TONBanking SC Bounty Program 💎🧠

Introducing the Smart Contracts (SC) Bounty Program

TONBanking Smart Contracts (SC) Bounty Program is a way for us to recognize and reward the valuable insights of security researchers who contribute to keeping our technology and company secure. We invite you to report vulnerabilities, bugs, or security flaws you discover in our systems. By sharing your findings, you will play a crucial role in making our technology safer for everyone.

Step-by-step mechanics for SC bounty participants:

  1. Research the scope of the SC bounty program. Before you start reading the smart contracts, carefully read the scope of the SC bounty program to understand which areas are in scope and which vulnerabilities are eligible for rewards.
  2. Find a vulnerability. Please use ethical hacking techniques to find a vulnerability within the scope of the SC bounty program.
  3. Document the vulnerability. Once a vulnerability is found, document the details of the vulnerability, including steps to reproduce it, the impact of the vulnerability, and any other relevant information.
  4. Submit the vulnerability report through the Bot bug form. Include the documented details of the vulnerability, your contact information, and any additional information that may be helpful. Visual evidence (screenshots or video) is required.
  5. Wait for a response. After submitting the vulnerability report, wait for a response from the TONBanking tech team. The response may include additional questions or requests for more information.
  6. Provide any additional information or assistance needed to validate the vulnerability.
  7. Receive the reward. If the vulnerability is validated and accepted, TONBanking will provide a reward after the launch of the project, based on the severity of the vulnerability. The reward goes to the first person to report a given bug.
  8. Keep the vulnerability confidential until TONBanking confirms it and releases a patch. Public disclosure of vulnerabilities before confirmation and patch release may disqualify participants from the SC bounty program and may have legal implications.

Rules of Engagement

To help us distinguish between good-faith hacking and malicious attacks, you must follow these rules:

  • You are authorized to perform testing in compliance with this policy.
  • Follow this policy and any other relevant agreements. In case of inconsistency, this policy takes precedence.
  • Promptly report discovered vulnerabilities.
  • Refrain from violating privacy, disrupting systems, destroying data, or harming user experience.
  • Use TONBanking Private chat for vulnerability-related communication.
  • Keep vulnerability details confidential until authorized for release by the TONBanking tech team, which aims to provide authorization within 60 days of report receipt.
  • Test only in-scope systems and respect out-of-scope systems.
  • Do not access, modify, or use data belonging to others, including confidential TONBanking data. If a vulnerability exposes such data, stop testing, submit a report immediately, and delete all copies of the information.
  • Interact only with your own accounts, unless authorized by TONBanking.

The testing procedure

The testing procedure for the TONBanking Smart Contracts Bounty Program involves a comprehensive review of smart contracts hosted on GitHub in the mainnet.

Testers are expected to thoroughly examine the codebase to identify potential vulnerabilities and security flaws.

  1. Registration. Participants interested in joining the bounty program must register through a TONBanking Core chat in Telegram.
  2. Access to Smart Contracts in Gitlab. Participants gain access to the list of smart contracts available for testing.
  3. Contract Selection. Participants select the smart contract(s) they wish to test from the available list. They can choose based on personal interest, expertise, or other preferences.
  4. Code Review. Participants perform a thorough review of the selected smart contract's codebase. They analyze the code line by line to identify potential vulnerabilities, security flaws, or other issues. The review process includes examining the contract's logic, dependencies, external calls, input validation, and any other relevant aspects.
  5. Vulnerability Identification. During the code review, participants document any vulnerabilities or weaknesses they discover. They should provide detailed explanations of each issue, including steps to reproduce, potential impact, and suggested mitigation strategies. Clear and concise reporting is crucial for effective communication with the program organizers.
  6. Reporting and Submission. Participants submit their findings and reports through the Bot bug form via TONBanking bot. They may be required to use a specific format or template for consistency. The submission should include all relevant information about the vulnerabilities found and any supporting documentation.
  7. Evaluation and Validation. The program organizers review the submissions and evaluate the reported vulnerabilities. They validate the findings by reproducing the reported issues and assessing their severity and impact. This step ensures the accuracy and legitimacy of the identified vulnerabilities.
  8. Rewards and Recognition. Once the evaluations are complete, rewards are determined based on the severity, impact, and novelty of the reported vulnerabilities. Participants whose findings are confirmed as valid and significant receive rewards as per the predetermined reward structure communicated by the program organizers. Exceptional contributions may also receive special recognition or additional rewards.
  9. Remediation and Communication. The program organizers promptly notify the responsible parties, such as smart contract developers or project owners, about the identified vulnerabilities. Effective communication channels are established to facilitate the remediation process, ensuring that the issues are addressed and resolved promptly.
  10. Program Feedback and Iteration. Participants may have the opportunity to provide feedback on their experience with the bounty program. This feedback helps organizers refine the program mechanics, address any concerns or areas of improvement, and plan for future iterations of the program.

By following this testing procedure, testers can identify any issues or areas of improvement in the TONBanking platform before it is launched to the public. This process helps ensure a positive user experience and a reliable platform for both users and merchants.

Duration

2 weeks

Scope and rewards

Total prize pool: $10,000

Levels of severity

There are several levels of bug severity:

  • Low Severity: Bugs that do not pose a significant security risk.
    Bounty range: $50 (TONB equivalent)
  • Medium Severity: Bugs that have a moderate impact on security.
    Bounty range: $50-$500 (TONB equivalent)
  • High Severity: Bugs that have a critical impact on security.
    Bounty range: $500-$2000 (TONB equivalent)

Bug categories

The following sample bug categories are in scope (with criticality on a 10-point scale):

  • Inefficient code segments and poor practices in writing smart contracts.
  • Incorrect display of information in the user interface.
  • Significant delays in transaction processing for users, excluding delays caused by the distributed blockchain architecture and other factors that an attacker cannot influence.
  • Possible vulnerabilities in the contract that may arise in the future after TON blockchain updates, including workchains, sharding, and changes in fee sizes.
  • Depletion of the contract balance through multiple transaction submissions.
  • Temporary unavailability of funds in the contract, leading to system operation issues.
  • Temporarily inaccessible staking rewards for the contract, causing system operation problems.
  • Permanent unavailability of funds in the contract, resulting in losses and necessitating a system restart.
  • Permanent unavailability of staking rewards for the contract, leading to losses and requiring a system restart.
  • Theft of staking rewards resulting in losses and, in some cases, requiring a system restart.
  • Theft of funds from the contract resulting in losses and, in some cases, requiring a system restart.
  • Malicious actor disrupting voting mechanisms or gaining the ability to execute requests without majority consent.
  • Malicious actor gaining the ability to steal user funds, resulting in significant losses.
  • Malicious actor compromising emergency system recovery mechanisms, making it difficult to quickly prevent massive losses.

Incentives and rewards

To incentivize testing and as a token of our appreciation, we will be offering cash rewards based on the severity and impact of the reported issues. Our rewards range from $50 (TONB) for low-severity findings up to $10,000 (TONB) for exceptional discoveries. We recognize the importance of your contributions and are committed to acknowledging your efforts.

Validation

TONBanking will validate the vulnerability report and assign a severity level to the vulnerability. The reward amount will be determined based on the severity of the vulnerability.

Public disclosure

Researchers are not allowed to publicly disclose vulnerabilities until TONBanking has confirmed the vulnerability and has released a patch.

Accidental Disclosure: Insecure POC video sharing

It is recommended to include a video or screenshot as Proof-of-Concept in your submissions. These files must not be shared publicly, which includes uploading them to any publicly accessible website (e.g. YouTube, Imgur). If the file exceeds 100MB, upload it to a secure online service such as Vimeo, protected with a password.

Confidentiality Obligations

“Confidential Information” means any information that is marked or otherwise designated as confidential at the time of disclosure or that a reasonable person would consider confidential based on the circumstances and content of the disclosure, and includes, without limitation: customer information, personally identifiable information, financial information, information regarding Target Systems, information regarding the target of a crowdsourced security program (including, as may be applicable, any merger, acquisition or sale discussions or transactions), pricing information, business information, fees and amounts paid to Researchers and existence of and terms of private crowdsourced security programs. Confidential Information does not include information that: (i) is or becomes known to the receiving party from a source other than one having an obligation of confidentiality to the disclosing party; (ii) is or becomes publicly known or otherwise ceases to be confidential, except through a breach of this Agreement; or (iii) is independently developed by the receiving party.

You agree that you will (i) hold in confidence and not disclose to any third party any Confidential Information, except as approved in writing by the disclosing party; (ii) protect such Confidential Information with at least the same degree of care that the Researcher uses to protect its own Confidential Information, but in no case less than reasonable care; (iii) use the disclosing party’s Confidential Information for no purpose other than the use permitted by the disclosing party; and (iv) immediately notify the disclosing party upon discovery of any loss or unauthorized disclosure of the disclosing party’s Confidential Information.

ALL SUBMISSIONS ARE CONFIDENTIAL INFORMATION OF THE PROGRAM OWNER UNLESS OTHERWISE STATED IN THE BOUNTY BRIEF. This means no submissions may be publicly disclosed at any time unless the Program Owner has otherwise consented to disclosure.
As part of this policy, we commit to:

  • Provide protection, as outlined below, for vulnerability research conducted according to these guidelines.
  • Cooperate with you in understanding and validating your report, ensuring a prompt initial response to your submission.
  • Remediate validated vulnerabilities in a timely manner.
  • Acknowledge and credit your contribution to improving our security, if you are the first to report a unique vulnerability that leads to a code or configuration change.
Join Testnet: @tonbanking_bot

English Channel: @tonbanking

Russian Chat: @tonbanking_ru

Website: tonb.io