Ongoing

2023-DoraHacks Bug Bounty

2023/01/03-2023/12/31

1500 USDC

  • Security / Bug Hunting
  • DoraHacks
Details

Program Overview

DoraHacks is a global hacker movement and the world’s most active multi-chain Web3 developer incentive platform.

The platform offers hackathons, bounties, quadratic funding, privacy voting, and other community governance and funding toolkits. In addition, over 40 major Web3 ecosystems currently use Dora infrastructure to fund their open source communities.

More than 2000 projects from the DoraHacks community have received over $21.5 million in grants and hackathon prizes.

For more information about DoraHacks, please visit https://dorahacks.io

Reward by Threat Level

All bug reports must come with a Proof of Concept (PoC) whose end effect impacts an asset in scope in order to be considered for a reward. Explanations and statements are not accepted as a PoC; working code is required.

Payouts are handled by the DoraHacks team directly and are denominated in USDC.

  • Submit Form

    • Google Docs
  • Threat Level

    • Critical: 300 USDC
    • High: 200 USDC
    • Medium: 100 USDC

No Real Attacks

Do not carry out real attacks against the live website; submissions that do will not receive any bounty reward.

Impacts in scope

Smart Contract

  • Critical
    • Direct theft of any user funds
    • Permanent freezing of funds
    • Breaking contract logic to alter a user's stored values, e.g. vote records or staking balances

Websites and Applications

  • Critical

    • Direct theft of any user funds
  • High

    • Take over a user account
    • Change website data without admin permission
  • Medium

    • Change user data without being logged in
    • Website display or business logic error
  • Ignore

    • Theoretical vulnerabilities without any proof or demonstration
    • DDoS attacks
    • Attacks requiring physical access to the victim's device
    • Reflected plain text injection, e.g. in URL parameters, path, etc.
      • This does not exclude reflected HTML injection, with or without JavaScript
      • This does not exclude persistent plain text injection
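
The exclusion above turns on whether a reflected value is rendered as text or parsed as markup. The following is an added example in Python, not DoraHacks code: it sends a probe containing an HTML marker through two constructed handlers (one that escapes, one that does not) and classifies the reflection as plain text (out of scope) or HTML injection (in scope). The handler functions and the probe value are assumptions made for illustration.

```python
"""Classify how a probe string is reflected in an HTTP response body.

Added example, not DoraHacks code. It separates the out-of-scope
"reflected plain text injection" from the in-scope "reflected HTML
injection" by checking whether an HTML marker survives un-escaped.
The two handlers and the probe value are constructed for illustration.
"""
import html
from typing import Callable, Literal

Verdict = Literal["not_reflected", "plain_text", "html_injection"]

# A marker that is harmless as text but structural when parsed as HTML.
# The "zq9" sentinels make accidental matches in the page unlikely.
PROBE = "zq9<u>probe</u>zq9"


def classify_reflection(body: str, probe: str = PROBE) -> Verdict:
    """Return how `probe` appears in `body`.

    - "html_injection": the raw marker, tags included, is present verbatim,
      so a browser would parse attacker-supplied markup (in scope).
    - "plain_text": the marker is present only with its angle brackets
      entity-encoded, i.e. the tags were neutralised (out of scope).
    - "not_reflected": the probe does not appear at all.
    """
    if probe in body:
        return "html_injection"
    if html.escape(probe, quote=False) in body:
        return "plain_text"
    return "not_reflected"


# --- two constructed handlers standing in for a search results page --------

def search_page_escaped(q: str) -> str:
    """Hardened version: reflects the query as text via entity encoding."""
    return f"<h1>Results for {html.escape(q)}</h1>"


def search_page_raw(q: str) -> str:
    """Vulnerable version: reflects the query into the HTML unescaped."""
    return f"<h1>Results for {q}</h1>"


def triage(handler: Callable[[str], str], q: str = PROBE) -> Verdict:
    """Run the probe through a handler and classify its reflection."""
    return classify_reflection(handler(q), q)


if __name__ == "__main__":
    for handler in (search_page_escaped, search_page_raw):
        print(f"{handler.__name__}: {triage(handler)}")
```

A "plain_text" verdict is what the Ignore list excludes; an "html_injection" verdict is only a lead, and the program still requires a PoC with a concrete end effect on an in-scope asset. The check is deliberately strict: a partial escape (for example only `<` encoded) yields "not_reflected" and should be examined by hand, and reflections inside attribute values or script blocks need context-specific probes that this example does not cover.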

Assets in scope

Contract-Qf-Grant

https://github.com/dorahacksglobal/qf-grant-contract

Contract-DoraStaking

https://github.com/dorahacksglobal/vc-dora-contract

Website-Buidls, Grant, Bounty, Hackathon

https://dorahacks.io/

Website-Staking for voters

https://dao.dorahacks.io/

Activities
  • DoraHacksBugBounty created the bounty on 2023/01/03 09:46:41
    Transaction
    0x877f...3ffe

  • uf9vyahc participated on 2023/01/03 17:49:17

  • Abuchtela participated on 2023/01/03 20:06:17

  • phanhai93 participated on 2023/01/03 21:13:03

  • socheatta666 participated on 2023/01/04 08:42:59

  • waveboy800 participated on 2023/01/04 22:08:26

  • SB Mazharul participated on 2023/01/05 11:56:42

  • chiliaway participated on 2023/01/06 02:48:45

  • MrBrice participated on 2023/01/06 07:08:31

  • priyanshuparmar participated on 2023/01/06 23:35:51

  • priyanshuparmar submitted a solution on 2023/01/06 23:48:51
    Winner
    Description
    Title: No rate limit on inviting users to an organization. I have identified that when a user is being invited to an organization, the request has no rate limit, which can then be used to loop through one request. This can be annoying to the invited users, as it sends mass invitations to one email.

  • <Anonymous> participated on 2023/01/08 00:35:54

  • Tamil-dev participated on 2023/01/08 14:16:25

  • Tamil-dev submitted a solution on 2023/01/08 14:46:16
    Description
    Hi Team, I found a vulnerability on https://dorahacks.io. Vulnerability name: IDOR

  • evilboyajay participated on 2023/01/11 00:29:35

  • evilboyajay submitted a solution on 2023/01/11 00:30:22
    Winner
    Description
    It has been discovered that the website dorahacks is vulnerable to email disclosure. This vulnerability allows an attacker to gain access to sensitive information, such as the email addresses of any registered users.

  • evilboyajay received 100.0000 USDC reward on 2023/01/11 00:39:28
    Transaction
    0x877f...3ffe

  • Tamil-dev submitted a solution on 2023/01/11 15:18:47
    Description
    It has been discovered that the website dorahacks is vulnerable to IDOR. This vulnerability allows an attacker to invite any members, without the permission of the organisation owner.

  • <Anonymous> participated on 2023/01/13 00:40:09

  • <Anonymous> participated on 2023/01/15 01:13:05

  • Boolbaredd participated on 2023/01/15 11:02:39

  • priyanshuparmar received 100.0000 USDC reward on 2023/01/19 18:03:26
    Transaction
    0x877f...3ffe

  • priyanshuparmar submitted a solution on 2023/01/24 00:32:30
    Description
    EXIF metadata not stripped from uploaded profile photo and organization logo. Description: On dorahacks.io you can upload a profile picture and an organization logo, and if you upload a JPEG with EXIF metadata in it, it isn't stripped. This can lead to disclosure of the location where the photo was taken or other personal information of the uploader if their post is public and everyone can view it; anyone can download the logo and check the metadata. As a result, anyone can get sensitive information about users, like their geolocation and their device information (device name, version, software and software version used, etc.).

  • Aacayipbaris87 participated on 2023/01/25 10:05:43

  • Aacayipbaris87 participated on 2023/01/25 10:41:56

  • ssss participated on 2023/01/27 16:40:16

  • samar19 participated on 2023/01/30 07:38:29

  • Ditya11 participated on 2023/01/30 22:53:58

  • Denny participated on 2023/01/30 23:02:12

  • Jukilboys participated on 2023/01/30 23:51:15

  • YFiN99 participated on 2023/01/31 02:31:02
