A. Summary
Crypto Unicorns is committed to the security and integrity of its systems. This program exists to incentivize security researchers to identify and report vulnerabilities within the Crypto Unicorns ecosystem, and we invite ethical hackers (white hats) to scrutinize our contracts for exploitable flaws. We have reviewed the security bug bounty landscape to develop a competitive reward system. That system goes beyond monetary compensation and is meant to recognize and respect the contributions of the researchers who report to us. We are confident that our rewards are on par with market offerings, and we will monitor and adjust them as necessary so that they remain relevant to evolving security needs.
B. Scope
The security bug bounty program focuses on the following infrastructure:
Vulnerabilities in smart contracts
Web3 security issues
Authentication and authorization flaws
Infrastructure and network security issues
The security bug bounty program focuses on preventing the following:
Loss of funds (both user-end and project-end)
Loss of access to assets
Abnormal contract states and malfunctions
Damage to the brand’s and IP’s reputation
Other losses with significant economic, market, and brand implications
C. Assets in Scope
Unicorn Milk (UNIM) https://polygonscan.com/token/0x64060ab139feaae7f06ca4e63189d86adeb51691#code
Rainbow Token (RBW) https://polygonscan.com/token/0x431cd3c9ac9fc73644bf68bf5691f4b83f9e104f#code
Crypto Unicorns https://polygonscan.com/address/0xdC0479CC5BbA033B3e7De9F178607150B3AbCe1f#code
Crypto Unicorns Lands https://polygonscan.com/address/0xA2a13cE1824F3916fC84C65e559391fc6674e6e8#code
Crypto Unicorns Shadowcorns https://polygonscan.com/address/0xa7D50EE3D7485288107664cf758E877a0D351725#code
Crypto Unicorns Item Marketplace https://polygonscan.com/address/0x99A558BDBdE247C2B2716f0D4cFb0E246DFB697D#code
Game Bank https://polygonscan.com/address/0x94f557dDdb245b11d031F57BA7F2C4f28C4A203e#code
Staking v2 https://polygonscan.com/address/0x4942AfFDeCF26e3BbE43847F63660ab7bfA18136#code
RBWLP https://polygonscan.com/token/0x4843bc8c9537a9aad44b9e3398d3f3614034bfb9#code
Dropper https://polygonscan.com/address/0x6bc613A25aFe159b70610b64783cA51C9258b92e#code
Satellite Game Bank https://polygonscan.com/address/0x28597eA60030fBae79088d89d803f25143c7a6B5#code
D. Limitations
The following issues are considered out-of-scope and will not be eligible for rewards:
Vulnerabilities, issues, and malfunctions with no impact on security
Theoretical vulnerabilities without practical impact or proof-of-concept
Information disclosure with no or minimal impact on security (e.g. directory listings, logs, etc.)
Vulnerabilities limited to outdated or unpatched browsers
Social engineering attacks
Denial of service (ex. DoS, DDoS) attacks
Content spoofing or text injection issues
Vulnerabilities in third-party services that are not under our control
Issues already known internally, issues that have already been made public, issues connected to or lesser than a previously reported issue, and duplicate reports
Vulnerabilities affecting assets that are not directly related to Crypto Unicorns
Vulnerabilities that require physical access to a user’s device to exploit
For reports that fall outside the scope of the Security Bug Bounty, please submit them through the Usability Bug Bounty Program on ZenDesk.
E. Rewards
Rewards for critical smart contract vulnerabilities are up to $200,000 USD, depending on severity. The assessment of severity takes into account the exploitability of the bug, the impact it causes, and the likelihood of the vulnerability being exploited.
Rewards are allocated to the first researcher (the original reporter) to submit a verifiable report and are based on the severity of the vulnerability. The final reward amount is determined by the Crypto Unicorns team at its discretion.
F. Reporting
To submit a valid security bug bounty report, please send an email with the following items to bounty@laguna.games:
Your contact details for further communication (e.g. name, email address, Telegram/Discord handle)
Description of the vulnerability
Vulnerability type and a complete proof-of-concept (PoC), including a step-by-step exploit procedure
The IP address from which the security flaw was first discovered, as well as the date and time of the discovery
Archive of files that can help in reproducing the issue (screenshots, images, logs, source code, scripts, etc.)
A description of the potential impact should the vulnerability be exploited
A list of potential corrective or mitigating measures
Please ensure that every item on the list is provided so that your report can be tagged as the original reporter's. Because the checklist requires a proof of concept and supporting documentation, a purely qualitative description is not sufficient. The report must be complete and verifiable to qualify for a monetary reward.
G. Participation
By participating in the bug bounty program, you agree to:
Adhere to the program's guidelines and report findings responsibly
Maintain the confidentiality of any information regarding the vulnerabilities discovered until they are officially disclosed by the team
Follow responsible disclosure and give us ample time to address the vulnerability before disclosing it publicly
Refrain from downloading/extracting/crawling exposed data beyond what is required for proof-of-concept
Refrain from disruptive testing, such as denial-of-service (DoS) attacks, social engineering attacks, and other similar attacks
Refrain from attacking any vulnerability for personal gain
Refrain from causing any harm to the IP, its users, data, and all associated platforms
Comply with all applicable laws and regulations
H. Exclusions
This security bug bounty is open to everyone, with the exception of the following:
Anyone who discovered a security vulnerability and failed to report it, thereby putting the ecosystem and its users at risk
Anyone who exploited a security vulnerability for personal gain without reporting or prior to reporting
Anyone who shared information about the security vulnerability with other users without reporting or prior to reporting, thus encouraging its exploitation directly or indirectly
Any employee from the development teams/companies working on Crypto Unicorns
Any employee or team member of third-party partners and second-party developers operating in a technical capacity
Any team member of an audit firm (including its third-party partners and subsidiaries) that has audited Crypto Unicorns