Overview
We are starting a bug bounty program for savedroid token sale smart contracts. This bounty program is not for the savedroid exchange contracts.
Our token sale smart contracts have already been audited by Sebastian Hoffmann (Capgemini). Read his review here.
The contracts are available here.
Major bugs found will be rewarded up to 10,000 € (in SVD). Higher rewards are possible (up to 20,000 € in SVD), in the case of very severe vulnerabilities.
Most of the rules on https://bounty.ethereum.org apply to our bounty program:
- First come, first serve
- Issues that have already been submitted by another user or are already known to the savedroid team are not eligible for bounty rewards
- Public disclosure of a vulnerability makes it ineligible for a bounty
- Paid auditor(s) of this code is(are) not eligible for rewards
- Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of the savedroid team
Scope
The following files are in scope:
SvdToken.sol 0xbdEB4b83251Fb146687fa19D1C660F99411eefe3
Functional specification
- For investments equal to or above a given value, the token sale is only valid for approved whitelist members.
- Investments can only be done between a startTime and endTime.
- The Crowdsale can be paused by savedroid.
- Every investment has a minimum (floor) and maximum amount (cap) for the amount of Ether that can be contributed.
- The token sale is bounded by a hard cap, in the form of maximum amount of tokens to be sold. This hard cap will not be enforced programmatically.
- Tokens are only tradeable and transferable after the sale ends and the token minting and distribution process has finished.
Timeline
As of this post, the bug bounty program has already started and valid bug reports will be compensated. After the token launch, the program will only cover the functionality that is relevant to the ERC20 token specification.
Compensation
The value of rewards will vary depending on Severity. The severity of a bug is determined according to the OWASP risk rating model based on Impact and Likelihood, as employed in the Ethereum bug bounty campaign:
- Note: Up to 100 € in SVD
- Low: Up to 2,000 € in SVD
- Medium: Up to 5,000 € in SVD
- High: Up to 10,000 € in SVD
- Critical: Up to 20,000 € in SVD
Example: If you found a way to steal the funds raised from the token sale, the bug will be considered a critical bug. If you found a way to mint SVD, it is will be regarded as bug with high severity.
The quality of submission will also affect the compensation. A high quality submission would consist of:
- An explanation of how the bug can be reproduced
- A failing test case
- A fix that makes the test case pass.
High quality submissions may be awarded amounts higher than the amounts specified above.
We request that you please give us a reasonable amount of time to reply to your inquiry, and that you do not exploit any vulnerability you discover.
Contact
We encourage submissions of bug reports as issues in the Github repository. If you are already a member of our Telegram group, it is also possible to contact us there.
You may also direct your submissions to [email protected]. We also welcome anonymous submissions.
The savedroid token sale ends on March 9th, 2018. Find out more on our website and sign up for the newsletter, so that you don’t miss any important news — https://ico.savedroid.com
►WHITEPAPER: https://ico.savedroid.com/savedroid-ico-whitepaper.pdf
►EMAIL: [email protected]
►MORE INFORMATION: https://ico.savedroid.com
►BECOME A FACEBOOK FAN: https://www.facebook.com/savedroid/
►TWITTER: https://twitter.com/savedroidAG
►INSTAGRAM: https://www.instagram.com/savedroid/
►TELEGRAM: https://t.me/savedroid
Hi! I am a robot. I just upvoted you! I found similar content that readers might be interested in:
https://medium.com/@ico_8796/savedroid-token-sale-bug-bounty-6750bac362cb
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit