The OMG Network allows developers to build scalable, decentralized payments apps on a high-throughput value transfer layer. As a financial network, security is a core tenet of all our engineering efforts. However, we realize no technology is perfect!
That’s why we’ve launched a bug bounty program allowing participants to identify and submit vulnerabilities that could negatively impact OMG Network users. Successful submissions have a chance of being eligible for bounty rewards of up to $25,000.
What’s In Scope?
We have set up a dedicated environment for the bug bounty program that should give participants access to all services without the need to spend any time on installation, setup and configuration. There is also no need to worry about accidentally breaking something as this environment is completely isolated from our production services. The bug bounty environment also has a shorter finalization time than the production environment to help participants better test the exit flows.
With the launch of the bug bounty program we put the following components in scope:
- Root chain contracts
- Child Chain
- Block Explorer (Source code will be available soon)
- Web wallet
Stay tuned for updates on the scope as we are planning to include other components soon.
Issues We’re Interested In
We appreciate hackers and security researchers taking time to identify vulnerabilities in our systems. We’re determined to review and fairly reward submissions based on the risk that the vulnerability poses to the OMG Network.
Here are some ideas for issues that we regard as high-value submissions:
- Compromise funds from users who have deposited or received funds on the OMG network
- Prevent users from depositing, withdrawing or transacting funds on the OMG network
- Double spend a UTXO on the Plasma network and exit it to the root chain (Ethereum) without raising a byzantine event
- Include invalid transactions in a block without the watcher raising byzantine events
- Brick the exit priority queue of a token so that no funds can be exited anymore. The token must be ERC20-conformant.
- Gain access to a system and run OS commands (i.e., obtain a shell)
The list is not meant to limit or discourage other types of submissions but should give you clarity on the problems we deem important.
Rewards are based on the severity of the issue and are determined in USD. Participants may choose to receive their bounty reward in the equivalent amount of ETH or OMG tokens. We generally use the CVSSv3 scoring system to understand the risk of an issue. A CVSS score does not always translate directly into a bounty reward, however, especially for the smart contracts.
The following table gives an overview of the reward structure:
* The plasma-contracts, the child chain and the watcher
** Any other components in scope that are not primary components
OMG Network Bug Bounty Program