Hodl Bug Bounty

Project Summary

HODL is a community-driven DeFi project built on the Binance Smart Chain (BSC). HODL is revolutionary and constantly innovating to drive more rewards and value to all holders. It was the first project to reward its holders with BNB and reflections just for holding and has set the record for the biggest payout of all time.

At the heart of HODL is a highly-innovative smart contract that captures tax revenues from buys, sells, and transfers of the token. Our sell bot liquifies these tokens converting them into BNB and then places the funds into the reward pool. By holding HODL you can collect your share of the reward pool every 7-days and will be sent reflections throughout.


Focus Area

In-Scope Vulnerabilities

  • Business logic issues that can cause a loss of liquidity and/or user funds/assets
  • Vulnerabilities related to the Smart Contract which allows access to and the transfer of liquidity and/or user funds/assets
  • Payment’s manipulation
  • Remote code execution (RCE)
  • Leakage of sensitive information
  • OWASP Top issues such as XSS, CSRF, SQLi, SSRF, IDOR, etc.
  • Other vulnerabilities with a clear potential to harm the project, steal funds, or loss in general

Out of Scope

  • Theoretical vulnerabilities without actual proof of exploitation (proof of concept)
  • Clickjacking/UI redressing with minimal security impact
  • Invalid or missing SPF (Sender Policy Framework) records (incomplete or missing SPF/DKIM/DMARC)
  • Vulnerabilities in third-party applications & services
  • Social engineering, phishing, physical, or other fraud activities
  • Any activity (like DoS/DDoS) that disrupts our services
  • Email or mobile number enumeration
  • Information disclosure with minimal security impact (E.g., stack traces, path disclosure, directory listings, logs)
  • Internally known issues, duplicate issues, or issues that have already been made public
  • Best practices concerns
  • Tab-nabbing
  • Phishing attack
  • Self-XSS that cannot be used to exploit other users
  • Content spoofing
  • Use of known vulnerable libraries without actual proof of concept
  • Exposure of internal IP addresses or domains
  • Vulnerabilities affecting users of outdated browsers or platforms
  • Missing security headers that do not lead to direct exploitation
  • Host header issues without proof-of-concept demonstrating the vulnerability
  • CSRF with negligible security impact (E.g., adding to favorites, adding to cart, subscribing to a non-critical feature)
  • Issues that have no security impact (E.g., Failure to load a web page)
  • Assets that do not belong to HODL or HODLX
  • Reports from automated tools or scans
  • Links to invalid/expired pages (Only valid if you can demonstrate an actual takeover)
  • Recently (less than 30 days) disclosed 0-day vulnerabilities (Reports allowed but no bounty gets paid)

Program Rules

  • Avoid using web application scanners for automatic vulnerability searching which generates massive traffic
  • Make every effort not to damage or restrict the availability of products, services, or infrastructure
  • Don’t access or modify other user data, localize all tests to your accounts
  • Perform testing only within the scope
  • Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam
  • Don’t spam forms or account creation flows using automated scanners
  • In case you find chain vulnerabilities we’ll pay only for vulnerabilities with the highest severity.
  • Don’t break any law and stay within the defined scope
  • Any details of found vulnerabilities must not be communicated to anyone who is not an authorized employee of this Company without appropriate permission

Severity and Payment

  • Critical: $750 of either $HODL, $HODLX or HODL Hand NFTs
  • High: $500 of either $HODL, $HODLX or HODL Hand NFTs
  • Medium: $250 of either $HODL, $HODLX or HODL Hand NFTs
  • Low: $75 of either $HODL, $HODLX or HODL Hand NFTs
  • Information: No payment

Report Evaluation

To be deemed valid, a report must demonstrate a software vulnerability in a service provided by HODL that harms HODL or its customers. Reports that include a clear Proof of Concept or specific step-by-step instructions to replicate the vulnerability are considerably more effective at communicating a researcher’s findings and are therefore far more likely to be deemed valid.

A report must be valid, in scope report to qualify for a bounty. HODL awards bounties based on the severity of the vulnerability. We determine severity based on severity.

From reporting a finding to getting a response from HODL it will take up to seven working days. If the finding is classified and accepted the payout will happen within 24 hours.

To report a finding, please use this Google form:  https://forms.gle/2a1FTM81Z3LVRTTMA

Join the conversation. Follow the latest news. Have fun in the community.

Chatting with HODL
    Hi, please help me