ParagonsDAO - Bug Bounty

Participate in ParagonsDAO’s Projects – Bug Bounty Program

Bug Bounty Overview

ParagonsDAO is a community of gamers and investors bridging gaps across traditional gaming, web3 gaming, and decentralized finance (DeFi). Through ParagonsDAO Token ($PDT), you can share in the success of ParagonsDAO (and our game/business partners) through ownership and direction of our Treasury, revenue streams, community, proprietary DeFi solutions and much more!

Scope

In cases of repeatable attacks for smart contract bugs, only the first attack will be counted, regardless of whether the smart contract is upgradable, pausable, or killable.

Vulnerabilities found in other bug bounty platforms for ParagonsDAO will not be valid in Hashlock’s Bug Bounty.

In Scope

This bounty program is limited to high-impact threats to the ParagonsDAO staking contract, which has been deployed on Base here.

Out of scope

– Impacts that have been previously reported to ParagonsDAO outside of this bug bounty program, with sufficient evidence provided to Hashlock

– Impacts requiring attacks that the reporter has already exploited themselves, leading to damage

– Impacts caused by attacks requiring access to leaked keys/credentials

– Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible

– Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production

– Best practice recommendations

– Feature requests

– Impacts on test files and configuration files unless stated otherwise in the bug bounty program

– Incorrect data supplied by third-party oracles (this does not exclude oracle manipulation/flash loan attacks)

– Impacts requiring basic economic and governance attacks (e.g. 51% attack)

– Lack of liquidity impacts

– Impacts from Sybil attacks

– Impacts involving centralization risks

Reward Payment Terms

Payouts are handled by the ParagonsDAO team directly and are denominated in USD; payments are made in USDC.

This bug bounty only rewards high-severity bug submissions. A bug is considered high severity if it causes any of the following:

– Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results

– Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield

– Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties

– Permanent freezing of funds, or protocol insolvency.

All submissions must include a POC, showing all impacts of the vulnerability.

Disclosure

Refrain from publishing or releasing any vulnerabilities, even resolved ones, outside of this Program without the project's consent.
You must not be a minor in your jurisdiction of residence, and you must not be employed by a company that does not allow you to participate.
Rewards will be sent via an agreement between the project and the individual directly.

Resources

All ParagonsDAO code can be found on GitHub. Documentation for the assets provided in the table can be found in the ParagonsDAO Docs.

Non-Hashlock Audits:

– Zellic audit here

Live since: 9th Sept 2024

KYC Required?: Yes

Maximum Bounty: $20,000

Last Updated: 18th December 2023

Audits List

Audit Name | Progress | Security Rating | Languages | Date of Audit | Audit Report
ParagonsDAO Smart Contract Audit Report | - | Hashlocked | Solidity | July 2024 | -

Submit a Bug

To submit a bug, please email: bug@hashlock.com.au

In your submission, you must include the following details for it to be valid:

  1. Full name
  2. Address
  3. Country
  4. A link to a private proof of concept (POC)
  5. Detailed explanations of the bug finding
  6. Your proposed severity level
  7. Your Ethereum wallet address

You must be willing and able to provide your identity and the POC over video call with the project leads.