🐛

Add UI and SDK to Immunefi

Status
Blocked non-urgent
Assigned
guyaloceros

Beanstalk

[image: Immunefi program page for Beanstalk, Websites and Applications section]

gm, looking for 👍 on adding the UI and SDK to Immunefi with the following parameters, and/or to start some discussion around doing so:

Rewards by Threat Level

Critical:

  • $5,000 up to $30,000

High:

  • $1,000 up to $5,000

Rewards for Website and Applications vulnerabilities are scaled based on a set of internal criteria established by the BIC. However, there is a minimum reward of USD 1 000 for Website and Applications bug reports. The BIC will primarily take into account:

  • The exploitability of the bug;
  • The impact it causes; and
  • The likelihood of the vulnerability presenting itself.

Impacts in Scope

Critical:

  • Taking down the application/website
  • Direct theft of user funds
  • Ability to execute arbitrary system commands
  • Injecting code that results in malicious interactions with an already-connected wallet such as modifying transaction arguments or parameters, substituting contract addresses, submitting malicious transactions
  • Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as voting in governance.

High:

  • Subdomain takeover
  • Redirecting users to malicious websites

Out of Scope (many of these are out-of-the-box suggestions from Immunefi but I removed ones I felt were irrelevant)

  • Theoretical vulnerabilities without any proof or demonstration
  • Content spoofing / Text injection issues
  • Self-XSS
  • CSRF with no security impact (logout CSRF, change language, etc.)
  • Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”)
  • Server-side information disclosure such as IPs, server names, and most stack traces
  • Vulnerabilities requiring unlikely user actions
  • Lack of SSL/TLS best practices
  • DDoS vulnerabilities
  • Feature requests
  • Best practices issues without concrete impact and PoC
  • Vulnerabilities primarily caused by browser/plugin defects
  • Leakage of non-sensitive API keys such as Etherscan, Infura, Alchemy, etc.
  • Any vulnerability exploit requiring CSP bypass resulting from a browser bug
  • Vulnerabilities that require compromise of the user’s machine / browser
  • Clickjacking vulnerabilities

Critical:

  • Taking down the application/website
  • Direct theft of user funds
  • Ability to execute system commands

Medium:

  • Redirecting users to malicious websites (Open Redirect)

MakerDAO

[image: Immunefi program page for MakerDAO, Websites and Applications impacts; contents transcribed below]

Critical:

  • Taking down the application/website
  • Direct theft of user funds
  • Execute arbitrary system commands
  • Retrieve sensitive data/files from a running server such as /etc/shadow, database passwords, and blockchain keys (this does not include non-sensitive environment variables, open source code, or usernames)
  • Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as changing registration information, commenting, voting, making trades, withdrawals, etc.
  • Subdomain takeover with already-connected wallet interaction
  • Malicious interactions with an already-connected wallet such as modifying transaction arguments or parameters, substituting contract addresses, submitting malicious transactions

High:

  • Injecting/modifying the static content on the target application without Javascript (Persistent) such as HTML injection without Javascript, replacing existing text with arbitrary text, arbitrary file uploads, etc.
  • Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as the email or password of the victim, etc.
  • Improperly disclosing confidential user information such as email address, phone number, physical address, etc.
  • Subdomain takeover without already-connected wallet interaction

Medium:

  • Redirecting users to malicious websites (Open Redirect)
  • Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as changing the first/last name of a user, or enabling/disabling notifications
  • Injecting/modifying the static content on the target application without Javascript (Reflected) such as reflected HTML injection or loading external site data

GMX

[image: Immunefi program page for GMX; screenshot text not recoverable]

Hyperlane

[image: Immunefi program page for Hyperlane; screenshot text not recoverable]
