The team of imToken, a cryptocurrency wallet ecosystem, has announced the launch of a new bug bounty program for the recently open-sourced TokenCoreX. This bug bounty is being managed in conjunction with blockchain security firm SlowMist.
TokenCore is a cross-platform library that implements crypto wallet functions for blockchains, exporting C interfaces in Protobuf protocol. This library is entirely written in Rust, and provides friendly interfaces for the imToken mobile platform including ReactNative, iOS, and Android.
imToken embeds the TokenCore library as its low-level cryptographic wallet layer and builds the user interface on top of this library.
Bounty Scope
The TokenCore Bug Bounty covers only the open-sourced TokenCore code; the GitHub repository is https://github.com/consenlabs/token-core.
The following issues are what imToken is interested in:
- Vulnerabilities that can steal assets or cause loss of assets.
- Defects in core encryption algorithm implementation, such as Keystore, Wallet Generation, Transaction Signature, etc.
- Vulnerabilities in chain-related logic code.
- Vulnerabilities in the wallet application layer.
- Vulnerabilities that can cause software unavailability, such as App crashes, etc.
- Insecure and irregular code implementations.
- Vulnerability messages for third-party libraries.
Rewards:
The following are out of scope:
- Anything that isn’t in this repository.
- 3rd party library dependencies.
- Example code for demonstrating.
Note that any bugs already reported are considered out of scope. Bounty rewards are paid in Tether USD tokens on Ethereum.
Guidelines for Crafting a Report
Contact imToken by sending vulnerability details to sec@token.im.
Report requirements:
- Vulnerability title and tier.
- Description of the vulnerability.
- PoC (e.g. sample code, screenshot, video).
- Suggestion for how to fix (optional).
- Whether a vulnerability is valid is basically confirmed within two business days after submission. After confirmation and grading, the reward will be issued to your wallet address within two weeks.
- Do not publicly disclose your submission until imToken has evaluated the impact.