
Electroneum Legacy Blockchain: EOL
Bounty Range
$200 - $12,000
external program


Electroneum has officially migrated to a new blockchain architecture, the Electroneum Smart Chain (ETN-SC), which has its own bug bounty program. Our legacy blockchain remains active to support users who have not yet transitioned. This legacy infrastructure continues to secure real value and facilitate transactions, so its security is critical to both our users and our business.
We're inviting security researchers to help us identify vulnerabilities in the legacy Electroneum blockchain codebase. This is your chance to explore a mature, mobile-first cryptocurrency stack, uncover hidden flaws, and contribute to the safety of a live but end-of-life (EOL) system.
Thank you for helping us keep the legacy blockchain and our users safe!
For the initial prioritization/rating of findings, this engagement will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.
| Priority | Reward |
|---|---|
| P1 | $5,000 – $12,000 |
| P2 | $4,000 – $6,000 |
| P3 | $600 – $850 |
| P4 | $200 – $250 |
Legacy Blockchain Codebase
Legacy Block Explorer
When conducting blockchain research, please do not execute any discovered exploit in order to create a POC: for example, minting new tokens, moving users' balances around, or otherwise affecting our users' ability to conduct their usual operations on the blockchain and maintain their wallet balances.
Please read the code relevant to your submission thoroughly before submitting, ensuring that the vulnerability is realistic and relates to production code or scenarios. Also, please do not relay proofs of concept produced by AI tools without reviewing them yourself first.
Testing is only authorized on the targets listed as in scope. Any domain/property of Electroneum not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you happen to identify a security vulnerability on a target that is not in scope but demonstrably belongs to Electroneum, you can report it to this engagement, and doing so is appreciated. However, be aware that it is ineligible for rewards or points-based compensation.
PLEASE NOTE THAT THE LEGACY BLOCKCHAIN IS ONLY USED TO MIGRATE USERS OVER TO THE NEW SMART CHAIN AND NO PUBLIC RPCs, EXCHANGES OR OTHER COMMERCIAL ENTITIES OPERATE ON THIS CHAIN. Therefore, submissions based on DoS via RPC attack vectors will be rejected automatically. Submissions should focus on exploits of the bridge over to the Smart Chain, unauthorized minting of new ETN, and similar critical issues that affect the integrity of the chain itself.
Our 'Legacy' Blockchain codebase can be found here https://github.com/electroneum/electroneum/. Please understand that the new Electroneum Smartchain (https://github.com/electroneum/electroneum-sc/) and associated repositories are NOT covered under this Bugcrowd program as we have a separate program for this part of the project (https://bugcrowd.com/engagements/smartchain-mbb-og/).
The only vulnerability or bug submissions that will be unequivocally triaged according to the Bugcrowd taxonomy and paid out will be ones that are able to provably produce one of the following outcomes:
A) Minting of new tokens or burning of tokens through a currently unknown mechanism.
B) Gaming the consensus algorithm in order to gain monetary advantage or completely shut down the network or significantly affect the regularity of blocks being published to the main chain.
C) Stealing others' tokens or revealing their wallet private keys.
D) Changing the blockchain data of the past and having the network accept these changes.
Researchers need to explain the impact of their finding in terms of the list above.
If you have found what you believe to be a highly serious exploit that is not covered by one of these categories of outcome, please still reach out to us. We may nonetheless award you a payout at our discretion if we believe the vulnerability is significant enough, in that it poses a threat of a magnitude comparable to those outlined in the above categories.
Build and run documentation: https://github.com/electroneum/electroneum/blob/master/docs/build-and-run.md
Daemon RPC documentation: https://github.com/electroneum/electroneum/blob/master/docs/daemon-rpc-documentation.md
Wallet RPC documentation: https://github.com/electroneum/electroneum/blob/master/docs/wallet-rpc-documentation.md
Any program in the suite, when run from the command line with the `--help` flag, will display all of the available options for running that program. These include the `--testnet` flag, which runs the program in test net mode.
If you would like some test net funds to use in your research, please contact us by email at [email protected] and specify your Bugcrowd credentials, your wallet address and any other information you feel we should know, and we will send some to you.
When reporting vulnerabilities, please consider (1) the attack scenario / exploitability, and (2) the security impact of the bug. The following issues are excluded from this engagement:
- P5 vulnerabilities.
- Non-security-impacting UX issues.
- Deprecated third-party open-source libraries are not in scope. For our own supported and actively maintained open-source libraries, we accept vulnerability reports through Bugcrowd.
- Vulnerabilities or weaknesses in third-party applications that integrate with Electroneum.
- Vulnerabilities associated with creating an emulator for the mining environment that do not demonstrate the ability to dramatically increase mining function or show other security impact.
- Clickjacking on pages with no sensitive actions.
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working proof of concept.
- Any type of injection without demonstrating a vulnerability.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector / without being able to modify HTML/CSS.
- Password complexity-related issues.
- Rate-limiting-related issues.
- When N-day bugs are released to the public, we will consider them in scope after 14 days have gone by. Example: an N-day released on 01/01/2025 would be considered in scope on 01/15/2025.
- Any issues found on our legacy blockchain that relate to known Monero blockchain issues may not be accepted.
- Any subdomains on the electroneum.com and thesecurityteam.rocks domains that are not included on the in-scope target list are considered out of scope.
- We will not accept reports based on bugfixes that have already been publicly committed to Ethereum.
- Interacting with or manipulating other stakeholders and their associated accounts, including:
When conducting vulnerability research according to this policy, we consider this research to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;
- Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
- Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire through the Bugcrowd Support Portal before going any further.
This engagement follows Bugcrowd's standard disclosure terms.
Public disclosure of vulnerabilities found in this engagement requires explicit permission, requested by selecting the disclosure request option on your submission. For more information, please review the Public Disclosure Policy.