Nodle
@nodle
Introduction
The Nodle Network is a decentralized wireless network composed of Nodle Edge Nodes, powered by the Nodle Chain and the NODL token. Nodle connects the physical world to Web3 by using smartphones as edge nodes. The edge nodes read devices and sensors in the physical world using Bluetooth Low Energy (BLE) and connect that information to the blockchain, creating a geolocation-based layer one that can be used by many unique applications built for the hyper-connected, mobile-oriented world we live in. Nodle creates an economic model that is secure, private, and scalable.
Nodle also develops the Click Camera, a unique solution to authenticate pictures using C2PA, a standard from Adobe, and NFTs.
For more information about Nodle, please visit https://www.nodle.com/. For more information about Click, please visit https://clickapp.com/.
Scope
In-Scope Targets:
Target | Type |
---|---|
https://github.com/nodlecode/chain | Blockchain/DLT - Nodle Chain Node |
https://github.com/NodleCode/rollup | Smart Contracts |
https://client.nodle.com | Web/App |
https://zkclient.nodle.com | Web/App |
Nodle App iOS | Web/App |
Nodle App Android | Web/App |
Click Camera iOS | Web/App |
Click Camera Android | Web/App |
Impacts only apply to assets in active use by the project, such as contracts on mainnet or web/app assets used in production. Any impact that applies to assets not in active use, such as test or mock files, is out of scope of the bounty program unless explicitly mentioned as in scope.
Out-of-Scope Targets:
- Previous audits and known issues are out of scope and can be found at:
Description of Known Issue | Related Impact-in-Scope |
---|---|
Upstream reports to Parity Technologies, for Polkadot or related projects. | Blockchain/DLT/Web/API |
Upstream reports made to OnFinality, concerning improper operation of the Nodle hosted Mainnet RPC endpoint. | Blockchain/DLT/Web/API |
Upstream reports made to Matter Labs or related entities, for ZKsync or zkEVM issues. | Blockchain/DLT |
Substrate Pallet Audit, Halborn, Feb. 2022 | Blockchain/DLT |
Secfault Security, Substrate Chain Audit, July 2020 | Blockchain/DLT |
Quantstamp Security Assessment Certificate, Sept. 2020 | Blockchain/DLT |
Resonance Security, Aug. 2024 | Blockchain/DLT |
Nethermind Bridge Audit, Sept. 2024 | Blockchain/DLT |
Matter Labs Solidity Audit, Sept. 2024 | Blockchain/DLT |
Prohibited Actions
- No Unauthorized Testing on Production Environments: Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups.
- No Public Disclosure Without Consent: Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose.
- No Exploitation or Data Exfiltration: Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.
- No Conflict of Interest: Individuals currently or formerly employed by Nodle Network, or those who contributed to the development of the affected code, are ineligible to participate.
Disclosure Requirements
Reports must include:
- A clear description of the vulnerability and its impact.
- Steps to reproduce the issue, ideally with a proof of concept.
- Details on the conditions under which the issue occurs.
- Potential implications if the vulnerability were exploited.
Reports should be made as soon as possible—ideally within 24 hours of discovery.
Eligibility
To be eligible for a reward, you must:
- Be the first to report a previously unknown, non-public vulnerability within scope.
- Provide sufficient information to reproduce and fix the issue.
- Not have exploited the vulnerability in a malicious manner.
- Not have disclosed the vulnerability to third parties prior to receiving permission.
- Comply with all Program rules and applicable laws.
You must also be of legal age in your jurisdiction and not reside in a country under sanctions or restrictions, as required by applicable laws.
Severity and Rewards
Vulnerabilities are classified using two factors: Impact and Likelihood. The combination of these factors determines the severity and guides the reward amount.
Risk Classification Matrix
Severity Level | Impact: Critical | Impact: High | Impact: Medium | Impact: Low |
---|---|---|---|---|
Likelihood: High | Critical | High | Medium | Low |
Likelihood: Medium | High | High | Medium | Low |
Likelihood: Low | Medium | Medium | Low | Informational |
Impact Definitions:
- Critical: Vulnerabilities that can lead to severe loss of user funds, permanent system disruption, or widespread compromise.
- High: Vulnerabilities that cause notable financial loss or significantly harm user trust, but on a lesser scale than Critical.
- Medium: Vulnerabilities that lead to limited financial damage or moderate system impact.
- Low/Informational: Findings that pose minimal direct risk but reflect areas for improvement or best practices.
Likelihood Definitions:
- High: Very easy to exploit or highly incentivized.
- Medium: Exploitation is possible under certain conditions.
- Low: Difficult to exploit or requires highly specific conditions.
Payout Guidelines
- Blockchain
Risk Score | Payout Range |
---|---|
Critical | $10,000 - $20,000 USD, $NODL |
High | $2,000 - $10,000 USD, $NODL |
Rewards for critical Blockchain vulnerabilities are further capped at 10% of the funds at risk. In cases of repeatable attacks, only the first attack is considered unless the smart contract cannot be upgraded or paused. However, there is a minimum reward of $10,000 for Critical Blockchain/DLT bug reports.
Rewards for high Blockchain vulnerabilities are further capped at 100% of the funds at risk. In cases of repeatable attacks, only the first attack is considered unless the smart contract cannot be upgraded or paused. However, there is a minimum reward of $2,000 for High Blockchain/DLT bug reports.
- Web Interface / Frontend
Risk Score | Payout Range |
---|---|
Critical | $4,000 - $10,000 USD, $NODL |
High | $1,000 - $4,000 USD, $NODL |
Rewards for critical web/app vulnerabilities will be further capped at 10% of direct funds at risk if the bug discovered is exploited. However, there is a minimum reward of $4,000.
High web/app vulnerabilities will be further capped at up to 100% of the funds affected. However, there is a minimum reward of $1,000.
Note: Actual reward amounts are determined at Nodle Network’s sole discretion. Factors influencing payout include quality of report, completeness, and the severity and exploitability of the vulnerability.
Out of Scope
Category | Specific Vulnerabilities and/or Attacks to be Excluded |
---|---|
Website & Application | Attacks with the potential to disrupt other customers of a shared web hosting environment, such as but not limited to Vercel. |
Website & Application | Attacks that purposefully access account-related data that belongs to another user, and was not created for explicit purposes of security investigation. |
Website & Application | Attacks relying on the user installing other applications on their smartphone. |
Website & Application | Attacks requiring rooted or jailbroken phone systems. |
Blockchain/DLT | Attacks with the potential to disrupt other customers of a shared hosting environment such as OnFinality, SubQuery, or Alchemy. |
Blockchain/DLT | Attacks that purposefully access account-related data that belongs to another user, and was not created for explicit purposes of security investigation. |
Blockchain/DLT | Vulnerabilities affecting third-party services used by Nodle such as OnFinality. |
Other Terms
By submitting a report, you grant Nodle Network the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of Nodle Network. The terms, conditions, and scope of this Program may be revised at any time. All participants are responsible for reviewing the latest version before submitting a report.
Total reward
$20,000
Findings submitted
4
Start date
Feb 6, 2025