere to the following rules:

• Do not access customer or employee personal information, pre-release CoinFLEX content, or confidential information. If you accidentally access any of these, please stop testing and submit the vulnerability.

• Stop testing and report the issue immediately if you gain access to any non-public application or non-public credentials.

• Do not degrade the CoinFLEX user experience, disrupt production systems, or destroy data during security testing.

• Perform research only within the scope and, for smart contracts, only on private testnets.

• Submit any necessary screenshots, screen captures, network requests, reproduction steps or similar.

• When investigating a vulnerability, please only target your own account and do not attempt to access data from anyone else’s account.

• Securely delete CoinFLEX information that may have been downloaded, cached, or otherwise stored on the systems used to perform the research.