# 🛡️ The Verified Wallet Security Hackathon
## Introduction
The **Verified Network** invites white-hat hackers and security researchers to participate in an intensive **Bug Bounty Hackathon** focused on securing **The Verified Wallet** extension. With a prize pool of **$5,000**, this campaign is dedicated to identifying and responsibly disclosing critical vulnerabilities related to key management, transaction signing, and self-custody logic within our open-source codebase.
Our goal is to solidify The Verified Wallet as the most secure, user-centric wallet on the market. Your expertise is critical to achieving this.
**Assets in Scope:**
- **The Verified Wallet Extension Link:** [https://chromewebstore.google.com/detail/abkgckcpmnbipkfhkkchkdfkmccjdmkh?utm_source=item-share-cb](https://chromewebstore.google.com/detail/abkgckcpmnbipkfhkkchkdfkmccjdmkh?utm_source=item-share-cb)
- **Key Management and Recovery Logic**
- **Transaction Signing and Broadcasting Mechanisms**
## Timeline
- **Event Start Date: 10th December 2025**
- **End Date: 30th December 2025**
- **Hacker Registration:** 8th December 2025, 8:00am to 29th December 2025, 9:00pm
- **Submission Period: 10th to 30th December**
- **Judging & Validation:** 7 days after Submission
- **Winner Announcement:** 12th January 2026.
## Prizes
A total prize pool of **up to $5,000 USD** will be distributed in **USDC** or **ETH** to successful submissions, based on severity. Rewards are non-cumulative; only the first report of a valid vulnerability is eligible for a reward.
- **💥 Critical Severity (CVSS 9.0-10.0):**
  - **Impact:** Direct loss/theft of user funds or private keys; unauthorized minting; permanent asset freezing.
  - **Reward Range:** Up to **$2,500 USD**.
- **🚨 High Severity (CVSS 7.0-8.9):**
  - **Impact:** Unauthorized transaction signing (without user consent); major access control bypass; leakage of sensitive, non-key data.
  - **Reward Range:** Up to **$1,500 USD**.
- **⚠️ Medium Severity (CVSS 4.0-6.9):**
  - **Impact:** Non-critical XSS; minor logic flaws leading to loss of usability; unauthenticated information exposure.
  - **Reward Range:** Up to **$750 USD**.
- **🔍 Low Severity (CVSS 0.1-3.9):**
  - **Impact:** Best practices violations; minor security-related misconfigurations (if no direct exploit path is shown).
  - **Reward Range:** Up to **$250 USD**.
## Eligibility
- Any white-hat hacker, security researcher, or developer is welcome to participate.
- Participation is subject to local laws and regulations.
- Submissions must be original and not publicly disclosed prior to reporting.
- Projects may be submitted individually or as a team (up to 4 members recommended).
## Judging Criteria
Submissions will be judged exclusively on the following criteria:
1. **Exploit Impact and Severity (60%):** The real-world financial or security risk posed by the vulnerability. Submissions that demonstrate an exploit leading to the loss of private keys or funds will be prioritized.
2. **Quality of Proof of Concept (PoC) (30%):** The clarity and quality of the test case provided.
   - **Mandatory Requirement:** The PoC **MUST** include a working code example or test script demonstrating the vulnerability using the verified custody SDK [https://www.npmjs.com/package/@verified-network/verified-custody](https://www.npmjs.com/package/@verified-network/verified-custody) or a simple NodeJS/TypeScript script built around the SDK.
   - **Goal:** The PoC should be runnable by our team to immediately reproduce the flaw.
3. **Affected Component and Clarity (10%):** The bug is clearly documented with step-by-step instructions, and it targets a core component of the wallet's custody logic (key management, signing).
**Note:** General UX feedback, feature requests, or theoretical vulnerabilities will not be considered for a prize.
## Out-of-Scope (Please Do Not Test)
- Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks.
- Attacks requiring physical access to the victim's device.
- Automated scanner reports without manual validation and a working PoC.
- Issues related to third-party services not under the direct control of the Verified Network.
- Security suggestions or best practice recommendations not tied to an exploitable flaw.
## Contact Us
For technical questions and quick support during the Hackathon:
- **Discord:** [https://discord.gg/cJh5WDGjGV](https://discord.gg/cJh5WDGjGV)
- **Email:** [interest@verified.network](mailto:interest@verified.network)
- **DoraHacks Platform:** Use the **Ask Question** tab on this page.
## About Us
**Verified Network** is the organization behind **The Verified Wallet**, a self-custody solution designed for the next generation of Web3 users. Our mission is to build highly secure, innovative, and user-centric decentralized financial infrastructure. We sponsor this Bug Bounty Hackathon to collaborate with the global security community, rigorously fortifying our wallet's core logic and ensuring the highest standards of safety for all user assets.
**Next Step:** You will need to fill in the **Timeline**, [📝 Final Submission Form: Verified Wallet UX Test](https://docs.google.com/forms/d/e/1FAIpQLSev4d22L-2IuQaVs2SgtG7pBCvR4dJxqqj2ySTCdhAEqE12ng/viewform), and **Contact** details on the DoraHacks submission page.