
Electroneum Wallet: Gateway to the ETN Cryptocurrency
Bounty Range
$200 - $12,000
external program
You can access your ETN Wallet through the ETN App (available on iOS and Android) or the ETN-CWP (Classic Web Portal) at my.electroneum.com. This is the official place to manage your ETN wallet.
Each user is assigned a single ETN wallet upon registration. While users can send and receive ETN, view transaction history, and manage their account across devices, they do not hold the private keys to their wallet. Custodial access is managed by the ETN-Network.
To comply with global financial standards and ensure platform integrity, Know Your Customer (KYC) verification is required for account access and usage. This adds an additional layer of identity assurance and regulatory compliance.
The ETN-Network has developed a mobile-first digital payment ecosystem powered by Electroneum (ETN), a cryptocurrency designed for fast, low-cost transactions. Through the ETN App and my.electroneum.com, users can send ETN globally.
ETN can be used to purchase essential services such as electricity, water, mobile top-ups, and vouchers from major global brands. The platform's design eliminates the need to convert ETN to fiat, offering users a seamless and accessible way to spend digital currency.
In addition, users can earn ETN through AnyTask.com, a freelance marketplace that enables financial inclusion by allowing sellers to receive payments in ETN without needing a bank account. This empowers freelancers worldwide to work flexibly and get paid securely.
The ETN-Network's mission is to make digital payments and earning opportunities available to everyone, especially those in underserved regions. This makes the security of the ETN Wallet Manager and its mobile apps a top priority.
The ETN-Network believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you think you have found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
Thank you for helping us keep the ETN-Network and its users safe!
For the initial prioritization/rating of findings, this engagement will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.
| Priority | Reward |
|---|---|
| P1 | $5,000 – $12,000 |
| P2 | $4,000 – $6,000 |
| P3 | $600 – $850 |
| P4 | $200 – $250 |
The Staging ETN-Network platform is a staging environment for the wallet app to manage the cryptocurrency Electroneum (ETN). Testing and experimentation should be carried out at: https://my.thesecurityteam.rocks/
The Production ETN-Network is a wallet app to manage the cryptocurrency Electroneum (ETN), accessible at https://my.electroneum.com/ or via the mobile apps.
| Target | Location | Technologies |
|---|---|---|
| Staging Web Platform | https://my.thesecurityteam.rocks | Bootstrap, nginx, jQuery |
| Staging API | https://api.thesecurityteam.rocks | API Testing, MySQL, PHP |
| Production Web Platform | https://my.electroneum.com/ | Bootstrap, nginx, jQuery |
| Website | https://electroneum.com/ | Wordpress, Amazon S3, Amazon CloudFront |
| Production API | https://api.electroneum.com/ | API Testing, MySQL, PHP |
| Android App | https://play.google.com/store/apps/details?id=com.electroneum.mobile&hl=en_US | Java, Mobile Application Testing, Kotlin |
| iOS App | https://apps.apple.com/us/app/electroneum/id1270774992 | Objective-C, SwiftUI, Swift |
When conducting blockchain research, please do not act on any discovered exploit in order to create a PoC, for example by minting new tokens, moving users' balances around, or otherwise affecting our users' ability to conduct their usual operations on the blockchain and maintain their wallet balances.
This program relates to the Electroneum Online Wallet and mobile App production environments. Behaviour that compromises the stability and integrity of the site is out of scope. For example, do not target other users' data (use one of your other sets of credentials), delete/remove/edit parts of the site, engage in any sort of DoS attack, and/or compromise any target's ability to function for other users. If you believe that you have found a vulnerability of this nature, please stop further testing and report it.
If you feel you have found an exploit that will target all users, please use our staging system to verify it: https://my.thesecurityteam.rocks.
Testing is only authorized on the targets listed as in scope. Any domain/property of Electroneum not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you happen to identify a security vulnerability on a target that is not in scope, but it demonstrably belongs to Electroneum, you can report it to this engagement, and doing so is appreciated. However, be aware that it is ineligible for rewards or points-based compensation.
Real personal data must not be used in staging environments.
To gain access to the application, please sign up for an account using your @bugcrowdninja.com email address.
Pre-provisioned accounts with access to the application have been provided. The credentials are available for retrieval at the bottom of the brief.
If you wish to retrieve device authorization generated emails from https://my.thesecurityteam.rocks/, you can do so by visiting: http://stagemail.thesecurityteam.rocks/stagemail.php.
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are excluded from this engagement:
When conducting vulnerability research according to this policy, we consider this research to be:
You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire before going any further.
This engagement follows Bugcrowd's standard disclosure terms. Vulnerabilities found in this engagement require explicit permission by selecting the disclosure request option on your submission.