Bug Bounty
Armor Smart Contract Bug Bounty Program
As a rapidly evolving protocol, our suite of wallet services encompasses numerous applications spanning across the Armor Wallet, Armor Game Connect, Armor AI Agents, Token Contracts, and other on-chain solutions. The security and stability of our entire ecosystem is paramount. That's why we're inviting our community to assist in identifying and rectifying any vulnerabilities across our platform.
For transparency and insights into our previous security evaluations, our audit reports can be accessed below โคต๏ธ
Here are the details of the bug bounty program:
Scope
The bug bounty program encompasses all Armor smart contracts, from our Wallet and Token Contracts, as well as their associated APIs. While the frontend platform is not within the program's purview, it serves as an interface to interact with the products under scrutiny.
Rewards
Rewards will be gauged based on the severity of the bug and the quality of the report. Severity determination will employ the CVSS (Common Vulnerability Scoring System).
Eligibility
The bug bounty program is open to anyone with access to the protocol, contingent on adherence to our terms and conditions.
Submissions
Spot a bug? Please reach out to us at info@armorwallet.ai detailing the issue and the requisite steps to reproduce it.
Responsible Disclosure
Participants are urged to practice responsible disclosure, ensuring we are granted a reasonable window to address the issue before public announcement.
Eligible Bugs
Potential vulnerabilities of interest for this program include, but are not limited to:
Unauthorized Access: Vulnerabilities that allow attackers to gain unauthorized access or control over any component of the system.
Fund Theft: Smart contract vulnerabilities enabling unauthorized withdrawal or redirection of funds.
Token Manipulation: Vulnerabilities allowing unauthorized minting, burning, or altering token balances in token contracts.
Interest Rate Tampering: Vulnerabilities enabling the manipulation of interest rates in lending and borrowing contracts outside of defined parameters.
Oracle Manipulation: Vulnerabilities allowing attackers to feed false data or take control of the oracles used by smart contracts.
Unauthorized Loan Creation: Vulnerabilities enabling the creation of loans with arbitrary amounts, interest rates, or without proper collateral.
Loan Liquidation: Vulnerabilities allowing unauthorized or premature liquidation of loans.
Collateral Issues: Vulnerabilities allowing the alteration of collateral requirements, creating fake collateral, or bypassing collateral checks.
Double-Spend Attack: Vulnerabilities enabling the same assets to be spent more than once.
Reentrancy Attacks: Vulnerabilities where external contract calls can be hijacked to re-enter the calling contract at the same point.
Frozen Funds: Vulnerabilities that allow funds or tokens to be unintentionally locked or frozen within contracts.
Underflow/Overflow Issues: Vulnerabilities where numeric operations in smart contracts result in underflow or overflow, leading to unintended behavior.
Access Control Bypass: Vulnerabilities allowing attackers to circumvent any permissioned operations or restrictions.
Flash Loan Attacks: Vulnerabilities susceptible to uncollateralized loan attacks which can manipulate market prices or other critical parameters.
Delegate Attacks: Vulnerabilities related to wrongly delegated permissions, especially in token contracts and governance modules.
Gas Limit or State Growth Issues: Vulnerabilities leading to operations that consume an inordinate amount of gas or inflate the contract's state excessively.
Economic Attacks: Vulnerabilities where an attacker can drain funds or resources through economic manipulations or game theoretical weaknesses.
Improper Balance Checks: Vulnerabilities where smart contracts do not properly check or update balance states after operations.
Excluded Bugs
The bug bounty program expressly excludes:
Previously reported issues.
Publicly disclosed issues.
Issues stemming from the blockchain network or any third-party systems.
Social engineering tactics.
Physical infractions.
Denial of Service (DoS) onslaughts.
Rewards
The value we place on feedback is immense. However, rewards are reserved for bugs of the following criticality:
Medium
Issues with limited security impact, potentially affecting information dissemination or minimal funds. 10,000 $ARMR tokens
High
Issues threatening severe security compromises, such as fund losses in a singular pool or overall protocol liquidity blockage. 150,000 $ARMR tokens plus select Armor merchandise
Critical
Issues potentially culminating in an overarching system breach, risking a majority (>90%) of funds across one or more pools. 500,000 $ARMR tokens along with Armor merchandise of your choice
Prohibited behaviour:
Misrepresenting assets in scope: claiming that a bug report impacts/targets an asset in scope when it does not
Misrepresenting severity: claiming that a bug report is critical when it clearly is not
Automated testing of services that generate significant amounts of traffic
Advertising or promotion of services
Attacks based on personal characteristics
Extortion/blackmail or threats of extortion/blackmail
Underreporting vulnerabilities
Misrepresenting vulnerabilities
Publicly disclosing a bug report--or even the existence of a bug report for a specific project--before it has been fixed and paid
Publicly disclosing a bug report before 30 days have elapsed since the project closed the report as being out of scope or not requiring a fix
Publicly disclosing a bug report deemed to be a duplicate or well-known to the project
Placeholder bug submissions, i.e., bugs that have a vague title, very few details, and no reproducible steps
Submitting AI-generated/automated scanner bug reports
Our commitment to user safety and platform integrity remains unwavering.
Thank you for helping us make Armor Wallet a stronger and safer ecosystem.
Last updated