Alloy ICO Bug Bounty
 Share
The version of the browser you are using is no longer supported. Please upgrade to a supported browser.Dismiss

View only
 
ABCDEFGHIJKLMNOP
1
TimestampEmail AddressBitcointalk UsernameBug SourceBug NameBug DescriptionGithub Issue / Bug LinkPrioritySteps to ReproduceYour ETH AddressStatusCommentBounty
2
9/29/2017 18:45:50myself@danielkelly.medafky2000WebsiteNo verification on dashboard -> account fieldsNo verification done on BTT Username, Ethereum and Bitcoin addresses, accepts invalid characters and invalid addresses

https://imgur.com/TK8fFlG
https://pastebin.com/18SZ1QenSuggestion / FeedbackEnter any invalid characters and hit update.0x00e8c2f1E2a359F7295430Ee81a67BBbe46CfE6fApproved50
3
9/29/2017 18:47:31myself@danielkelly.medafky2000WebsiteCannot remove Dashboard -> Account field dataAccount details cannot be removed if found to be invalidhttps://pastebin.com/18SZ1QenSuggestion / FeedbackClear the field and hit update, the old value persists0x00e8c2f1E2a359F7295430Ee81a67BBbe46CfE6fApproved50
4
9/29/2017 18:48:59myself@danielkelly.medafky2000WebsiteCookies not using secure flagsThey are transmitted unencrypted because the Secure flag wasn't used. For example, the PHPSESSID session cookie can be hijacked. ini_set("session.cookie_secure", 1);https://pastebin.com/18SZ1QenSuggestion / FeedbackN/A0x00e8c2f1E2a359F7295430Ee81a67BBbe46CfE6fApproved100
5
9/29/2017 18:50:24myself@danielkelly.medafky2000WebsiteX-Frame-Options is not setClickjacking vulnerability on *.rewards.network

This is SERIOUS front-end vulnerability.

It means that the website could be embedded in an iframe. With a 0% opacity, the user might not think he is clicking or typing on the website. This might lead to password change, funds withdrawal etc.

To fix it, simply add the following header: X-Frame-Options: SAMEORIGIN

For more information see : https://www.owasp.org/index.php/Clickjacking
https://pastebin.com/18SZ1QenCriticalN/A0x00e8c2f1E2a359F7295430Ee81a67BBbe46CfE6fApproved
Will be considered as MEDIUM
1500
6
9/29/2017 18:51:27myself@danielkelly.medafky2000WebsiteNewsletter subscription spamCan bypass newsletter subscriptions by accessing https://alloy.rewards.network/subscribe?email=user@host.com directly.

Subscription also allows multiple submissions of the same email address, refreshing this url is an easy way to get your servers marked as spam and blacklisted. Simply record who's already been sent newsletters and fail on subsequent tries.
https://pastebin.com/18SZ1QenMediumN/A0x00e8c2f1E2a359F7295430Ee81a67BBbe46CfE6fApproved
Will be considered as LOW
1000
7
9/29/2017 18:52:25myself@danielkelly.medafky2000WebsiteStrict-Transport-Security: HSTS not setfuture proofing against MITMhttps://pastebin.com/18SZ1QenLowN/A0x00e8c2f1E2a359F7295430Ee81a67BBbe46CfE6fApproved500
8
9/29/2017 18:53:34myself@danielkelly.medafky2000WebsiteX-XSS-Protection header is not setfuture proofing against XSShttps://pastebin.com/18SZ1QenLowN/A0x00e8c2f1E2a359F7295430Ee81a67BBbe46CfE6fApproved500
9
9/29/2017 18:54:34myself@danielkelly.medafky2000Smart ContractStandardToken.sol -> violates ERC-20 standard (not critical)https://github.com/OpenZeppelin/zeppelin-solidity/issues/438
https://github.com/SylTi/zeppelin-solidity/commit/d74b10adcd3fbb2ab3db7e41d6873bbc8a619e57
https://pastebin.com/18SZ1QenLowN/A0x00e8c2f1E2a359F7295430Ee81a67BBbe46CfE6fApproved650
10
9/29/2017 18:55:22myself@danielkelly.medafky2000Smart ContractMintableToken.sol -> Token transfers on minted tokens from crowdsale contract will not appear on EtherScan as token transfershttps://github.com/OpenZeppelin/zeppelin-solidity/issues/433
https://github.com/OpenZeppelin/zeppelin-solidity/pull/345/files#diff-b325b8c2471f700034909594251cd896
https://pastebin.com/18SZ1QenMediumN/A0x00e8c2f1E2a359F7295430Ee81a67BBbe46CfE6fApproved2500
11
9/29/2017 18:56:40myself@danielkelly.medafky2000Smart ContractSafeMath.sol -> Revert/require instead of assert/throw. Saves fees if failures and follows the ERC20 definitions.https://github.com/OpenZeppelin/zeppelin-solidity/issues/435
https://github.com/nedodn/zeppelin-solidity/commit/06e8de46571c662dc189205f6f204e9daf41986b

The more preferred method would be something like below.

function sub(uint256 a, uint256 b) internal constant returns (uint256) {
- assert(b <= a);
+ require(b <= a);
return a - b;
}
https://pastebin.com/18SZ1QenLowN/A0x00e8c2f1E2a359F7295430Ee81a67BBbe46CfE6fApproved400
12
9/29/2017 18:58:03myself@danielkelly.medafky2000Smart ContractAlloyCrowdsale.sol -> In the spirit of keeping the crowdsale trustless, don't allow the hardcap to be increased./**
* Lets the owner set the Hardcap for the sale based on the balance from the previous sale
*/
function setHardCap(uint256 _cap) public onlyOwner {
+ // Don't allow owner to increase hard cap or change the hard cap after the ICO has ended
+ require(hasEnded() == false);
+ require(_cap < cap);
cap = _cap;
}
https://pastebin.com/18SZ1QenSuggestion / FeedbackN/A0x00e8c2f1E2a359F7295430Ee81a67BBbe46CfE6fApproved100
13
9/29/2017 19:01:27myself@danielkelly.medafky2000Smart ContractnextSpecialBonus is redundant and wastes gasThe function is duplicated/redundant by getBonusSlab :)https://github.com/codemojo-dr/Alloy-ICO-Contracts/pull/2/commits/34c74b9e32aa8a7efcc69c34ad41842b53d5d81dImprovementN/A0x00e8c2f1E2a359F7295430Ee81a67BBbe46CfE6fN/A
Both are functions for different purposes
0
14
9/30/2017 11:15:07pflashispunk@gmail.comWebsiteemail enumerationEnumeration of email addresses of already registered users is possible, and or, checking if a user with specific email address is registered in the website and will then be used for phising attacks or any malicious intent.https://alloy.rewards.network/password/resetMedium
1) open https://alloy.rewards.network/password/reset
2) type a email to check whether email is registered or not.
3) if email is not registered you'll get a message " We can't find a user with that e-mail address."
4) if email is registered you'll get a message "We have e-mailed your password reset link!"
0x758423cB715492C8E269C7Ec46159F2f71737224ApprovedWill be considered Low700
15
9/30/2017 18:44:59pauliax6@gmail.comSmart ContractAdd keyword "constant" to the variables that do not change their valuesReading from a const variable doesn't cost any gas so this would save you some moneyhttps://github.com/codemojo-dr/Alloy-ICO-Contracts/issues/3Suggestion / FeedbackPlease read the description on the issue0xaAbf60384137D460427fD5B849017e59479797A1Approved150
16
9/30/2017 18:47:16pauliax6@gmail.comSmart ContractFunctions visibilityExplicitly mark visibility of the function to save some gashttps://github.com/codemojo-dr/Alloy-ICO-Contracts/issues/4Suggestion / FeedbackPlease read the description on the issue0xaAbf60384137D460427fD5B849017e59479797A1Approved200
17
9/30/2017 18:49:11pauliax6@gmail.comSmart ContractTimestamp usageTimestamps can be manipulated by the minershttps://github.com/codemojo-dr/Alloy-ICO-Contracts/issues/5LowPlease read the description on the issue0xaAbf60384137D460427fD5B849017e59479797A1
Awaiting response from the reported on the Issue
18
9/30/2017 18:51:19pauliax6@gmail.comSmart ContractUnused functionsThere are unused functions in SafeMath.sol. It will cost less gas to deploy the contract without it.https://github.com/codemojo-dr/Alloy-ICO-Contracts/issues/6Suggestion / FeedbackPlease read the description on the issue0xaAbf60384137D460427fD5B849017e59479797A1N/AThese are not unused0
19
9/30/2017 18:54:02pauliax6@gmail.comSmart ContractUnused parameterParameter in function transferableTokens is not usedhttps://github.com/codemojo-dr/Alloy-ICO-Contracts/issues/7Suggestion / FeedbackPlease read the description on the issue0xaAbf60384137D460427fD5B849017e59479797A1N/A
This is overriden in another contract with both the values passed
0
20
9/30/2017 18:57:19pauliax6@gmail.comSmart ContractCode duplicationConsider reusing functionality of Ownable.sol to improve code's maintainabilityhttps://github.com/codemojo-dr/Alloy-ICO-Contracts/issues/8Suggestion / FeedbackPlease read the description on the issue0xaAbf60384137D460427fD5B849017e59479797A1Approved250
21
9/30/2017 19:00:23pauliax6@gmail.comSmart ContractMethod Approve is vulnerablehttps://docs.google.com/document/d/1YLPtQxZu1UAvO9cZ1O2RPXBbT0mooh4DYKjA_jp-RLM/edit#heading=h.m9fhqynw2xvthttps://github.com/codemojo-dr/Alloy-ICO-Contracts/issues/9LowPlease read the description on the issue0xaAbf60384137D460427fD5B849017e59479797A1N/A
Latest patch from Zeppelin negates this for ERC20 compliance
0
22
10/6/2017 17:02:38st2000@outlook.comFruitsBasketWebsiteSpam signup
There are bots that can make fake account with fake emails so fast that there will be so many more fake accounts than real accounts.
https://alloy.rewards.network
LowBot signup
0xdd30dd6fbaae31ffc01c08e2392f76c0459c8527
Approved700
23
10/6/2017 17:04:34st2000@outlook.comFruitsBasketWebsiteSpam Password Reset
You can simply spam anyones email with the password reset function, just buy a vps and install macro bot, or write a simple autobot script that will submit an email in the password reset field and hit submit and do this over and over again all day long.
https://alloy.rewards.network
LowRead description
0xdd30dd6fbaae31ffc01c08e2392f76c0459c8527
Approved1000
24
10/6/2017 17:15:43st2000@outlook.comFruitsBasketWebsiteDDOS
DDOS Protection Required
https://alloy.rewards.network
LowDDOS
0xdd30dd6fbaae31ffc01c08e2392f76c0459c8527
Approved
Protected by AWS Shield
200
25
10/7/2017 7:21:38
pflashispunk@gmail.com
WebsiteRate limit
As there is no rate limit set,an attacker can successfully perform brute force/huge email bombing/cookie bombing/email spoofing on the victim's account.
https://alloy.rewards.network/login
Medium
->No rate limit has been set for login form
->As there is no rate limit set,an attacker can successfully perform brute force/huge email bombing/cookie bombing/email spoofing on the victim's account.
0x758423cB715492C8E269C7Ec46159F2f71737224
Approved
Throttling of Login was already present but with no Visual clues. Visual message has been added in this effect.
100
26
10/7/2017 7:25:55
pflashispunk@gmail.com
Website
Form Password Field with Autocomplete Enabled
form that included a password input field. The autocomplete attribute was not set to off. This may result in some browsers storing values input by users locally, where they may be retrieved by third parties.
https://alloy.rewards.network/login
Medium
A password value may be stored on the local filesystem of the client.
Locally stored passwords could be retrieved by other users or malicious code.
0x758423cB715492C8E269C7Ec46159F2f71737224
N/A
User's privilege & convinence. Many popular browsers allow users to save the Login credentials. How and where the creds are stored by the browser is a different topic altogether
0
27
10/7/2017 7:28:18
pflashispunk@gmail.com
Website
Cookie HttpOnly Flag Not Set
cookie was set without the HttpOnly flag. When this flag is not present, it is possible to access the cookie via client-side script code. The HttpOnly flag is a security measure that can help mitigate the risk of cross-site scripting attacks that target session cookies of the victim. If the HttpOnly flag is set and the browser supports this feature, attacker-supplied script code will not be able to access the cookie.
https://alloy.rewards.network
Medium...
0x758423cB715492C8E269C7Ec46159F2f71737224
N/ADuplicate of #40
28
10/7/2017 12:15:44st2000@outlook.comFruitsBasketWebsite
Missing HTTP security headers: X-Content-Type-Options is not set
The HTTP X-Content-Type-Options header is addressed to Internet Explorer browser and prevents it from reinterpreting the content of a web page (MIME-sniffing) and thus overriding the value of the Content-Type header). Lack of this header could lead to attacks such as Cross-Site Scripting or phishing.
Alloy.rewards.networkLow
I recommend setting the X-Content-Type-Options header to "X-Content-Type-Options: nosniff".
0xdd30dd6fbaae31ffc01c08e2392f76c0459c8527
Accepted100
29
10/7/2017 12:11:45st2000@outlook.comFruitsBasketWebsite
HTTP Security Header: Strict-Transport-Security is not set.
The HTTP Strict-Transport-Security header instructs the browser not to load the website via plain HTTP connection but always use HTTPS. Lack of this header exposes the application users to the risk of data theft or unauthorized modification in case the attacker implements a man-in-the-middle attack and intercepts the communication between the user and the server.
Alloy.rewards.networkLow
I recommend setting the Strict-Transport-Security header.
0xdd30dd6fbaae31ffc01c08e2392f76c0459c8527
N/ADuplicate of #70
30
10/9/2017 8:12:18bitkolik@gmail.combitkolikSmart Contractpossible bugs and fixesin github.
https://github.com/RequestNetwork/RequestTokenSale/issues/7
Criticalxxx
0x7bd81F41D03135D366F942dEF3B1479B49113C07
N/A0
31
10/9/2017 9:30:55bitkolik@gmail.combitkolikSmart Contracttypo fault
check pls.

https://github.com/codemojo-dr/Alloy-ICO-Contracts/blob/master/contracts/crowdsale/Crowdsale.sol

"Gets the Human readable progress for the current crowsale"

"crowsale" is false... it must be "crowdsale"
read bug descriptionLowread bug description
0x7bd81F41D03135D366F942dEF3B1479B49113C07
N/A0
32
10/11/2017 12:15:43
pflashispunk@gmail.com
Websitefb / twitter connect
After connecting fb/twitter you can remove the app of alloy from fb and twitter setting. But in site it will still show connected & number of alloy's including fb/ twitter bounty.
https://alloy.rewards.network/facebook-bounty
Medium
connect ffb/twitter then remove it.
0xe477292f1b3268687a29376116b0ed27a9c76170
N/A
This is by design. Anyone participating in the bounty, if they unlink the accounts, wont be eligible. The Pending ALLOYs will be rechecked against the connection status before being issued.
0
33
34
10750
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
Loading...