STAKEWAR BUG BOUNTY
Honest disclosure: we run on testnet without a paid audit. Help us find issues — get rewarded when we hit mainnet.
In Scope
- Smart contract: TheGrid.sol (current deploy 0xdaE5901Dfc36e2EC513D3Bc346BE22a856cB6C89)
- Claim/capture flow (frontend transaction handling)
- Treasure VRF roll mechanics
- IPFS upload + content moderation bypass
- Achievement engine math errors
- Profile and leaderboard rendering inaccuracies
- XSS via cell link / image / address fields
- Pricing/capture economic edge cases
Out of Scope
- Older deployed contracts (known to be deprecated)
- Theoretical attacks without working PoC
- Social engineering or phishing
- DDoS / spam / rate limiting
- Third-party dependencies (RPC providers, IPFS gateways, OpenAI moderation API)
- Issues already disclosed in this Hall of Fame
Severity & Rewards
| Severity | Example | Reward |
|---|---|---|
| Critical | Drain pool, steal stakes, bypass ownership | Hall of Fame badge + Twitter shoutout + 50 USDC mainnet credit |
| High | Bypass capture economics or epoch logic | "HIGH HUNTER" badge + 20 USDC mainnet credit |
| Medium | Achievement calc wrong, moderation bypass | "BUG HUNTER" badge + 5 USDC mainnet credit |
| Low | UI deception, broken invariants in display | Public acknowledgement |
All rewards paid in real USDC after mainnet launch (no monetary reward during testnet). Until then, badges are earned and tracked.
How to Report
- Email: stakewar@proton.me
- PGP-encrypted email available on request
- Provide: clear PoC, expected vs actual behavior, severity assessment
- 90-day responsible disclosure — we’ll fix and credit you
DO NOT disclose publicly before the fix is deployed. We will work with you to coordinate disclosure timing.
Hall of Fame
No reports yet — be the first. Confirmed hunters and the bugs they found will be listed here.