Bringing selective transparency to Ethereum. Using zero-knowledge proofs, DOP allows you to decide what crypto assets and transactions you wish to make public.
In Scope
Target | Type | Severity | Reward |
---|---|---|---|
https://etherscan.io/address/0x97A9a15168C22B3C137E6381037E1499C8ad0978 (Token) | Code | Critical | Bounty |
https://etherscan.io/address/0x9A3152b61420ed4D5e594c0b48bB932eE41B7376 (Protocol) | Code | Critical | Bounty |
https://etherscan.io/address/0x953be9C1ADb9c651bBEC52E614c06EEe7FF9AA27 (Staking V1) | Code | Critical | Bounty |
IN SCOPE
Only the following impacts are accepted within this bug bounty program. All other impacts are not considered in scope, even if they affect something in the assets-in-scope table.
Smart Contract (PoC required for payouts)
Out of Scope & Rules
The following are not within the scope of the Program:
- Bugs in any third-party contract or platform that interacts with Data Ownership Protocol.
- Vulnerabilities already reported and/or discovered in contracts built by third parties on Data Ownership Protocol. We reserve the right to keep private previous bug disclosures.
- Any previously reported bugs.
The following vulnerabilities are excluded from the rewards for this bug bounty program:
- Attacks that the reporter has already exploited themselves, leading to damage.
- Attacks requiring access to leaked keys/credentials.
- Attacks requiring access to privileged addresses (governance, strategist)
- Incorrect data supplied by third-party oracles (Note that oracle manipulation and flash loan attacks are included in the bounty)
- Basic economic governance attacks (e.g. 51% attack)
- Best practice critiques
- Feature requests
- Sybil attacks
- Impacts on test files and configuration files unless stated otherwise in the bug bounty program
- Bugs in any third-party contract or platform that interacts with the Data Ownership Protocol (Note that oracle manipulation and flash loan attacks are included in the bounty)
The following activities are prohibited by the bug bounty program:
- Any testing with mainnet or public testnet contracts; all testing should be done on private testnets or private mainnet forks
- Any testing with pricing oracles or third-party smart contracts
- Attempting phishing or other social engineering attacks against contributors and/or customers
- Any testing with third-party systems and applications (e.g., browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial-of-service attacks
- Automated testing of services that generate significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty
- Avoid using web application scanners for automatic vulnerability searching which generates massive traffic
- Make every effort not to damage or restrict the availability of products, services, or infrastructure
- Avoid compromising any personal data, interruption, or degradation of any service
- Don’t access or modify other user data, localize all tests to your accounts
- Perform testing only within the scope
- Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam
- Don’t spam forms or account creation flows using automated scanners
- If you find chained vulnerabilities, we’ll pay only for the vulnerability with the highest severity.
- Don’t break any law and stay in the defined scope
- Any details of found vulnerabilities must not be communicated to anyone who is not a member of the HackenProof Team or an authorized employee of this Company without appropriate permission
- If your findings are valid, you will be asked to complete KYC verification before payments can proceed
- Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
- No vulnerability disclosure, including partial disclosure, is allowed for the moment.
- Please do NOT publish/discuss bugs
To be eligible for a reward under this Program, you must:
- Discover a previously unreported, non-public vulnerability in the Data Ownership Protocol (but not on any third-party platform interacting with Data Ownership Protocol) that is within the scope of this Program. Vulnerabilities must be distinct from issues covered in any of the official security audits.
- Be the first to disclose the unique vulnerability, in compliance with the disclosure requirements above. If similar vulnerabilities are reported within the same 24-hour period, rewards will be split at the discretion of the Data Ownership Protocol.
- Provide sufficient information to enable contributors to reproduce and fix the vulnerability.
- Not engage in any unlawful conduct when disclosing the bug, including through threats, demands, or any other coercive tactics.
- Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (apart from a reward under this Program).
- Make a good faith effort to avoid privacy violations, destruction of data, interruption, or degradation of the Data Ownership Protocol.
- Submit only one vulnerability per submission, unless you need to chain vulnerabilities to provide impact regarding any of the vulnerabilities.
- Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this program.
- Not be a current or former vendor, contractor or subcontractor to Data Ownership Ltd.
- Not be subject to US or EU sanctions, or reside in OFAC-restricted countries.
- Be at least 18 years of age or, if younger, submit your vulnerability with the consent of your parent or guardian.
Data Ownership Protocol adheres to the Primacy of Impact for the following severity levels:
- Smart Contract - Critical
- Smart Contract - High
- Smart Contract - Medium
- Smart Contract - Low
If a category’s severity level is covered by the Primacy of Impact, then an impacted asset that is owned by the project but not listed in the assets-in-scope table is still considered in scope of the bug bounty program, as long as the report involves an impact at that severity level. When submitting such a report, select the Primacy of Impact asset placeholder.
Rewards are distributed according to the impact of the vulnerability based on HackenProof Vulnerability Severity Classification System: https://docs.hackenproof.com/bug-bounty/vulnerability-classification/smart-contracts
Smart Contract
Impact | Severity |
---|---|
Direct theft of user or protocol funds other than unclaimed yield | Critical |
Protocol insolvency | Critical |
Permanent freezing of funds | Critical |
Theft of unclaimed yield | High |
Permanent freezing of unclaimed yield | High |
Temporary freezing of funds | High |
Smart contract unable to operate due to lack of token funds | Medium |
Block stuffing for profit | Medium |
Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol) | Medium |
Theft of gas | Medium |
Contract fails to deliver promised returns, but doesn't lose value | Low |
Reward Calculation for Critical Level Reports
Critical smart contract vulnerabilities are further capped at 10% of economic damage, which primarily considers the funds at risk. In cases of repeatable attacks, only the first attack is considered unless the smart contract cannot be upgraded or paused.
High smart contract vulnerabilities are further capped at 10% of economic damage, which primarily considers the funds at risk. In cases of repeatable attacks, only the first attack is considered unless the smart contract cannot be upgraded or paused.
Repeatable Attack Limitations
In cases of repeatable attacks for smart contract bugs, only the first attack will be counted, regardless of whether the smart contract is upgradable, pausable, or killable.
Restrictions on Security Researcher Eligibility
Security researchers who fall under any of the following are ineligible for a reward:
- Residents or citizens of OFAC-restricted countries, as well as citizens or residents individually listed on the EU sanctions map
- Members of a household of, relatives of, or next of kin of compensated core team members of Data Ownership Ltd.
By submitting your report, you grant the Data Ownership Ltd any and all rights, including intellectual property rights, needed to validate, mitigate, and disclose the vulnerability. All reward decisions, including eligibility for and amounts of the rewards and the manner in which such rewards will be paid, are made at the sole discretion of the Data Ownership Ltd. The terms and conditions of the Data Ownership Protocol Bug Bounty Program may be altered at any time. The above scope, terms, and rewards of the program are at the sole discretion of the Data Ownership Ltd.