
I found a critical bug in software by Chain, the company behind $XCN (#34). They then scammed me out of their bug bounty. Immunefi is siding with them.

by COINS NEWS

On May 9th, I submitted a critical bug bounty to Chain via Immunefi, who offers up to 5m USD for criticals with "a minimum reward of USD 150 000." Chain immediately said that the repository I submitted a bug for was inactive (despite having merged a bug fix commit about a week ago), yet "this was in scope at time of submission we are still going to honor it upon verifying the details". While that did mean I wouldn't be able to claim 5m USD, due to the lack of impact, it should've still been worth 150k.

A couple of weeks go by and... nothing. Chain said they'd respond in 96 hours and just walked off. Immunefi automatically re-subscribed, as Chain was in breach of their resolution time frame, and got Chain to respond!

"Because this impact does not have any significance to any users, there is no business impact on this matter. We apologize for the delayed response but this needed to be thoroughly reviewed.

We will award you $10,000."

"Veda99646 (Chain) changed severity from Critical to Informational"

"Out of scope but paying"

How can you say you'll honor something as in scope, just to later say it's out of scope? Since when is a double spend, with proof of concept, solely informational? It was so outrageous I reached out to Immunefi, the arbitrators, because surely this is in violation of not only their posted bug bounty, yet easily shown to be Chain lying in an attempt to keep their funds.

"We believe that there is no impact as the development and support for https://github.com/chain/chain/ has ended and it is now archived and therefore no users are at risk. Project agreed that it was wrong of them to include this repository in the in-scope section, so we think that the payout offered by the project is fair."

Immunefi acknowledged the repo was in-scope, didn't contest this was a critical vulnerability on the repo, yet 'company made a mistake and apologized so now you don't get paid'. Also, it wasn't archived. There was no notice on the GH repository, nor in the README, which I did point out.

Immunefi came back with a commit adding an archival notice from a few years ago (a commit which I'd assume was provided by Chain). Funnily enough, they didn't also come back with the commit deleting the archival notice from last year. While Chain has since archived the repository, and removed the last traces of Chain Core from their site (as I pointed those out to Immunefi) the Wayback Machine doesn't lie, and I have all of it saved.

With their response though, they did say the following:

"It was listed as in scope on Immunefi, with "Blockchain/DLT" explicitly marked as having a critical bug bounty"

this is correct, both Immunefi and the project never said otherwise.

How can Immunefi fully acknowledge it's in scope, with a critical bug bounty, have no one be contesting the bug's existence, and say it's not eligible for a critical bug bounty? On what planet does any of this make sense?

After responding yet again, they then didn't respond for weeks, despite following up, until I said I planned to publicly disclose this (as allowed), at which point they finally said said disclosure would cause them to void the offer for 10k.

Well. Here's my disclosure. If you use Chain Core, there's a trivial double spend possible, allowing exponentially minting funds. They don't properly check you can't spend the same coins multiple times in a single transaction. Chain has claimed they have no such clients, yet if you, or your company, does use this (notably with an active B2B contract with Chain), PLEASE SPEAK UP. I'd also like to disclose Chain is a company which lies in their bug bounty process, and disclose Immunefi won't hesitate to side with corporations, even while they actively acknowledge the corporation is at fault, to deprive legitimate disclosures of their advertised payouts. I no longer believe Immunefi can be effective arbitrators and will not recommend them in the future.

As one final question, what even is $XCN? It's #34, with a blog post from months ago saying it partnered with Alameda to be their "market maker". It's a basic token with what appears to be an unattributed fork of MasterChef from Sushiswap, along with some basic governance contract? Is it just the latest VC PnD using a company from 7 years ago to give it notoriety?

submitted by /u/kayabaNerve
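As an added illustration of the class of bug the post describes (this is example code, not code from the post or from Chain Core), here is a minimal UTXO-style transaction validator in Go with the per-transaction duplicate-input check that the post says was missing; the Outpoint/Tx types, field names and the sample values are assumptions.

```go
package main

import "fmt"

// Outpoint names a previously created output by creating tx id and index.
type Outpoint struct {
	TxID  string
	Index uint32
}
// Tx is a minimal UTXO-style transaction; signatures are out of scope here.
type Tx struct {
	Inputs  []Outpoint
	Outputs []uint64
}
// UTXOSet maps each currently unspent outpoint to its value.
type UTXOSet map[Outpoint]uint64

// ValidateTx checks that a transaction consumes only unspent outputs and creates
// no more value than it consumes. The `seen` set is the hardening: without it,
// listing one outpoint twice counts the same coin twice (the post's double spend).
func ValidateTx(utxos UTXOSet, tx Tx) error {
	seen := make(map[Outpoint]bool, len(tx.Inputs))
	var in, out uint64
	for _, op := range tx.Inputs {
		if seen[op] {
			return fmt.Errorf("duplicate input %s:%d", op.TxID, op.Index)
		}
		seen[op] = true
		v, ok := utxos[op]
		if !ok {
			return fmt.Errorf("input %s:%d is not unspent", op.TxID, op.Index)
		}
		in += v
	}
	for _, v := range tx.Outputs {
		out += v
	}
	if out > in {
		return fmt.Errorf("outputs %d exceed inputs %d", out, in)
	}
	return nil
}

func main() {
	// Constructed sample: one unspent output worth 100 under a made-up tx id.
	coin := Outpoint{TxID: "tx0", Index: 0}
	utxos := UTXOSet{coin: 100}
	fmt.Println(ValidateTx(utxos, Tx{Inputs: []Outpoint{coin, coin}, Outputs: []uint64{200}}))
}
```

Without the `seen` check, the first call would pass with 200 of outputs backed by a single 100-unit coin, and repeating the trick on the new outputs is what lets the balance grow each round.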