Bug Bounty
We recognise the importance and value of security researchers' efforts to keep our community safe. We encourage responsible disclosure of security vulnerabilities via our bug bounty program.
Policy
Do not share reports on any blog or social network unless approved by Fishing Frenzy
While researching, refrain from:
Doing automated testing, denial of service
Spamming, spoofing, phishing
Social engineering of staff or contractors
Any physical attempts
Performing further attacks once you have proof of an attack
Bulk downloading / extracting exposed data beyond the need for proof of concept
Rewards
Critical (P1)
Direct, high-impact vulnerabilities that allow attackers to cause large-scale financial loss to the company or players, extract or duplicate assets, manipulate game economy, or completely break core gameplay systems.
Examples:
Minting unlimited NFTs without paying
Unauthorized transfer of smart contract funds
$1000 - $10000+**
High (P2)
Significant vulnerabilities that impact game economy, player trust, or company revenue, but require specific conditions to execute, or cause losses at smaller scale compared to P1.
Manipulating leaderboard rewards
Buying or obtaining premium items for free
Duplication of assets requiring moderate effort
$200 - $1000
Medium (P3)
Vulnerabilities that cause minor or limited financial impact, or affect fairness and trust but do not lead to direct major monetary loss.
Examples:
Claiming duplicate rewards
Minor inconsistencies in reward calculations
Bugs allowing for faster than intended level-up
$50 - $200
Low (P4)
Very low-impact issues that are primarily cosmetic, informational, or theoretical.
Examples:
Typographical errors
Visual errors
$0
** Bounty will vary widely based on severity and impact
Reporting
If you have identified a security vulnerability, please provide the following:
Your contact details (name, email)
Full proof of concept (step by step to reproduce) and impact
Any files uploaded to Google Drive that can help reproduce the flaw (screenshots, images, source code, scripts)
Eligibility
The vulnerability has a working proof of concept that shows how it can be exploited
First user to bring the issue to our attention, before we are aware of it
Do not abuse the issue
Certain types of issues will be ineligible and out of scope, such as:
Internally known issues, duplicate issues, or issues which have already been made public
Theoretical vulnerabilities without proof of concept
Incorrect data supplied by third party oracles
Sybil attacks or fake user generation
Assets in Scope
Smart contracts:
Web/App:
https://fishingfrenzy.co