Welcome to Hakka Finance’s Bug Bounty Program. Every day, we develop new ways to ensure safety and security with the best product possible. We are calling on our community to help us find any bugs or vulnerabilities. This helps maintain and improve our wonderful ecosystem.
Submit a bug here and earn a reward of up to 16,000 USD worth of HAKKA. Please see our Bounty Table & Rules section for more details.
Please use this structured bounty table for general guidance. All final decisions are at the discretion of the Core Hakka Team. There are three different phases of Hakka Finance’s smart contracts: Production Phase / Staging Phase / Draft Phase.
Production phase refers to the operating smart contracts of Hakka Finance’s official products/platforms. The following table shows the bug bounty for the production phase:
Staging phase refers to the alpha version or pre-launch stage’s smart contracts. There will be some deductions for the bounty of bugs discovered in the staging phase.
Draft phase refers to fresh smart contracts that are just developed and saying hello to the world. Bugs reported in the draft phase will be considered as development contributions. There will be no official bounty for the bugs reported in this phase, but there might be some rewards for those with extraordinary contributions.
As long as the bounty program is announced, the total token reward quota is capped at 6,000,000 HAKKA.
An issue that might cause immediate loss of >10% of the funds or permanent impairment of the protocol state.
An issue that might cause immediate loss of <10% of the funds, or severely damage the protocol state.
An issue that might theoretically cause minimal loss of funds, damage the protocol state, or cause severe user dissatisfaction.
An issue that might cause user dissatisfaction or minimal failure.
The bug bounty will be applicable for the following repositories, sources, and sites:
Email [email protected] to report the bug you found, using the [Bug Report Form].
Please follow the form below and try to be as specific and clear as possible. We will be in touch as soon as possible after receiving the form. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
Alternatively, a second channel is open for reporting a bug directly to the lead developer, Ping Chen. Reporters may send a direct message to @artistic709 on Telegram. Reports sent through this channel should also follow the [Bug Report Form] to be regarded as valid bug reports.
Reproduction of the issue:
Core Hakka Team will make the best effort to meet the following SLAs for hackers participating in our program:
We’ll try to keep you informed about our progress throughout the process.
By providing a submission or agreeing to the program terms, you agree that you may not publicly disclose your findings or the contents of your submission to any third parties in any way without the Core Hakka Team’s prior written approval.
You may be eligible to receive a bounty reward if you are the first person to submit a product vulnerability.
If you want to add more information to a provided issue, create a new submission giving reference to the initial one.
Rewards will be decided on a case-by-case basis, and the bug bounty program, terms, and conditions are at the sole discretion of Hakka Finance.
Rewards will vary depending on the severity of the issue. Other variables considered for rewards include the quality of the issue description, the instructions for reproducibility, and the quality of the fix (if included).
Core Hakka Team retains the right to determine if the bug submitted to Hakka Bug Bounty Program is eligible.
Submissions need to be related to the Bounty Scope. Submissions out of the Bounty Scope won’t be eligible for a reward.
Any interference with the protocol, client, or platform services during the process, whether on purpose or not, will make the submission process invalid.
Hakka Finance Bug Bounty Program, including its policies, is subject to change or cancellation by Hakka Finance at any time, without notice. As such, Hakka Finance may amend these Program Terms and/or its policies at any time by posting a revised version on our Hakka Wiki. By continuing to participate in Hakka Finance Bug Bounty Program after we post any such changes, you accept the Program Terms, as modified.
Our bug bounty follows an approach similar to the Ethereum Bug Bounty. The severity of issues will be rated according to the OWASP risk rating model, based on Impact and Likelihood.
It is mandatory to read and follow the responsible disclosure policy available in the references. Submissions not following the disclosure policy will not be eligible for a reward.
While researching, we’d like to ask you to refrain from:
Denial of service
Social engineering (including phishing) of HAKKA staff or contractors
Any physical attempts against property or data centers of Hakka Finance