BUG BOUNTY

The first five columns (Timestamp through ETH wallet address) are to be completed by the registrant; the remaining columns (Severity as deemed by Coinvest through Total Stakes) are to be completed by the Coinvest Community Manager. Updated on 1/29.

Timestamp | What is your email address? | Your assessment of the severity (will be validated by the Coinvest development team) | Please describe the issue / bug. | Please provide your ETH wallet address. | Severity as Deemed by Coinvest (Low / Medium / High / Critical) | Notes | Total Stakes
---|---|---|---|---|---|---|---
12/3/2017 11:21:01 | bitkolik2@gmail.com | Medium | Contracts/Token/CoinvestToken.sol (False) uint public constant decimals = 18; (True) uint8 public constant decimals = 18; (Source) https://theethereum.wiki/w/index.php/ERC20_Token_Standard | 0xB7B8CE6E22db8674D047614F63bA0B13A8d062e3 | Low | Uint8 is a bit more explicit than Uint but this affects nothing (may make it a bit less efficient actually). | 100
12/14/2017 20:04:27 | henry.ericson.1978@gmail.com | Low | Line 83 of CoinvestToken.sol: Gas requirement of function CoinvestToken.name() unknown or not constant. If the gas requirement is higher than the block gas limit, it cannot be executed. Please avoid loops in your functions or actions that modify large areas of storage. | 0x020F087aa167FE27747E2082E730389b5BCeEE50 | Invalid | CoinvestToken.sol does not contain the referenced line or function. | n/a
12/14/2017 20:10:26 | henry.ericson.1978@gmail.com | Low | Line 24 of SafeMath.sol: There is an assertion failure when a = 0 and b = 1. | 0x020F087aa167FE27747E2082E730389b5BCeEE50 | Invalid | The explicit purpose of SafeMath is to error in this case. | n/a
1/24/2018 1:49:31 | itsreitz@gmail.com | Medium | Spelling error on your Telegram post and pinned message. Submitted to and verified by Oleg @ Coinvest. | 0x325442bA2cEE41D9eBdE18962cA6dAD9EaB0E0c8 | Invalid | This bounty is for items related to our Coinvest smart contracts. | n/a
1/26/2018 15:00:55 | donnie.darko.jr@gmail.com | Critical | You can see the details in the doc link below: https://docs.google.com/document/d/12Y5h1Kvypsg0LoXixJmYAN5TIyxw9Fn2tORBt9Acvq0/ | 0x6e453d404669fA4b1064C898cea3105f662C85e5 | Invalid | This bounty is for items related to our Coinvest smart contracts. | n/a
1/26/2018 19:08:19 | bitkolik2@gmail.com | High | Contracts/Token/CoinvestToken.sol (False) uint256 _totalSupply = 133928571 * (10 ** 18); Total supply should be 107142857 according to the whitepaper... (Source) Whitepaper https://docs.google.com/document/d/1ePI50Vd9MGdkPnH0KdVuhTOOSiqmnE7WteGDtG10GuE/edit?usp=sharing | 0xB7B8CE6E22db8674D047614F63bA0B13A8d062e3 | Low | Math calculation error | 100
1/27/2018 20:54:41 | ilhamjay44@gmail.com | Critical | It is better to use an anonymous and untracked blockchain XMR method when transacting, by combining the properties of bitcoins that are easy to trace while transacting. You may use both of them for your consumers' purposes: for a bank's consumer it may be appropriate to use the blockchain character of Bitcoin to leave evidence of transfer, and for a consumer who wants an anonymous identity it is suitable to use the Monero or XMR blockchain. Hopefully Coinvest is more advanced. | 0x3A32196C114A1C0680b753B5Cf98A4Abd6877C97 | Invalid | Anonymity is great for users but smart contracts cannot currently be written on Monero. With the implementation of zk-SNARKs on Ethereum this is a possibility in the future but not a feature we are currently pursuing. | n/a
1/29/2018 12:16:50 | badboi1@live.de | Low | Website is vulnerable to a "clickjacking attack", because no X-Frame-Options header was returned from the server. An attacker may use this risk to invisibly load the target website into their own site and trick users into clicking on links which they never wanted to click on. | 0x4C8c4E09E6F281A2372355b6b4785Bace328047A | Invalid | This bounty is for items related to our Coinvest smart contracts. | n/a
2/4/2018 10:56:42 | anupthapa1424@gmail.com | Low | Your page does not contain any H1 headings. H1 headings help indicate the important topics of your page to search engines. While less important than good meta-titles and descriptions, H1 headings may still help define the topic of your page to search engines. | 0x0aAADF11436fC3606AD253667C03226fe0B545A0 | Invalid | This bounty is for items related to our Coinvest smart contracts. |
2/4/2018 12:00:07 | i.kopestpanda@gmail.com | Critical | Dear Coinvest team, I am writing you concerning research I have made regarding the security level of the code available on your repository. I hereby hope the material I can provide can be of any help to you and your project. The main issue I would like to point out is found in the Investment contract. The Invest() function contains a high number of arithmetic and boolean operations. Those operations used in the context of smart contracts could result in unpredictable behavior in the case of a mutated instance of a smart contract in the EVM. This can be particularly impactful since the primary activity is investing. I have found an open issue on the Solidity repository addressing this topic: https://github.com/ethereum/solidity/issues/1172 It points out that there is currently no existing framework that can allow developers to ensure mutation resiliency, since the Solidity compiler cannot produce bytecode including mutated primitives and operations for the EVM. Foolproof mutation testing would ensure that at least one of the unit tests targeting the Invest() function detects each possible mutation. This could guarantee high robustness and security since the arithmetic mutations could not result in erroneous transactions in the distributed consensus. As this article mentions (cf. section "Solidity"): https://blog.ethereum.org/2017/07/08/roundup_q2/ There exists a new feature that allows one to export the full AST with type annotations. Unfortunately, mutating and reintegrating it is currently not natively implemented. Therefore, it is still impossible to guarantee mutation resiliency with an existing tool. I have searched for such a tool/framework for Solidity, but have not found any relevant solutions. Therefore, the current state of development of the EVM and Solidity would not enable mutation testing for the Invest() function as such. I do not know the exact nature of your testing process, but I have worked on mutation testing in the past and I think I could provide you with "educated advice", or at least a little educated. In the following document: http://www.inf.ed.ac.uk/teaching/courses/st/2011-12/Resource-folder/09_mutation.pdf it is stated that this kind of testing can be performed to mitigate effects of bytecode transformations as mentioned above. Since production of mutants would require your team to either wait for or develop a mutation parser and generator yourself, I believe it would be more cost-efficient for your team to focus on workarounds that provide the closest equivalents. For that matter, I would suggest a simple modification in the Invest() function, and more generally in the entire code itself, that could help increase the robustness of your contracts. Since mutations that effectively infect a program strongly disrupt the code areas that perform arithmetic operations or boolean comparisons (==, +, /, <, <=, ...), there is a higher chance of capturing defects by adding very frequent assertions. For example, at line 93 of Investment.sol, there is an additive iteration for the investAmount variable. It could improve the security level of the program to assert that after each addition the variable value does actually correspond to the amount, s.t. in case the "+=" has mutated to "=" or anything else, the disruption is detected and the function can handle it. I hope that I have been able to help you in any way, and that your project continues on its good way. Best regards, Igor Kopestenski | 0x626b2A247513A2f335e642C0F711E312482beDB9 | | |
2/8/2018 3:21:16 | anupthapa1424@gmail.com | Low | Anup Thapa: Your page does not contain any H1 headings. H1 headings help indicate the important topics of your page to search engines. While less important than good meta-titles and descriptions, H1 headings may still help define the topic of your page to search engines. | 0x0aAADF11436fC3606AD253667C03226fe0B545A0 | Invalid | This bounty is for items related to our Coinvest smart contracts. |
2/8/2018 3:36:57 | pramodniroula321@gmail.com | Low | On the website, a website firewall is not set up. It makes it unsafe for users. | 0x8215c7c400878f6bc8F5F6Fa1D420d61a5313000 | Invalid | This bounty is for items related to our Coinvest smart contracts. |
2/20/2018 3:29:55 | rockysalvador03@gmail.com | High | No issue | 0x28BA1A96449476715ee27aca2023a23D0dE33fd4 | N/A | N/A |
1/30/2018 | | Invalid | uint public constant decimals = 18; | | Invalid | We've already dealt with this formatting. | n/a
1/30/2018 | | Invalid | 2. Use SafeMath in transfer and transferFrom functions. | | Invalid | A good suggestion but we're comfortable with the checks we're doing. | n/a
1/30/2018 | | Invalid | 3. if (msg.sender != oraclize_cbAddress()) throw; | | Invalid | This falls under the category of "if it ain't broke don't fix it." It's deprecated but it continues to be the documented method for Oraclize and we do not want to bring in risk by making changes. | n/a
1/30/2018 | | Invalid | 4. Consider avoiding the usage of "for" loop as iterating through the array of unknown size might consume all the gas provided (run out | | Invalid | Good suggestion but we do not count this as a bug at the moment. | n/a