BUG BOUNTY

Range

Rating

Critical Vulnerability

  • A critical vulnerability is one that occurs in a core business system (the core control system, field control, business distribution system, bastion host, and other control systems that can manage a large number of systems). It can cause a severe impact, grant control access to the business system (depending on the actual situation), grant core system administrator access, or even take control of the core system.
  • This includes but is not limited to gaining core backend super administrator access, leaking enterprise core data, and causing a severe impact.
  • Smart contract integer overflow and race condition vulnerabilities.
  • Direct theft of any user funds, whether at rest or in motion, other than unclaimed yield, through a smart contract.
  • Permanent freezing of funds through a smart contract.
  • Theft or freezing of unclaimed yield of any amount through a smart contract.
  • Direct theft of any user NFTs, whether at rest or in motion, other than unclaimed royalties, through a smart contract.
  • Permanent freezing of NFTs through a smart contract.
  • Unauthorized minting of NFTs through a smart contract.

High Vulnerability

  • Gaining system access (getshell, command execution, etc.).
  • System SQL injection (backend-only SQL injection is downgraded one level).
  • Gaining unauthorized access to sensitive information, including but not limited to direct access to the management backend by bypassing authentication, brute-forceable backend passwords, SSRF that obtains sensitive information from the internal network, etc.
  • Arbitrary file reading.
  • XXE vulnerabilities that can access any information.
  • Unauthorized operations involving money, or bypassing of payment logic (must be successfully exploited).
  • Severe logical design defects and process defects. This includes but is not limited to any-user login vulnerabilities, batch account password modification vulnerabilities, logic vulnerabilities involving enterprise core business, etc., except for verification code brute-forcing.
  • Other vulnerabilities that affect users on a large scale. This includes but is not limited to stored XSS on critical pages that can propagate automatically, and stored XSS that can obtain administrator authentication information and be successfully exploited.
  • Leakage of a large amount of source code.
  • Permission control defects in a smart contract.
  • Permanent freezing of unclaimed yield through a smart contract.
  • Permanent freezing of unclaimed royalties through a smart contract.
  • Temporary freezing of funds through a smart contract.
  • Temporary freezing of NFTs through a smart contract.

Mid Vulnerability

  • Vulnerabilities that affect users only through user interaction. This includes but is not limited to stored XSS on general pages, CSRF involving core business, etc.
  • General unauthorized operations. This includes but is not limited to modifying user data and performing user operations by bypassing restrictions.
  • Vulnerabilities caused by successfully brute-forcing a sensitive system operation (such as logging in to any account or obtaining its password) due to verification code logic defects.
  • Leakage of locally stored sensitive authentication key information that can be used effectively.
  • Inability to call the smart contract.
  • Smart contract unable to operate due to a lack of token funds.
  • Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol).
  • Theft of gas.
  • Unbounded gas consumption.

Low Vulnerability

  • Local denial-of-service vulnerabilities. This includes but is not limited to local client denial of service (file format parsing, crashes triggered by network protocols), problems caused by Android component permission exposure, general application access, etc.
  • General information leakage. This includes but is not limited to web path traversal, system path traversal, directory browsing, etc.
  • Reflected XSS (including DOM XSS/Flash XSS).
  • General CSRF.
  • URL redirect (open redirect) vulnerabilities.
  • SMS bombing, mail bombing (each system only accepts one report of this type of vulnerability).
  • Successful SSRF with no return value and no further exploitation.
  • A contract that fails to deliver promised returns but does not lose value.

Precautions

Vulnerabilities that are not accepted at the moment (even if such a vulnerability is submitted, it will be ignored). Remark: discovered vulnerabilities belonging to the following categories are temporarily excluded from the bounty scope, except for those that can cause serious business impact (this must be verified by the ArchLoot team).

  • It is forbidden to use web/port automatic scanners or to engage in other behavior that may generate a large volume of traffic requests. Network interruptions and abnormal service access caused by such behavior will be handled in accordance with relevant laws and regulations;
  • Avoid possible impacts on or restrictions of, including but not limited to, the availability of the business, products, architecture, etc.;
  • All vulnerability testing should use the tester's own accounts; do not obtain other users' accounts in any form for testing/intrusion operations;
  • It is forbidden to abuse DoS/DDoS vulnerabilities, social engineering attacks, spam, phishing attacks, etc.;
  • For combined exploitable vulnerabilities, we will only pay for the highest-level vulnerability. Without permission from ArchLoot, it is forbidden to disclose the details of any discovered vulnerability.