royco
@Royco
LiveRoyco Protocol allows anyone to create a market to incentivize any onchain transaction or series of transactions. Using Royco:
- Incentive Providers may create offers to incentivize users to perform the transaction(s).
- Action Providers may create offers to complete the transaction(s) and/or negotiate for more incentives.
When these two satisfy each other, the onchain transaction(s) execute atomically alongside the distribution of incentives. Royco Protocol is entirely non-custodial, trustless, and permissionless. It is also capital-efficient, allowing Action Providers to create many offers with the same assets.
For more information about Royco, please visit https://www.royco.org/
Royco provides rewards in USDC on Ethereum, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below.
Scope
In-Scope Targets:
- Smart Contracts:
Royco’s codebase can be found at https://github.com/roycoprotocol.
Documentation and further resources can be found on https://docs.royco.org/.
- Web Interface / Application:
Royco’s front-end codebase can be found at royco-frontend-template. Documentation and further resources can be found on https://docs.royco.org/.
If you discover a vulnerability in any component that is not explicitly listed but poses a risk to user funds, user data, or the integrity of the system, you may submit it for consideration. The team will review such submissions on a case-by-case basis.
Prohibited Actions
-
No Unauthorized Testing on Production Environments:
Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups. -
No Public Disclosure Without Consent:
Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose. -
No Exploitation or Data Exfiltration:
Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service. -
No Conflict of Interest:
Individuals currently or formerly employed by [Program Name/Company], or those who contributed to the development of the affected code, are ineligible to participate.
Disclosure Requirements
You must report vulnerabilities directly on Cantina. Please include:
- A clear description of the vulnerability and its impact.
- Steps to reproduce the issue, ideally with a proof of concept.
- Details on the conditions under which the issue occurs.
- Potential implications if the vulnerability were exploited.
Reports should be made as soon as possible—ideally within 24 hours of discovery.
Eligibility
To be eligible for a reward, you must:
- Be the first to report a previously unknown, non-public vulnerability within the defined scope.
- Provide sufficient information to reproduce and fix the vulnerability.
- Not have exploited the vulnerability in any malicious manner.
- Not have disclosed the vulnerability to third parties before receiving permission.
- Comply with all Program rules and applicable laws.
You must also be of legal age in your jurisdiction and not be a resident in a country under sanctions or restrictions, as required by applicable laws.
Severity Definitions
Vulnerabilities are classified using two factors: Impact and Likelihood. The combination of these factors determines the severity and guides the reward amount.
Risk Classification Matrix
| Severity Level | Impact: Critical | Impact: High | Impact: Medium | Impact: Low |
|---|---|---|---|---|
| Likelihood: High | Critical | High | Medium | Low |
| Likelihood: Medium | High | High | Medium | Low |
| Likelihood: Low | Medium | Medium | Low | - |
Critical:
- Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
- Permanent freezing of >2% funds
High:
- Theft of unclaimed yield
Medium:
- Smart contract unable to operate due to lack of token funds
- Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
- Unbounded gas consumption
Low:
- Contract functions affected but does not result in loss of fund or impact severely
Impact Definitions:
- Critical: Vulnerabilities that can lead to severe loss of user funds, permanent system disruption, or widespread compromise.
- High: Vulnerabilities that cause notable financial loss or significantly harm user trust, but on a lesser scale than Critical.
- Medium: Vulnerabilities that lead to limited financial damage or moderate system impact.
- Low/Informational: Findings that pose minimal direct risk but reflect areas for improvement or best practices.
Likelihood Definitions:
- High: Very easy to exploit or highly incentivized.
- Medium: Exploitation is possible under certain conditions.
- Low: Difficult to exploit or requires highly specific conditions.
Rewards
The maximum Rewards will be further capped at 10% of direct funds at risk based on the valid POC provided.
- Smart Contract Code
| Severity | Maximum Payout |
|---|---|
| Critical | $250,000 |
| High | $3,000 to $10,000 |
The maximum Rewards will be further capped at 10% of direct funds at risk based on the valid POC provided.
- Web App / Frontend
| Risk Score | Payout Range |
|---|---|
| Critical | Up to $10,000 |
For critical web/apps bug reports will be rewarded only if the impact leads to:
- A loss of funds involving an attack that does not require any user action
- Private key or private key generation leakage leading to unauthorized access to user funds
Note: Actual reward amounts are determined at Royco’s sole discretion. Factors influencing payout include quality of report, completeness, and the severity and exploitability of the vulnerability.
Out of scope
Web3/Smart contract:
- Incorrect data supplied by third party oracles
- Not to exclude oracle manipulation/flash loan attacks
- Impacts requiring basic economic and governance attacks (e.g. 51% attack)
- Lack of liquidity impacts
- Impacts from Sybil attacks
- Impacts involving centralization risks
WebApp/Frontend:
- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
- Impacts caused by attacks requiring access to leaked keys/credentials
- Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible
- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
- Best practice recommendations
- Feature requests
- Impacts on test files and configuration files unless stated otherwise in the bug bounty program
- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed
- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers.
- Theoretical impacts without any proof or demonstration
- Impacts involving attacks requiring physical access to the victim device
- Impacts involving attacks requiring access to the local network of the victim
- Reflected plain text injection (e.g. url parameters, path, etc.)
- This does not exclude reflected HTML injection with or without JavaScript
- This does not exclude persistent plain text injection
- Any impacts involving self-XSS
- Captcha bypass using OCR without impact demonstration
- CSRF with no state modifying security impact (e.g. logout CSRF)
- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact
- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces
- Impacts causing only the enumeration or confirmation of the existence of users or tenants
- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows
- Lack of SSL/TLS best practices
- Impacts that only require DDoS
- UX and UI impacts that do not materially disrupt use of the platform
- Impacts primarily caused by browser/plugin defects
- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)
- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)
- SPF/DMARC misconfigured records)
- Missing HTTP Headers without demonstrated impact
- Automated scanner reports without demonstrated impact
- UI/UX best practice recommendations
Other Terms
By submitting a report, you grant Royco the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of Royco. The terms, conditions, and scope of this Program may be revised at any time. All participants are responsible for reviewing the latest version before submitting a report.
Total reward
$250,000
Findings submitted
20
Start date
Jan 10, 2025
Please sign in as a researcher to join the bounty.
Log in