Bug Bounty Program

Submit Bug Report (required):

https://forms.gle/RTfavVcXoMERNupY8

Reward tiers

Critical - Up to $3,000

High - Up to $2,000

Medium - Up to $750

Low - Up to $350

Program Overview

Parallel Finance is a DeFi super DApp protocol with the mission of bringing decentralized finance to 1 billion people. The products offered are: liquid staking, AMM, decentralized money market, liquid crowdloan, stream protocol (DAO tooling), wallet, and yield farming functions. The Parallel and Heiko platforms are launched on the Polkadot and Kusama networks, respectively. For more information, please visit: https://docs.parallel.fi/

For the Parallel Bug Bounty Program, rewards are distributed according to the impact of the vulnerability. All web/app bug reports must come with a PoC whose end effect impacts our Paraspace platform in order to be considered for a reward. Explanations and statements are not accepted as a PoC; code is required. Payouts are handled by the Parallel team directly after review.

Critical substrate vulnerabilities are capped at a $3,000 reward, which can be paid out in tokens. All other rewards for the bug bounty program are scaled based on internally established team criteria. These take into account the exploitability of the bug, the impact it causes, and the likelihood of the vulnerability presenting itself; bug reports that require multiple conditions to be met are weighted accordingly. The team will assign a severity level after review and determine a fair value for the bugs found. Rewards will only be paid out if you’re the first party to report the issue via the form link and the bounty hunter does not disclose the bug to other parties or publicly until it’s confirmed by the Parallel team.

Substrate: Only the following impacts are accepted within this bug bounty program, after review by our team. All other impacts are considered out of scope. The bug bounty program is focused on preventing:

  • Transaction/consensus manipulation

    • Double-spending

    • Unauthorized token minting

    • Governance compromise

    • Getting access to an identity that can lead to unauthorized access to the system’s or a user’s assets.

    • Blocking or modifying processes so that governance or users cannot perform their tasks, or generating unhandled on-chain errors.

    • Putting on-chain data into an unexpected state without interrupting the system or users from performing their tasks, e.g. generating redundant events, logs, etc.

  • Network not being able to confirm new transactions (total network shutdown)

  • Direct loss of funds or permanent freezing of funds

Out-of-scope items include, but are not limited to, the following vulnerabilities, which are excluded from the rewards for this bug bounty program:

  • Attacks that the reporter has already exploited themselves, leading to damage

  • Attacks requiring access to leaked keys/credentials

  • Attacks requiring access to privileged addresses (governance, strategist)

  • DDoS attacks

  • Denial of service attacks

  • Spamming

  • Any physical attacks against Parallel property, or employees

  • Phishing or other social engineering attacks against our team

Websites and Apps

  • Theoretical vulnerabilities without any proof or demonstration

  • Attacks requiring physical access to the victim device

  • Attacks requiring access to the local network of the victim

  • Reflected plain-text injection (e.g. URL parameters, path, etc.). This does not exclude reflected HTML injection with or without JavaScript, nor persistent plain-text injection

  • Self-XSS

  • Captcha bypass using OCR without impact demonstration

  • CSRF with no state modifying security impact (ex: logout CSRF)

  • Missing HTTP security headers (such as X-Frame-Options) or cookie security flags (such as HttpOnly) without demonstration of impact

  • Server-side non-confidential information disclosure such as IPs, server names, and most stack traces

  • Vulnerabilities used only to enumerate or confirm the existence of users or tenants

  • Vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows

  • Lack of SSL/TLS best practices

  • DDoS vulnerabilities

  • Feature requests

  • Issues related to the frontend without concrete impact and PoC

  • Best practices issues without concrete impact and PoC

  • Vulnerabilities primarily caused by browser/plugin defects

  • Leakage of non-sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)

  • Any vulnerability requiring browser bugs for exploitation (e.g. CSP bypass)

The following activities are prohibited by this bug bounty program:

  • Any testing with mainnet or public testnet contracts; all testing should be done on private testnets

  • Any testing with pricing oracles or third party smart contracts

  • Attempting phishing or other social engineering attacks against our employees and/or customers

  • Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)

  • Any denial of service attacks

  • Automated testing of services that generates significant amounts of traffic

  • Public disclosure of an unpatched vulnerability in an embargoed bounty

Assets in Scope

Main network, open runtime module

https://github.com/parallel-finance/parallel

Disclaimer:

The ParaSpace team reserves the final decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award, depending on severity. Terms and program durations are subject to change at any time without notice. By submitting a bug, you agree to be bound by the program rules.

A reward can only be provided if:

  • The bug wasn't reported before.

  • The Bounty Hunter does not disclose the Bug to other parties or publicly until it's fixed by the Parallel Team.

  • The Hunter didn't exploit the vulnerability or allow anyone else to profit from it.

  • The Hunter reports a bug without any additional conditions or threats.

  • The investigation was NOT conducted with Ineligible methods or Prohibited Activities.

  • The Hunter should reply to our additional questions regarding the reproduction of the reported bug (if any) within a reasonable time.

  • When duplicate bug reports occur, we reward only the first one if it's provided with enough information for reproduction.

  • When multiple vulnerabilities are caused by one underlying issue, we will reward only the first reported.

  • The vulnerability is found in runtime pallets (tests, or modules that aren’t in the live runtime, are not considered vulnerabilities).

Severity Tiers

Rewards are distributed according to the impact of the vulnerability based on the following severity scale:

  • Critical: transaction/consensus manipulation, double-spending, unauthorized token minting, governance compromise, getting access to an identity that can lead to unauthorized access to the system’s or a user’s assets.

  • High: blocking or modifying processes so that governance or users cannot perform their tasks, or generating unhandled on-chain errors. These actions can lead to blocking users or governance from accessing their assets or performing system functions.

  • Medium: putting on-chain data into an unexpected state without interrupting the system or users from performing their tasks, e.g. generating redundant events, logs, etc.

Including a PoC and a suggested fix is not required, but doing so may be grounds for a bonus provided by the team at its discretion.
