🐞 Bug Bounty

If you have found a vulnerability in our smart contracts or systems, please send an email to hi@rango.exchange.

Out of Scope & Rules

The following vulnerabilities are excluded from the rewards and/or prohibited:

  • Attacks that the reporter has already exploited themselves, leading to damage

  • Attacks requiring access to leaked keys/credentials

  • Attacks requiring access to privileged addresses (governance, multisigs, admins)

Websites and Apps

  • Theoretical vulnerabilities without any proof or demonstration

  • Attacks requiring physical access to the victim device

  • Attacks requiring access to the local network of the victim

  • Reflected plain text injection (e.g. URL parameters, path, etc.)

    • This does not exclude reflected HTML injection with or without JavaScript

    • This does not exclude persistent plain text injection

  • Self-XSS

  • Captcha bypass using OCR without impact demonstration

  • CSRF with no state modifying security impact (ex: logout CSRF)

  • Missing HTTP security headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact

  • Server-side non-confidential information disclosure such as IPs, server names, and most stack traces

  • Vulnerabilities used only to enumerate or confirm the existence of users or tenants

  • Vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows

  • Lack of SSL/TLS best practices

  • DDoS vulnerabilities

  • Feature requests

  • Issues related to the frontend without concrete impact and PoC

  • Best practices issues without concrete impact and PoC

  • Vulnerabilities primarily caused by browser/plugin defects

  • Leakage of non-sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)

  • Any exploit requiring browser bugs for exploitation (e.g. CSP bypass)

  • Best practice concerns

  • Recently (less than 30 days) disclosed vulnerabilities in the supply chain

  • Vulnerabilities affecting users of outdated browsers and/or platforms

  • Social engineering or phishing attempts

  • Vulnerabilities that require specific third-party software on the user’s machine that is not part of the general use case (i.e. browser + wallet add-on)

  • Clickjacking/Tapjacking unless performed on a subdomain of rango.exchange

  • Tabjacking unless performed on a subdomain of rango.exchange

  • The blog hosted at blog.rango.exchange

The following activities are prohibited by this bug bounty program:

  • Any testing with mainnet or public testnet contracts; all testing should be done on private testnets

  • Any testing with pricing oracles or third party smart contracts

  • Attempting phishing or other social engineering attacks against our employees and/or customers

  • Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)

  • Any denial of service attacks

  • Automated testing of services that generates significant amounts of traffic

  • Public disclosure of an unpatched vulnerability in an embargoed bounty

Smart Contracts and Blockchain

  • Incorrect data supplied by third-party oracles (this does not exclude oracle manipulation/flash loan attacks)

  • Basic economic governance attacks (e.g. 51% attack)

  • Lack of liquidity

  • Best practice critiques

  • Sybil attacks

  • Centralization risks
