Instruction: For the sake of clarity, the scope covers both domains:
• activate.codefi.network (Frontend application)
• api.activate.codefi.network (Backend API)
The following restrictions will eventually apply, but they are not currently activated:
Participation in the token launch is not possible for the following excluded jurisdictions, where the auction and/or trading of respective tokens is prohibited, restricted or unauthorized in any form and/or Wyre is prohibited from transacting and servicing users:
Afghanistan
Angola
Belarus
Bosnia & Herzegovina
Central African Republic
People’s Republic of China
Congo (DRC)
Cote d’Ivoire (Ivory Coast)
Cuba
Ecuador
Eritrea
Ethiopia
Guinea-Bissau
Guyana
Haiti
Iran
Iraq
Kosovo
Laos
Lebanon
Liberia
Libya
Macedonia
Myanmar
Nigeria
North-Korea
Papua NG
Republic of Crimea
Serbia
Somalia
Sudan
Syria
Turkmenistan
Ukraine
Uzbekistan
Vanuatu
Venezuela
Yemen
Zimbabwe
As well as the following US states:
New York
Integrity requirements: high
Max severity: critical
Asset identifier: bridge.codefi.network
Asset type: URL
Availability requirement: low
Confidentiality requirement: low
Eligible for bounty: true
Eligible for submissions: true
Instruction: The following domains and sub-domains are in scope for this asset:
• bridge.codefi.network
• api.bridge-convert.codefi.network
The purpose of the application is to convert FIL (from Filecoin network) into renFIL (on Ethereum mainnet) via the Ren protocol.
Known issues:
• All api.* sub-domains like api.bridge-convert.codefi.network currently still display their Swagger documentation
Integrity requirements: medium
Max severity: high
Asset identifier: canary.activate.codefi.network
Asset type: URL
Availability requirement: medium
Confidentiality requirement: medium
Eligible for bounty: true
Eligible for submissions: true
Instruction: # For the sake of clarity, the scope covers both domains:
• canary.activate.codefi.network (Frontend application)
• canary-api.activate.codefi.network (Backend API)
# Test Scope:
1. Anything related to Airswap rewards claiming. Specifically, the ability for a hacker to claim more points than they should be able to.
The process for claiming Airswap rewards:
- Email jack.clancy@consensys.net with subject "HackerOne AST Tokens Needed", please include your EVM-compatible wallet address. AST will be sent over Rinkeby network.
- Vote on a governance proposal
- Wait for proposal to end
- Claim points on Ethereum Rinkeby or Avalanche Fuji testnet
2. Email notifications
3. Authentication flow: Wallet-based authentication
# Out of Scope (do not test):
- Anything under Filecoin tab (do not test anything Filecoin related)
- Anything under Skale tab (do not test anything Skale related)
- "Legacy" based email/password auth flow
# Details on how to test the API:
# Rewards claiming
## Generate claim
```
[POST] /api/v2/proposals/vote-rinkeby.airswap.eth/claim
{
"address": "0xB3D2ecEf92Dd0130DdD8EaC286528b7E70df4Ee4",
"chainId": 4
}
```
## Get claims
```
[GET] /api/v2/wallet/claims/{address}
```
# Wallet authentication
## Generate wallet secret
```
[POST] /api/v2/auth/wallet-secret
{
"address": "0xB3D2ecEf92Dd0130DdD8EaC286528b7E70df4Ee4"
}
```
## Authenticate wallet
```
[POST] /api/v2/auth/wallet
{
"address": "0xB3D2ecEf92Dd0130DdD8EaC286528b7E70df4Ee4",
"signature": "..."
}
```
## Current session
```
[GET] /api/v2/auth/wallet
```
## Add email to wallet (Requires wallet auth)
```
[POST] /api/v2/wallet/email
{
"email": "some@email.com"
}
```
# Email notifications
## Subscribe to space notifications (Requires wallet auth)
```
[PUT] /api/v2/governance/spaces/subscriptions
{
"subscriptions": [
{
"governanceSpaceId": "0dfcb198-a356-48b0-a878-efc3fabb5e1f",
"enabled": true
}
]
}
```
## Get subscriptions (Requires wallet auth)
```
[GET] /api/v2/governance/spaces/subscriptions
```
Integrity requirements: medium
Max severity: critical
Asset identifier: consensys.net
Asset type: URL
Availability requirement: medium
Confidentiality requirement: low
Eligible for bounty: true
Eligible for submissions: true
Instruction: Any vulnerability affecting the main consensys.net domain, including DNS records, the email system, or other vulnerabilities.
Subdomains are not within scope at this time, as a number of domains redirect to 3rd party solutions not managed by ConsenSys.
Integrity requirements: low
Max severity: high
Asset identifier: http://portfolio.metamask.io
Asset type: URL
Availability requirement: medium
Confidentiality requirement: medium
Eligible for bounty: true
Eligible for submissions: true
Instruction: The Portfolio dApp allows Metamask users to see an aggregated view across multiple different Metamask accounts. It also allows users to access popular on-chain primitives like Swaps, Bridging, Staking, and more.
Instruction: # On-Ramp Aggregator HackerOne
## Description
The goal of the On-Ramp Aggregator is to allow users to purchase cryptocurrencies from multiple providers. The aggregator takes a list of parameters (country, payment method, crypto currency, fiat, etc.) and retrieves quotations from the providers.
## Scope
The scope of this HackerOne project is:
- The API located at https://on-ramp.metaswap-dev.codefi.network
- The associated SDK available at https://www.npmjs.com/package/@consensys/on-ramp-sdk
Vulnerabilities you may look for:
- Getting access to personal information that is not yours
- Getting access to secret API keys
- Server crashes
## Out of scope
The following are out of scope:
- SDK technical errors
- The Swagger UI located at https://on-ramp.metaswap-dev.codefi.network/docs (it is only available for your convenience on this test environment)
- Server performance: this is a test infrastructure
- Any SDK version < 0.0.21
The MetaMask mobile version uses the API and the SDK, and is associated to another HackerOne project.
## How to test the API
The test environment provides a Swagger UI: https://on-ramp.metaswap-dev.codefi.network/docs. You can use it to list the available endpoints.
### Health
These endpoints provide information about the status of the API: version, dependencies...
### Regions
The `/regions/countries` endpoint provides information about support of most of the world countries.
The `/regions/{regionCode}` endpoint provides information about the supported payment methods, fiat currencies and crypto currencies in a specific country. Examples of `{regionCode}` are provided by the Swagger UI.
### Translations
The `/translations/default` endpoint provides the translation template which can be used to translate the application. Only the English version ("default") is available. This endpoint shouldn't return any user-related information.
### Order Management
The `/providers/{providerCode}/callback` endpoint allows a client to extract a purchase order ID from a URL. This URL is supposed to be provided by the crypto currency providers: Transak, Wyre, MoonPay...
The `/providers/{providerCode}/orders/{orderCode}` allows a user to retrieve information about their order. They need to provide the Order ID and the associated wallet (an ethereum address). Getting access to an order without both these parameters would be a vulnerability.
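The ownership rule stated above (an order is readable only with both the order ID and the wallet it belongs to), written out as an added example; this is not ConsenSys code and the order store, record shape and the second wallet address are constructed here (the first wallet address is the one from the buy-widget example parameters below):

```python
import hmac

# Constructed sample store: (providerCode, orderCode) -> order record.
# The record shape is hypothetical; only the "wallet" binding matters here.
ORDERS = {
    ("moonpay", "ord_123"): {
        "wallet": "0x58e5A5478bd302c2E8BEbCbF0342919EE4Aa0e6c",
        "amount": "50", "fiat": "eur", "crypto": "eth", "status": "completed",
    },
    ("transak", "ord_456"): {
        "wallet": "0x1111111111111111111111111111111111111111",  # constructed
        "amount": "20", "fiat": "usd", "crypto": "eth", "status": "pending",
    },
}


def normalize_address(addr):
    """Return a lower-cased 0x-prefixed 20-byte hex address, or None if malformed.

    Callers may send mixed-case (EIP-55) or all-lower-case forms of the same
    address; comparing unnormalised strings would wrongly reject the owner.
    """
    if not isinstance(addr, str) or len(addr) != 42 or not addr.startswith("0x"):
        return None
    try:
        int(addr[2:], 16)
    except ValueError:
        return None
    return addr.lower()


def get_order(provider_code, order_code, wallet_address):
    """Look up an order; succeed only when order ID and wallet both match.

    Returns the order record without the wallet field, or None. There is a
    single failure outcome on purpose: the caller cannot tell "no such order"
    from "wrong wallet", so the endpoint is not an oracle for guessing order IDs.
    """
    wallet = normalize_address(wallet_address)
    record = ORDERS.get((provider_code, order_code))
    if wallet is None or record is None:
        return None
    if not hmac.compare_digest(record["wallet"].lower(), wallet):
        return None
    return {k: v for k, v in record.items() if k != "wallet"}
```

Both a wrong wallet and an unknown order code yield the same `None`; a test that distinguishes the two responses (status code, timing, error text) is exactly the kind of finding the scope text calls a vulnerability.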
The `/providers/{providerCode}/buy-widget` endpoint displays the associated provider widget, which allows purchasing crypto currency with the provided parameters. It only works for Moonpay. Here is an example of parameters:
- providerCode: `moonpay`
- regionId: `/regions/fr`
- paymentMethodId: `/payments/debit-credit-card`
- cryptoCurrencyId: `/currencies/crypto/1/eth`
- fiatCurrencyId: `/currencies/fiat/eur`
- amount: `50`
- walletAddress: `0x58e5A5478bd302c2E8BEbCbF0342919EE4Aa0e6c`
- redirectUrl: `https://www.google.com/`
## How to test the SDK
The SDK is available here: https://www.npmjs.com/package/@consensys/on-ramp-sdk
The SDK is written in TypeScript, so you can use autocompletion to display the available methods.
## For support
Please contact Kevin Le Jeune for technical questions: kevin.le-jeune@consensys.net
Integrity requirements: high
Max severity: critical
Asset identifier: staking.codefi.network
Asset type: URL
Availability requirement: medium
Confidentiality requirement: high
Eligible for bounty: true
Eligible for submissions: true
Instruction: The scope is restricted to the following sub-domains:
• api.staking.codefi.network (backend API)
• app.staking.codefi.network (frontend)
Instruction: In scope: all endpoints in the Swagger docs below (the docs endpoint itself is out of scope and is only linked to explain the overall functionality).
https://webhooks-api-experimental.codefi.network/docs/
```
webhooks-api-experimental.codefi.network
websockets-api-experimental.codefi.network
```
| Pre-requisite | Details |
| ------ | ------ |
| npm package: Axios | Use `npm i axios@1.1.3` to avoid known issues in [latest version](https://github.com/axios/axios/issues/5326) |
Here is a gist with JavaScript that makes a request to the webhook API, which creates a message that is then received from the websocket API.
https://gist.github.com/shane-t/c276c6eff0f5297b0a8befc008ca8e13
## Objective
Ensure that only users holding a token whose `sub` claim matches the `userId` field of a webhook can receive the corresponding websocket message.
## Details:
In the gist, you can see that the webhook payload is sent to the webhook API, while at the same time we open a websocket connection to the websocket API.
The websocket API authenticates the request with a token called `customerProof` - this contains a claim `sub`.
The webhook payload has a field called `metadata.userId`
What we want to ensure is that there is no way of receiving a websocket message either:
- without having the customer proof token, or
- that was intended for another user.
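An added example, written by the editor and not taken from the gist or from ConsenSys code, modelling the rule the objective states: a websocket connection is subscribed only after its `customerProof` verifies, and a webhook payload is fanned out only to connections whose `sub` equals `metadata.userId`. The page does not say what format `customerProof` has; this model assumes an HS256 JWT, and the signing key, token lifetime, connection ids and payloads are all constructed here.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical signing key for the demo; a deployment would load it from a secret store.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_customer_proof(sub, ttl=300, now=None):
    """Mint a short-lived HS256 token carrying the user id in the `sub` claim (assumed format)."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub, "exp": now + ttl}).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_customer_proof(token, now=None):
    """Return the `sub` claim, or None when the token is missing, malformed, forged or expired."""
    if not isinstance(token, str) or token.count(".") != 2:
        return None
    header, payload, sig = token.split(".")
    try:
        hdr = json.loads(_b64url_decode(header))
        if not isinstance(hdr, dict) or hdr.get("alg") != "HS256":
            return None  # pin the algorithm: never honour alg=none or a client-chosen alg
        expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, TypeError):
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("sub"), str):
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims["sub"]


class WebsocketHub:
    """Minimal stand-in for the websocket API's subscription and fan-out logic."""

    def __init__(self):
        self.connections = {}  # connection id -> authenticated sub
        self.delivered = {}    # connection id -> payloads it received

    def connect(self, conn_id, customer_proof, now=None):
        """Accept a connection only once its customerProof verifies; identity comes from the token."""
        sub = verify_customer_proof(customer_proof, now)
        if sub is None:
            return False  # unauthenticated sockets are closed and never subscribed
        self.connections[conn_id] = sub
        self.delivered[conn_id] = []
        return True

    def on_webhook(self, payload):
        """Route a webhook payload to connections whose sub equals metadata.userId; return the count."""
        metadata = payload.get("metadata")
        user_id = metadata.get("userId") if isinstance(metadata, dict) else None
        if not isinstance(user_id, str):
            return 0  # a payload with no owner goes to nobody, never to everybody
        count = 0
        for conn_id, sub in self.connections.items():
            if sub == user_id:
                self.delivered[conn_id].append(payload)
                count += 1
        return count
```

The two properties in the objective map onto two checks: `connect` refuses anything that does not carry a valid `customerProof`, and `on_webhook` never uses a client-supplied id (only the `sub` bound at connect time) to decide who receives a message, so a payload for one user cannot reach another user's socket.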