
Bug Bounty


Last updated 1 year ago

We are pleased to announce our bug bounty program and encourage everyone to participate by submitting vulnerabilities.

You can send your vulnerability information to security@mufex.finance, and our team will swiftly review and verify the reported issues. Alternatively, you can submit vulnerabilities through our partner pages at https://bugrap.io/bounties/MUFEX, https://github.com/Secure3Audit/Secure3Academy/blob/main/bug_bounty/Mufex.md, or https://immunefi.com/bounty/mufex.

We value your contribution to our platform's security and will be in contact with you promptly.

Web Bug Bounty

Scope

*.mufex.finance

Bounty

Severity Level    Bounty
Low-risk          50 to 100 USDT
Medium-risk       100 to 500 USDT
High-risk         500 to 1000 USDT
Critical          1000 to 5000 USDT

Web Vulnerability Definitions

  1. Critical Vulnerabilities:

    • Critical vulnerabilities refer to the vulnerabilities that occur in core business systems (such as core control systems, domain controllers, business distribution systems, and bastion hosts) that manage a large number of systems. These vulnerabilities can have a wide-ranging impact, allowing unauthorized control of business systems (depending on the specific circumstances), obtaining administrative privileges of core systems, or even taking control of core systems. Examples of critical vulnerabilities include but are not limited to:

    • Controlling multiple devices within the internal network.

    • Obtaining super-administrator privileges of the backend, resulting in severe consequences such as leakage of critical enterprise data.

    • Smart contract overflow and race condition vulnerabilities.

  2. High-risk Vulnerabilities:

    • Gaining system privileges (e.g., GetShell, command execution, etc.).

    • SQL injection in system components (SQL injection that only reaches a backend system may be rated one level lower; bundled submissions are prioritized at our discretion).

    • Unauthorized access to sensitive information, including bypassing authentication to directly access the management backend, weak passwords in critical backends, SSRF vulnerabilities that allow obtaining a large amount of sensitive internal network information, etc.

    • Arbitrary file reading.

    • XXE vulnerabilities, allowing access to any information.

    • Unauthorized transactions or bypassing payment logic involving funds (requires successful exploitation).

    • Severe logical and process design flaws, including but not limited to arbitrary user login vulnerabilities, bulk modification of arbitrary account passwords vulnerabilities, logical vulnerabilities related to critical business processes (excluding captcha cracking), etc.

    • Other vulnerabilities that have a wide-ranging impact on users, including but not limited to stored XSS vulnerabilities that propagate automatically on important pages, stored XSS vulnerabilities that can be used to capture administrators' authentication information, etc.

    • Extensive source code leakage.

    • Smart contract permission control flaws.

  3. Medium-risk Vulnerabilities:

    • Vulnerabilities that affect users after interaction, including but not limited to stored XSS vulnerabilities, CSRF vulnerabilities related to core business processes, etc.

    • Horizontal authorization bypass (parallel-privilege issues), including but not limited to bypassing restrictions to modify another user's data or perform operations on their behalf.

    • Denial of Service (DoS) vulnerabilities, including but not limited to remote DoS vulnerabilities in network-facing applications.

    • Vulnerabilities caused by captcha logic flaws that allow successful brute-forcing of sensitive operations such as arbitrary account login or password retrieval.

    • Local leakage of sensitive authentication key information that can be effectively exploited.

  4. Low-risk Vulnerabilities:

    • Local DoS vulnerabilities, including but not limited to client-side local DoS (crashes caused by parsing file formats, network protocols, etc.), issues caused by Android component permissions exposure, routine application access, etc.

    • Routine information leakage, including but not limited to web path traversal, system path traversal, directory browsing, etc.

    • XSS vulnerabilities (including DOM XSS/Reflected XSS).

    • Routine CSRF vulnerabilities.

    • URL redirection vulnerabilities.

    • SMS bombs, email bombs (only one type of such vulnerabilities accepted per system).

    • Other vulnerabilities with relatively low impact or inability to demonstrate harm (e.g., CORS vulnerabilities that do not allow access to sensitive information).

    • SSRF vulnerabilities that could not be exploited further and that returned no response data.

  5. Vulnerability Types Not Accepted (reported vulnerabilities will be ignored):

    • Email spoofing.

    • User enumeration vulnerabilities.

    • Self-XSS and HTML injection.

    • Webpage missing CSP and SRI security policies.

    • CSRF issues for non-sensitive operations.

    • Isolated Android app issues such as android:allowBackup="true" or local denial of service (except where further exploitation is demonstrated).

    • Slow requests caused by manipulating image-size parameters, etc.

    • Version disclosure of Nginx or other software.

    • Functional issues that do not pose security risks.

    • Personal attacks on MUFEX employees or social engineering against MUFEX employees.

Contract Bug Bounty

Scope

  • Arbitrum

    • HotTreasury: 0x763ecd00eEA0CDAECBDF97d88c3e0fd5457eE5A0

    • MainTreasury: 0x16BEDB2Ab2aEf9023ff2cbF0C78135cA120c03C6

    • DepositWalletFactory: 0xc8a3a6d43e8aa43187d7b7a1faef21e65acba43b

  • Polygon

    • HotTreasury: 0x763ecd00eEA0CDAECBDF97d88c3e0fd5457eE5A0

Bounty

Severity Level    Bounty
Low-risk          50 to 100 USDT
Medium-risk       100 to 500 USDT
High-risk         500 to 5000 USDT
Critical          5000 to 500000 USDT

Contract Vulnerability Definitions

  1. Critical Vulnerabilities:

    • Any governance voting result manipulation

    • Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield

    • Permanent freezing of funds

    • Miner-extractable value (MEV)

    • Protocol insolvency

  2. High-risk Vulnerabilities:

    • Theft of unclaimed yield

    • Theft of unclaimed royalties

    • Permanent freezing of unclaimed yield

    • Permanent freezing of unclaimed royalties

    • Temporary freezing of funds

  3. Medium-risk Vulnerabilities:

    • Smart contract unable to operate due to lack of token funds

    • Block stuffing for profit

    • Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)

    • Theft of gas

    • Unbounded gas consumption

  4. Low-risk Vulnerabilities:

    • Contract fails to deliver promised returns, but doesn't lose value

  5. Information Vulnerabilities:

    • Incorrect data supplied by third-party oracles (this does not exclude oracle manipulation/flash loan attacks)

    • Impacts requiring basic economic and governance attacks (e.g. 51% attack)

    • Lack of liquidity impacts

    • Impacts from Sybil attacks

    • Impacts involving centralization risks

    • Best practice recommendations

    • Sybil attacks

    • Vulnerabilities already reported and/or discovered in contracts built by third parties on MUFEX

    • Bugs in any third party contract or platform that interacts with MUFEX

Prohibited Activities

  • Engaging in social engineering and/or participating in phishing activities.

  • Disclosing specific information about vulnerabilities.

  • Vulnerability testing is limited to Proof of Concept (PoC) only, and destructive testing is strictly prohibited. If any unintended harm occurs during the testing process, it should be promptly reported. Additionally, any deletions, modifications, or other sensitive operations conducted during testing must be clearly stated in the report.

  • For large-scale scanning, please use scanning tools. If the business system or network becomes unavailable because of scanning activity, appropriate action will be taken in accordance with the relevant laws.

  • Vulnerability testing must avoid direct modification of web pages, persistent pop-up message boxes (XSS verification is recommended via DNSLog), cookie theft, and/or any invasive payloads that obtain user information (XSS blind testing should use DNSLog). If you accidentally use an invasive payload, please remove it immediately. Failure to do so may result in legal consequences.

Previous Audits

MUFEX has provided these completed audit review reports for reference. Any unfixed vulnerability mentioned in these reports is not eligible for a reward.

  • https://github.com/numencyber/AuditReport/blob/main/Mufex%20Penetration%20Test%20Report%20v0.2.pdf

  • https://metatrust.io/score/audit/mufex

  • https://github.com/Secure3Audit/Secure3Academy/tree/main/audit_reports/Mufex

Vulnerability submission channels:

  • security@mufex.finance

  • https://bugrap.io/bounties/MUFEX

  • https://github.com/Secure3Audit/Secure3Academy/blob/main/bug_bounty/Mufex.md

  • https://immunefi.com/bounty/mufex