IPMB Staking Bug Bounty Program – November 2024
Security is paramount in the world of digital assets and gold-backed cryptocurrencies. Vulnerabilities in smart contract code can lead to significant financial risks and undermine user trust. At IPMB, we provide access to physical gold through a unique staking mechanism that allows users to acquire gold at discounted rates.
To ensure the integrity of our ecosystem, IPMB is launching a Bug Bounty Program, inviting ethical hackers, developers, and security researchers to analyze our Staking Smart Contract for vulnerabilities. This program promotes transparency and confidence, offering rewards for valuable findings. This article outlines the scope, rewards, and participation guidelines.
Why a Bug Bounty Program for IPMB Staking?
Bug bounty programs are a proven strategy for identifying security vulnerabilities, especially in the blockchain and crypto space. Staking IPMB Tokens offers users direct access to tokenized gold at discounted rates. With millions of dollars managed through our smart contracts, IPMB is committed to ensuring secure and efficient operation, driving the adoption of tokenized gold and leading growth in the Real World Asset (RWA) sector. By crowdsourcing vulnerability testing, IPMB aims to enhance security, reduce risks, and provide a safer product for users.
Scope of the Bug Bounty Program
The IPMB Staking Bug Bounty Program targets bugs in both the smart contract code and economic logic of the staking platform. Below are the categories of issues eligible for rewards:
1. Smart Contract Specific Bugs
These bugs are specific to the functioning of the staking contract itself, with a focus on vulnerabilities that could lead to unauthorized fund transfers, miscalculations, or other critical issues.
- Reentrancy Attacks: A classic smart contract vulnerability in which a malicious contract re-enters a function before its state updates have completed, repeatedly withdrawing to drain funds.
- Integer Overflows/Underflows: Arithmetic errors that cause unexpected results, potentially leading to manipulation of token balances or reward calculations.
- Access Control Issues: Unauthorized access to functions that should be restricted to admin or authority roles only.
- Time Manipulation: Bugs arising from improper handling of block timestamps, which can alter reward distribution schedules.
- Mismatches in Tokenomics: Any miscalculations in rewards, fees, or penalties that could lead to financial imbalances or be exploited for profit.
2. General Smart Contract Vulnerabilities
Beyond staking-specific issues, IPMB is also seeking reports on general smart contract security issues.
- Denial of Service (DoS): Bugs that can prevent the normal execution of contract functions, affecting user access and experience.
- DelegateCall Issues: Misuse of the delegatecall function, which can lead to unexpected code execution and potential loss of funds.
- Unprotected Functions: Functions that lack proper access controls, making them vulnerable to unauthorized execution.
- Improper Use of tx.origin: Using tx.origin instead of msg.sender can expose the contract to phishing attacks.
3. Logic Flaws
Logic flaws can create discrepancies between the intended functionality of the contract and its actual behaviour.
- Incorrect Business Logic: When the staking contract doesn’t behave as designed, such as mishandling rewards or penalties.
- Unintended Functionality: Functions that work differently than described or expected, potentially leading to unexpected outcomes for users.
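To make the scope categories concrete, the following minimal staking vault is an added illustration written for this article, not the IPMB staking contract; the token interface, 30-day lock period and 1% reward rate are assumed. Each comment names the scope item the pattern addresses.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration, not the IPMB contract: a minimal staking vault whose
// stake/unstake paths are hardened against the scope categories listed above.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract StakingVaultExample {
    IERC20 public immutable token;                 // assumed staking token
    address public immutable owner;
    uint256 public constant LOCK_PERIOD = 30 days; // assumed lock period
    uint256 public rewardRateBps = 100;            // assumed 1% per lock, in basis points
    bool private locked;                           // reentrancy guard flag
    mapping(address => uint256) public staked;
    mapping(address => uint256) public stakedAt;

    constructor(IERC20 _token) { token = _token; owner = msg.sender; }

    // Access Control / tx.origin: compare msg.sender, never tx.origin, so a
    // contract the owner is tricked into calling cannot act as the owner.
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    // Reentrancy: a nested call hits the locked flag and reverts.
    modifier nonReentrant() { require(!locked, "reentrant"); locked = true; _; locked = false; }

    // Tokenomics: bound the rate so rewards can never exceed 100% of principal.
    function setRewardRate(uint256 bps) external onlyOwner {
        require(bps <= 10_000, "rate above 100%");
        rewardRateBps = bps;
    }

    function stake(uint256 amount) external nonReentrant {
        require(amount > 0, "zero stake");
        staked[msg.sender] += amount;              // Overflow: 0.8.x checked math reverts
        stakedAt[msg.sender] = block.timestamp;
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
    }

    function unstake() external nonReentrant {
        uint256 principal = staked[msg.sender];
        require(principal > 0, "nothing staked");
        // Time Manipulation: block.timestamp is only compared against a lock far
        // longer than the few seconds a block producer can shift it.
        require(block.timestamp >= stakedAt[msg.sender] + LOCK_PERIOD, "still locked");
        uint256 reward = principal * rewardRateBps / 10_000;
        // Reentrancy: checks-effects-interactions, clear state BEFORE the transfer.
        staked[msg.sender] = 0;
        stakedAt[msg.sender] = 0;
        require(token.transfer(msg.sender, principal + reward), "transfer failed");
    }
}
```

Funding of the reward pool is omitted here; a real contract must also ensure the vault holds enough tokens to pay principal plus reward, or the unstake call will revert.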
Rewards
IPMB Staking has categorized rewards based on the severity of the discovered vulnerability to attract top-tier talent and reward thorough research. Here’s a breakdown of the reward tiers:
- Critical Bugs
  - Definition: Bugs that could result in a significant loss of funds or complete loss of control over the contract.
  - Example: A reentrancy exploit that enables an attacker to drain the contract’s funds.
  - Prize: Up to $2,500 USDT
- High Severity Bugs
  - Definition: High-impact bugs that are still dangerous but may require more effort to exploit.
  - Example: An integer overflow affecting reward calculations, reducing user rewards over time.
  - Prize: Up to $1,500 USDT
- Medium Severity Bugs
  - Definition: Vulnerabilities that present risks but are more challenging to exploit.
  - Example: Time manipulation vulnerabilities that affect reward distribution.
  - Prize: Up to $500 USDT
- Low Severity Bugs
  - Definition: Minor issues that pose minimal risk but could lead to inefficiencies or unnecessary gas costs.
  - Example: Minor gas optimization issues or inefficiencies in code execution.
  - Prize: Up to $250 USDT
Rules for Participation
The IPMB Staking Bug Bounty Program is designed to foster ethical, responsible disclosures while safeguarding sensitive information. Here’s what you need to know before participating:
- Eligibility: The program is open to anyone globally, with the exception of team members directly involved in the development or operation of the IPMB Staking contract or their immediate family members.
- Submission Guidelines:
  - The only approved medium for communication is the IPMB official Discord server, using the following channels:
    - Announcements: Under the BUG BOUNTY category, used for all official announcements related to the IPMB Staking Bug Bounty Program.
    - Bug-Chat: General chat on bug-related discussions.
    - For Submissions: Use our ticketing system under the SUPPORT category. In the “support-ticket” channel, click “Open a ticket!” and submit your findings.
  - Access the GitHub repo here: https://github.com/IpmbOfficial/IPMB-staking-contracts
  - Each report should include a detailed vulnerability description, steps to reproduce, potential impact, and a proof of concept (PoC), if possible.
- Disclosure: Responsible disclosure is essential. Participants must not publicly share details of any identified vulnerabilities until the issue has been resolved by the IPMB team or shared through official channels.
- Non-Disclosure Agreement (NDA): For certain sensitive vulnerabilities, participants might be required to sign an NDA. This ensures that proprietary or highly sensitive information is kept confidential.
- Timeframe for Fixes: The IPMB team aims to respond and fix any critical issues promptly. Reported issues will be acknowledged within a reasonable timeframe, with an emphasis on resolving critical bugs swiftly.
- Duplicate Reports: Rewards will be granted on a first-to-report basis. Duplicate reports will not be rewarded but may still receive acknowledgment if deemed valuable.
Additional Incentives
Beyond financial rewards, IPMB offers additional incentives to recognize top contributors:
- Hall of Fame: Contributors who make significant discoveries will be publicly acknowledged (if they choose) in a “Hall of Fame,” providing recognition within the security community.
- Long-term Collaboration: For exceptional contributors, IPMB may offer further opportunities, such as consulting roles, advisory positions, or additional paid research engagements.
How to Get Involved
Interested in participating? Here’s how you can get started:
- Review the Code: Familiarize yourself with the IPMB Staking contract’s code and identify potential areas for vulnerabilities. Access the GitHub repo here: https://github.com/IpmbOfficial/IPMB-staking-contracts
- Test and Report: Use a test environment to identify and document any vulnerabilities you find, and submit your findings following the guidelines.
- Stay Engaged: For those looking to contribute more long-term, stay active in IPMB’s community and keep an eye out for new opportunities.
Conclusion
The IPMB Staking Bug Bounty Program offers an exciting opportunity to help secure a DeFi staking contract while earning competitive rewards. By participating, you contribute to the security and trustworthiness of the platform, ensuring that users can confidently stake their assets. Whether you’re a seasoned security researcher or an up-and-coming developer, your contributions could make a lasting impact on the safety and success of IPMB Staking.
Ready to join? Dive into the IPMB Staking Bug Bounty Program and be part of the movement towards a safer DeFi ecosystem.
About IPMB
The IPMB Ecosystem offers direct access to physical gold, allowing exposure to the stability of gold and the speed and security of the blockchain through a dual-token model.
Through this innovation, IPMB is striving to change the gold industry forever.
The IPMB mission is to provide the world access to unlimited economic freedom and opportunity, giving choice and control to accelerate a global transition to a low-cost, unified and transparent global currency.
‘From the mine to the vault, and in the cloud’, IPMB manages and operates physical gold production, sourcing, beneficiating, exporting, refining, stamping and vaulting of gold.
The IPMB Ecosystem is at the heart of the IPM Group, a group of companies spanning three continents and five countries.