BlockchainSpace Bug Bounty Program with ImmuneFi

BlockchainSpace, through its bug bounty program with ImmuneFi, is seeking participants to assess their smart contracts for vulnerabilities.

Program Overview

BlockchainSpace enables play-to-earn guilds to scale in the metaverse. We build tools to empower gaming communities and run academies to identify economic opportunities in the play-to-earn ecosystem.

For more information about BlockchainSpace, please visit

This bug bounty program is for their smart contracts and is focused on preventing:

  • Thefts and freezing of principal of any amount
  • Thefts and freezing of unclaimed yield of any amount
  • Theft of governance funds
  • Governance activity disruption

Rewards by threat level

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from the consequence of exploitation to privilege required to the likelihood of a successful exploit.

Smart Contracts and Blockchain

Critical USD 50 000
High USD 30 000
Medium USD 20 000
Low USD 10 000

All Low, Medium, High, and Critical Smart Contract bug reports require a PoC and a suggestion for a fix to be eligible for a reward.

Payouts are handled by the BlockchainSpace team directly and are denominated in USD. However, payouts are done in ETH.

Assets in Scope

Target Type

Smart Contract — Core

Smart Contract — Guild Token

In the Github link in the Assets in Scope table, only Exact Match Verified smart contracts are considered as in-scope of the bug bounty program.

Impacts in Scope

Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in the scope table.

Smart Contracts/Blockchain

Loss of user funds staked (principal) by freezing or theft
Loss of governance funds
Theft of unclaimed yield
Freezing of unclaimed yield
Unable to call smart contract
Smart contract gas drainage
Smart contract fails to deliver promised returns
Vote manipulation
Incorrect polling actions

Prioritized vulnerabilities

We are especially interested in receiving and rewarding vulnerabilities of the following types:

Smart Contracts and Blockchain
Logic errors
including user authentication errors
Solidity/EVM details not considered
including integer over-/under-flow
including rounding errors
including unhandled exceptions
Trusting trust/dependency vulnerabilities
including composability vulnerabilities
Oracle failure/manipulation
Novel governance attacks
Economic/financial attacks
including flash loan attacks
Congestion and scalability
including running out of gas
including block stuffing
including susceptibility to frontrunning
Consensus failures
Cryptography problems
Signature malleability
Susceptibility to replay attacks
Weak randomness
Weak encryption
Susceptibility to block timestamp manipulation
Missing access controls / unprotected internal or debugging interfaces

Out of Scope & Rules

The following vulnerabilities are excluded from the rewards for this bug bounty program:

Attacks that the reporter has already exploited themselves, leading to damage
Attacks requiring access to leaked keys/credentials
Attacks requiring access to privileged addresses (governance, strategist)
Smart Contracts and Blockchain
Incorrect data supplied by third party oracles
Not to exclude oracle manipulation/flash loan attacks
Basic economic governance attacks (e.g. 51% attack)
Lack of liquidity
Best practice critiques
Sybil attacks
Centralization risks

The following activities are prohibited by this bug bounty program:

Any testing with mainnet or public testnet contracts; all testing should be done on private testnets.
Any testing with pricing oracles or third party smart contracts.
Attempting phishing or other social engineering attacks against our employees and/or customers.
Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
Any denial of service attacks.
Automated testing of services that generates significant amounts of traffic.
Public disclosure of an unpatched vulnerability in an embargoed bounty.




BlockchainSpace enables PlayToEarn Guilds to scale in the Metaverse

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Being DeFi-ant in the face of regulation.

MMA X Naavik Partnership

Blockchains, betas, and GDPR

How ArtChain Global will Prevent Art Fraud

Cactus Art NFT Collection

IoTeX Presents Pantheon Consortium Blockchain at IIC Q2 Meeting

Osmosis Zone Update Blog 2022/02/21

Zero-Knowledge taxation on Ethereum

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


BlockchainSpace enables PlayToEarn Guilds to scale in the Metaverse

More from Medium

Crypto Fantasy Sports, Dice Games + Rev Sharing

Sick Ape Society is a new NFT project with P2E Game, Staking and Breeding utilities.

RaceFi Successfully Passes the Audit by Armors Labs

NFT Arena Integrates Chainlink VRF To Help Power NFT Upgrade System​​