Announcing C3's Bug Bounty Program

In the rapidly evolving world of cryptocurrency, security remains a paramount concern. Recognizing this, C3, a revolutionary self-custodial exchange, has launched an ambitious Bug Bounty Program. Starting from 28.11.2023, the program offers a substantial reward of up to $100,000, aimed at fortifying the platform against potential vulnerabilities. This initiative marks a significant step in C3's commitment to providing a secure, transparent, and trustless trading environment.

C3 Exchange: A Glimpse into the Future

C3 stands out as a next-generation exchange that combines the functionalities of traditional trading platforms with the benefits of decentralized exchanges. It offers instant execution, high throughput, comprehensive API support, and advanced order types, catering to a diverse range of blockchain networks. What sets C3 apart is its ability to deliver these services without the typical trade-offs, ensuring an optimal trading experience for its users.

Program Highlights

  • KYC Requirements: Participation in the program does not require KYC, but C3 upholds strict compliance with OFAC sanctions and the SDN list. Researchers must therefore complete KYC before a bounty award can be paid out.
  • Reward Structure: Rewards are paid in USDC and are determined by the severity of the reported vulnerability, in alignment with the Immunefi Vulnerability Severity Classification System V2.3.
  • Responsible Publication: C3 follows Immunefi's 'Category 3: Approval Needed' publication policy, under which researchers obtain C3's approval before publishing details of a reported vulnerability.

Focusing on Impact

The program emphasizes the 'Primacy of Impact' over 'Primacy of Rules', encouraging researchers to report all bugs that have a significant impact, regardless of the specific assets involved. This approach is intended to foster a broader and more effective security assessment of the platform.

Proof of Concept and Known Issue Assurance

All submissions must include a Proof of Concept (PoC) as per the Immunefi PoC Guidelines. C3 also provides Known Issue Assurance, ensuring either public or private disclosure of known issues to facilitate a more objective and streamlined mediation process.

Rewards by Threat Level

  • Critical Smart Contract Bugs: 10% of the funds directly affected, up to a maximum of $100,000.
  • High-Severity Reports: Rewards take into account the full amount of funds at risk, with specific conditions applying to vulnerabilities that only temporarily freeze assets.

Accepted Impacts in C3 Bug Bounty Program

The program accepts the following impacts, grouped by severity level:

  • Critical Severity:
    • Executing arbitrary system commands.
    • Retrieving sensitive data or files from a running server, including /etc/shadow, database passwords, and blockchain keys (excluding non-sensitive environment variables, open source code, or usernames).
    • Actions leading to the shutdown of applications or websites.
    • Performing state-modifying authenticated actions on behalf of users without their interaction, such as changing registration information, commenting, voting, trading, and withdrawals.
    • Subdomain takeover involving interaction with an already-connected wallet.
    • Direct theft of user funds.
    • Malicious interactions with an already-connected wallet, including modifying transaction arguments or parameters, substituting contract addresses, and submitting malicious transactions.
  • High Severity:
    • Injection of malicious HTML or executing cross-site scripting (XSS) through metadata.
    • Injecting or modifying static content on the target application persistently without JavaScript, such as HTML injection without JavaScript, replacing existing text with arbitrary text, and arbitrary file uploads.
    • Changing sensitive details of other users (e.g., email address, password), including browser local storage, without wallet interaction but requiring up to one click of user interaction.
    • Improper disclosure of confidential user information, like email addresses, phone numbers, and physical addresses.
    • Subdomain takeover without interaction with an already-connected wallet.
  • Medium Severity:
    • Changing non-sensitive details of other users, including browser local storage, without wallet interaction and requiring minimal user interaction, like changing names or toggling notifications.
    • Injecting or modifying static content on the target application without JavaScript reflectively, such as reflected HTML injection and loading external site data.
    • Redirecting users to malicious websites (open redirect).
  • Low Severity:
    • Changing details of other users, including modifying browser local storage, without wallet interaction and requiring significant user interaction, such as use of iframes leading to modifications in backend/browser state (proof of concept required).
    • Taking over broken or expired outgoing links, like social media handles.
    • Temporarily disabling user access to the target site, such as login lockouts or cookie bombing.

Feasibility Limitations and Repeatable Attack Limitations

The program acknowledges the real-world feasibility of executing certain attacks and has established standards to address these concerns. Additionally, limitations are set for repeatable attacks on smart contracts, with specific criteria for upgraded, paused, or killed contracts.

Adherence to Immunefi Standards

C3 has earned the Immunefi Badge, signifying its adherence to the best practice recommendations set forth by Immunefi.

Closing Thoughts

The C3 Bug Bounty Program represents a proactive approach to safeguarding the cryptocurrency trading environment. By incentivizing the discovery and responsible disclosure of vulnerabilities, C3 is not just enhancing its own platform's security but is also contributing to the broader stability and reliability of the crypto ecosystem.

For those interested in participating or learning more about the specifics of the program, including the detailed reward structure and the scope of acceptable impacts, please visit C3’s official bug bounty page.