Bug Bounty
Last updated
Last updated
We are pleased to announce our bug bounty program and encourage everyone to participate by submitting vulnerabilities.
You can send your vulnerability information to , and our team will swiftly review and verify the reported issues. Alternatively, you can submit vulnerabilities on our partner's page at
We value your contribution to our platform's security and will be in contact with you promptly.
Low-risk
50 to 100 USDT
Medium-risk
100 to 500 USDT
High-risk
500 to 1000 USDT
Critical
1000 to 5000 USDT
Critical Vulnerabilities:
Critical vulnerabilities refer to the vulnerabilities that occur in core business systems (such as core control systems, domain controllers, business distribution systems, and bastion hosts) that manage a large number of systems. These vulnerabilities can have a wide-ranging impact, allowing unauthorized control of business systems (depending on the specific circumstances), obtaining administrative privileges of core systems, or even taking control of core systems. Examples of critical vulnerabilities include but are not limited to:
Controlling multiple devices within the internal network.
Obtaining super-administrator privileges of the backend, resulting in severe consequences such as leakage of critical enterprise data.
Smart contract overflow and race condition vulnerabilities.
High-risk Vulnerabilities:
Gaining system privileges (e.g., GetShell, command execution, etc.).
System SQL injection (backend vulnerability downgrading, bundled submissions prioritized based on discretion).
Unauthorized access to sensitive information, including bypassing authentication to directly access the management backend, weak passwords in critical backends, SSRF vulnerabilities that allow obtaining a large amount of sensitive internal network information, etc.
Arbitrary file reading.
XXE vulnerabilities, allowing access to any information.
Unauthorized transactions or bypassing payment logic involving funds (requires successful exploitation).
Severe logical and process design flaws, including but not limited to arbitrary user login vulnerabilities, bulk modification of arbitrary account passwords vulnerabilities, logical vulnerabilities related to critical business processes (excluding captcha cracking), etc.
Other vulnerabilities that have a wide-ranging impact on users, including but not limited to stored XSS vulnerabilities that can automatically propagate on important pages, stored XSS vulnerabilities that successfully exploit the authentication information of administrators, etc.
Extensive source code leakage.
Smart contract permission control flaws.
Medium-risk Vulnerabilities:
Vulnerabilities that affect users after interaction, including but not limited to stored XSS vulnerabilities, CSRF vulnerabilities related to core business processes, etc.
Parallel authorization operations, including but not limited to bypassing restrictions to modify user data or perform user operations.
Denial of Service (DoS) vulnerabilities, including but not limited to remote DoS vulnerabilities caused by DoS network applications.
Vulnerabilities caused by captcha logic flaws that allow successful brute-forcing of sensitive operations such as arbitrary account login or password retrieval.
Local leakage of sensitive authentication key information that can be effectively exploited.
Low-risk Vulnerabilities:
Local DoS vulnerabilities, including but not limited to client-side local DoS (crashes caused by parsing file formats, network protocols, etc.), issues caused by Android component permissions exposure, routine application access, etc.
Routine information leakage, including but not limited to web path traversal, system path traversal, directory browsing, etc.
XSS vulnerabilities (including DOM XSS/Reflected XSS).
Routine CSRF vulnerabilities.
URL redirection vulnerabilities.
SMS bombs, email bombs (only one type of such vulnerabilities accepted per system).
Other vulnerabilities with relatively low impact or inability to demonstrate harm (e.g., CORS vulnerabilities that do not allow access to sensitive information).
SSRF vulnerabilities that did not result in successful deep exploitation and did not return values.
Vulnerability Types Not Accepted (reported vulnerabilities will be ignored):
Email spoofing.
User enumeration vulnerabilities.
Self-XSS and HTML injection.
Webpage missing CSP and SRI security policies.
CSRF issues for non-sensitive operations.
Individual Android App issues such as android:allowBackup="true" or local denial of service (except those with deep exploitation).
Issues related to modifying image sizes causing slow requests, etc.
Leaked versions of Nginx or other software.
Functional issues that do not pose security risks.
Personal attacks on MUFEX employees or social engineering against MUFEX employees.
Arbitrum
HotTreasury: 0x763ecd00eEA0CDAECBDF97d88c3e0fd5457eE5A0
MainTreasury: 0x16BEDB2Ab2aEf9023ff2cbF0C78135cA120c03C6
DepositWalletFactory: 0xc8a3a6d43e8aa43187d7b7a1faef21e65acba43b
Polygon
HotTreasury: 0x763ecd00eEA0CDAECBDF97d88c3e0fd5457eE5A0
Low-risk
50 to 100 USDT
Medium-risk
100 to 500 USDT
High-risk
500 to 5000 USDT
Critical
5000 to 500000 USDT
Critical Vulnerabilities:
Any governance voting result manipulation
Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
Permanent freezing of funds
Miner-extractable value (MEV)
Protocol insolvency
High-risk Vulnerabilities:
Theft of unclaimed yield
Theft of unclaimed royalties
Permanent freezing of unclaimed yield
Permanent freezing of unclaimed royalties
Temporary freezing of funds
Medium-risk Vulnerabilities:
Smart contract unable to operate due to lack of token funds
Block stuffing for profit
Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
Theft of gas
Unbounded gas consumption
Low-risk Vulnerabilities:
Contract fails to deliver promised returns, but doesn't lose value
Information Vulnerabilities:
Incorrect data supplied by third party oracles:
Not to exclude oracle manipulation/flash loan attacks
Impacts requiring basic economic and governance attacks (e.g. 51% attack)
Lack of liquidity impacts
Impacts from Sybil attacks
Impacts involving centralization risks
Best practice recommendations
Sybil attacks
Vulnerabilities already reported and/or discovered in contracts built by third parties on MUFEX
Bugs in any third party contract or platform that interacts with MUFEX
Engaging in social engineering and/or participating in phishing activities.
Disclosing specific information about vulnerabilities.
Vulnerability testing is limited to Proof of Concept (PoC) only, and destructive testing is strictly prohibited. If any unintended harm occurs during the testing process, it should be promptly reported. Additionally, any deletions, modifications, or other sensitive operations conducted during testing must be clearly stated in the report.
For large-scale scanning, please use scanning tools. If the business system or network becomes unavailable due to scanning activities, appropriate actions will be taken in accordance with relevant laws.
Vulnerability testing should avoid direct modification of web pages, continued pop-up message boxes (XSS verification is recommended using DNSLog), cookie theft, and/or any invasive payloads that obtain user information (XSS blind testing should use DNSLog). If you accidentally use invasive payloads, please remove them immediately. Failure to do so may result in legal consequences.
MUFEX has provided these completed audit review reports for reference. Any unfixed vulnerability mentioned in these reports are not eligible for a reward.