Decentralized Security, Community-Powered Recon

Bounty Overview Rewards by Severity Assets in Scope In-scope Vulnerabilities Out-of-scope Vulnerabilities Program Rules FAQs

Atlas Wallet

NFT

Wallet

Payment

Max Payout

$5,000

Project Overview

Atlas Wallet is a user-friendly, ultra-secure crypto wallet designed for both everyday users and advanced traders. Supporting multiple blockchains—including Ethereum, Binance Smart Chain, Bitcoin, Solana, Cardano, Polygon, Cronos, and Avalanche C-Chain—Atlas enables seamless management of digital assets across ecosystems. With a robust suite of essential and advanced features, Atlas offers a comprehensive solution for secure and efficient Web3 interaction.

Rewards by Severity

Program Overview Atlas Wallet operates a security-focused bug bounty program to ensure the protection of its digital asset management infrastructure. The program invites security researchers and ethical hackers to uncover vulnerabilities that could affect smart contract logic, user fund security, or wallet functionality, supporting a safer Web3 experience for all users.

Reward Structure The program uses a 4-tier severity classification, with rewards varying based on the criticality of the vulnerability and the affected system layer. For critical smart contract vulnerabilities, rewards are capped at 10% of the potential economic damage, taking into account the value of funds affected and broader considerations such as PR and brand risk, at the discretion of the Atlas Wallet team. High-severity smart contract vulnerabilities may be rewarded up to 100% of the affected funds. All risk calculations are based on conditions at the time of the report submission.

Submission Requirements To qualify for a reward, all reports must include a working proof of concept (PoC) and clear steps to reproduce the vulnerability. Reports that do not include code or fail to demonstrate measurable impact on an in-scope asset will not be considered.

Payouts All rewards are denominated in USD and paid in BEP-20 USDT. Payouts are processed directly by the Atlas Wallet team after successful validation of the report and KYC completion.

Web Application

The bounty will be paid out in BEP-20 USDT

Assets In-Scope

Target

Severity

Name

Will be provided after KYC and validation of intent.

Private key of the users

Any vulnerability that could allow someone to fetch the private key of users without accessing the physical devices.

In-Scope Vulnerabilities

Only the following impacts are accepted within this bug bounty program. All other impacts are not considered in-scope, even if they affect something in the assets in scope table.

Web Application

Critical

Any defect; glitch; or vulnerability that could positively lead to mass leakage of private user keys without direct physical access to any user's device

Major

Any defect; glitch; or vulnerability that could lead to the loss of user's funds due to theft; without direct physical access to any user's device

Medium

Anything that might allow for a user to lose funds; that isn't directly related to something set by the user in a transaction; and is completely out of the user's control

Low

Any glitch or defect in setting up or maintaining security for a user inside the wallet

Out-Of-Scope Vulnerabilities

The following vulnerabilities are excluded from the rewards for this bug bounty program:

Vulnerabilities that have already been exploited
Centralization-related vulnerabilities related to: private keys, privileged addresses, governance, credentials, etc.

Web Application

Any defect; glitch; or vulnerability that has previously been reported or already been exploited

Any issues discovered that are related to or caused by 3rd-party browser glitches; or outdated client software

Non-sensitive or server-related data disclosures

Anything that isn't found in; or directly related to the Atlas Wallet or Extension codebase; should be considered out-of-scope

Program Rules

To be eligible for reward, you must provide a detailed report that includes fully reproducible steps. If duplicate reports are submitted, we will only reward the first submission that meets all the defined criteria. If multiple vulnerabilities are reported that stem from the same root cause or issue, only one bounty will be awarded.

The following activities are prohibited by this bug bounty program:

Automated testing of our services, APIs, or systems that generate substantial traffic. -- Brute-force attacks or denial-of-service attacks. Public disclosure of discovered vunerabilities, glitches, or defects (before or after patches have been applied).

FAQs

How do I search for active bounties?

A: Active bounties can be viewed here [CertiK URL], and by filtering for bounties on the Security Leaderboard. Projects will post bounties along with the assets in the scope of the bounties with a corresponding bounty reward.

How do I submit a bounty?

To submit a bug report, first register an account with us https://www.certik.com/auth/signup. Once your account is created, you can log in and select “Submit Bug” for the specific bounties you're interested in. You will be prompted to fill out a webform; follow the instructions and upon successful submission, you will receive an email confirmation with a reference ID.

Who do I contact if I'm having trouble with my bug report submission?

You can reach out to bugbounty@certik.com for updates and assistance with your bug bounty submission.

I submitted my bug report. What now?

Once your bug report is submitted, CertiK will evaluate the report and contact the respective project. Depending on the criteria stated within a bug bounty, a KYC may be required. With valid bug reports, you will be contacted to begin the process of evaluating the bug with the project.

How is KYC handled?

CertiK has a team of investigative professionals that will handle any needed KYC services for bug bounty submissions requiring KYC.

Why was my bug report submission rejected?

A description of dismissal will be available for any bug bounty that is rejected.

The project is being slow responding to my bug report. What are their required response times / SLAs?

There can be multiple bug bounty submissions therefore there might be some delay in process times.

How do payouts work?

Payments for successful bug bounties will be communicated directly via the project wherein wallet information can be exchanged.

Bounty Highlights

Assets in Scope1

Live SinceJun 14, 2024

Last Updated2mo 20d ago

Funds Reserved$20,000

Max Payout$5,000

Skynet Score

87.94

KYC

Required

PoC

Required

View on Skynet