Cronos zkEVM Smart Contracts: Program Info

All bug reports must come with a Proof-of-Concept (PoC) in order to be considered for a reward. For web/app bug reports, if the Report does not include a valid (PoC), the qualification of rewards will be decided according to reproducibility and severity of the vulnerability, and the rewards amount may be reduced significantly. The specific amount of the bounty will vary according to:

• The potential for abuse of the bug
• The detection complexity of an exploit of the bug
• The impact of the bug.
• Whether or not the person who reports the bug suggests a solution to the bug or helps in its resolution.

Critical smart contract vulnerabilities are capped at 10% of economic damage, primarily focused on the funds at risk, but also taking into account branding and PR considerations, at the discretion of the team.

All vulnerabilities that directly affect the smart contract, and app that directly cause unintentional withdrawals, draining of funds, or loss of user funds, are prioritized. Meaning, the team may choose to apply a temporary fix to the bug (or pause the contract) before resolving the bug report. This to ensure that the affected funds are safe while the team analyse the bug report, and NOT a confirmation of the bug report’s validity.

The only web vulnerabilities in scope are those which will directly lead to loss of user funds, or breach of sensitive data, or deletion of site data. For web vulnerabilities, the Cronos team will use CVSS calculator to figure out the severity and based on that they will determine the reward for the bounty.

Cronos team requires KYC to be done for all bug bounty hunters submitting a report and wanting a reward. Once the report is deemed valid, you will need to fill up the KYC form here. The collection of this information will be done by the Cronos team.

Payouts are handled by Cronos team and are denominated in USD. Payouts are done in USDC and USDT only, with the choice of the ratio at the discretion of the Cronos team.

Guidelines for Critical

For a bug report to be considered for the Critical category under our bug bounty program, a valid Proof of Concept (PoC) will be needed. Please adhere to the following conditions and guidelines:

• Proof of Concept (PoC): Any report considered must include a comprehensive and valid PoC. This should include every step required to perform the attack, including any necessary staging or pre-work.
• Financial Limit: The maximum monetary value, unrelated to flash-loans, involved in the PoC should not exceed $300. This amount is assumed to cover gas expenses and is sufficient for executing the attack.
• Impersonation Restriction: The impersonation of wallets or contracts having considerable funds in the PoC is strictly forbidden.
• Specific Details: To avoid ambiguity, the exact block number utilized in the PoC must be explicitly specified.
• Staging and Transaction: Staging activities, such as creating a smart contract for the attack, is permissible. However, the actual exploit must occur within one transaction. The relevance and necessity of staging as part of the attack will ultimately be determined by the project team.
• Execution Certainty: Hypotheses that can’t be unequivocally executed, like phishing attacks aimed at obtaining private keys, are exempt from consideration.

• Damage Calculation: The potential economic damage caused by the attack in the PoC will be computed as follows:

  • Damage is gauged based on the net positive value post-attack.
  • This value is derived after deducting any initial capital or flash loans.
  • Non directly quantifiable consequences, such as immediate price drops or rewards dilution, will not be considered when calculating the potential damage scope.

There is also a discretionary bonus of up to $50,000. This is reserved for particularly ingenious findings that exemplify exceptional creativity or unveil significant potential impact on the project.

However, it’s crucial to understand that the award of this bonus is purely under the sole discretion of our project team and thus, may not be available for every qualifying submission. The bonus should not be regarded as a guaranteed reward, but rather a special recognition for exceptional findings.

Cronos team reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.