Documentation Index
Fetch the complete documentation index at: https://docs.nex-t1.ai/llms.txt
Use this file to discover all available pages before exploring further.
Nexis Security Bug Bounty Program
The security of Nexis Appchain and its users is our highest priority. We partner with the security research community to identify and fix vulnerabilities before they can be exploited. The Nexis Bug Bounty Program rewards researchers who discover and responsibly disclose security issues.Program Status: Active and accepting submissions as of January 2025.
Total Rewards Paid: Program launching - be among the first researchers!
Reward Structure
Rewards are determined by severity using the OWASP Risk Rating Methodology, considering both Impact and Likelihood.Critical
250,000Direct theft of funds, protocol insolvency, permanent loss of user assets
High
100,000Theft of unclaimed yield, temporary freezing of funds, smart contract griefing
Medium
25,000Block stuffing, griefing DoS, unintended state changes
Low
5,000Contract fails to deliver promised functionality, minor UX issues
Informational Findings
Non-security issues such as gas optimizations, code quality improvements, and best practice suggestions are welcome but not eligible for rewards. We may offer swag or recognition for high-quality informational reports.In-Scope Assets
Smart Contracts (Highest Priority)
AI Agent Economics Contracts
AI Agent Economics Contracts
Mainnet Deployments (rewards 2x testnet)
-
Agents.sol - Core agent registry and staking
- Agent registration and ownership
- Multi-asset staking (ETH, ERC20)
- Unbonding and withdrawal queue
- Stake locking for tasks
- Slashing mechanisms
- Reputation system
- Proof-of-inference recording
- Delegation system
- Location:
0x[TBD](mainnet), testnet deployed
-
Tasks.sol - Task marketplace
- Task creation and escrow
- Task claiming with bonds
- Work submission and verification
- Dispute resolution
- Payment distribution
- Location:
0x[TBD](mainnet), testnet deployed
-
Treasury.sol - Multi-pool treasury
- Fund management (treasury, insurance, rewards)
- Slash and penalty handling
- Reward distribution
- Pool rebalancing
- Location:
0x[TBD](mainnet), testnet deployed
-
Subscriptions.sol - Recurring payments
- Epoch-based subscriptions
- Continuous payment streams
- Automatic processing
- Location:
0x[TBD](mainnet), testnet deployed
- Fund theft or loss scenarios
- Stake manipulation attacks
- Reputation gaming
- Reentrancy vulnerabilities
- Integer overflow/underflow
- Access control bypasses
- Upgrade mechanism exploits (UUPS)
OP Stack L2 Contracts
OP Stack L2 Contracts
Core Protocol Contracts
-
OptimismPortal2.sol - L1 entry point
- Deposit transactions
- Withdrawal proofs and finalization
- Pausing mechanism
- Location: Inherits from Optimism contracts
-
L2OutputOracle.sol - Output root proposals
- Output submission
- Output deletion
- Challenge period
- Location: Inherits from Optimism contracts
-
SystemConfig.sol - System parameters
- Gas limits and scalars
- Batch inbox configuration
- Sequencer address
- Location: Inherits from Optimism contracts
-
DisputeGameFactory.sol - Fault proofs
- Game creation
- Game resolution
- Bond management
- Location: Inherits from Optimism contracts
-
L1/L2 Bridges
- L1StandardBridge.sol
- L2StandardBridge.sol
- ERC20/ERC721 bridging
- Locations: Inherits from Optimism contracts
- Bridging vulnerabilities (double spend, replay)
- Fraud proof bypass
- Withdrawal finalization exploits
- Batch submission manipulation
- Sequencer centralization attacks
Fee & Token Contracts
Fee & Token Contracts
Economic Layer
-
GovernanceToken.sol (NZT Token)
- ERC20 implementation
- Minting controls (2% annual cap)
- Burning mechanism
- Voting (ERC20Votes)
- Location:
0x[TBD]
-
MintManager.sol - Inflation control
- Mint cap enforcement
- Time-lock mechanism
- Location:
0x[TBD]
-
Fee Vaults
- BaseFeeVault.sol
- L1FeeVault.sol
- SequencerFeeVault.sol
- Minimum withdrawal thresholds
- Locations:
0x[TBD]each
-
GasPriceOracle.sol - L1 data cost
- Fee calculation (Ecotone/Fjord formulas)
- Scalar configuration
- Location:
0x[TBD]
- Unauthorized minting
- Fee manipulation
- Vault draining
- Price oracle attacks
Infrastructure & Protocols
Rollup Node (op-node)
Rollup Node (op-node)
Consensus & Derivation LayerIn-Scope Components:
- Derivation pipeline (L1 to L2 block derivation)
- Batch decoding and validation
- Deposit transaction extraction
- Output root computation
- Unsafe/safe/finalized head tracking
- P2P block propagation
- Engine API interaction
- Invalid state transition acceptance
- Consensus split conditions
- Batch validation bypass
- Deposit censorship or reordering
- Output root manipulation
- Sequencer equivocation detection failures
Batch Submitter (op-batcher)
Batch Submitter (op-batcher)
L1 Data SubmissionIn-Scope Components:
- Batch encoding (SingularBatch, SpanBatch)
- Channel management
- Compression (zlib, brotli)
- Transaction building
- Blob submission (EIP-4844)
- Safe head tracking
- Data availability issues
- Batch reordering vulnerabilities
- Channel reconstruction exploits
- Gas estimation attacks
- Sequencer censorship
Output Proposer (op-proposer)
Output Proposer (op-proposer)
L2 Output ProposalsIn-Scope Components:
- Output root generation
- Submission timing
- L1 confirmation tracking
- Dispute game creation
- Invalid output acceptance
- Proposal reorg handling issues
- Dispute game bypass
- Bond theft
Challenger (op-challenger)
Challenger (op-challenger)
Fault Proof SystemIn-Scope Components:
- Dispute game monitoring
- Claim bisection logic
- Cannon/Asterisc trace providers
- Bond management
- Resolution logic
- Invalid claim acceptance
- Trace generation manipulation
- Bond theft or lock-up
- Challenge period bypass
Frontend & User-Facing Applications
Web Applications (Lower Priority)
Web Applications (Lower Priority)
In-Scope:
- Nexis Explorer
- Bridge UI
- Token faucet
- Documentation website
- XSS vulnerabilities
- CSRF attacks
- Authentication bypass
- Data leakage
- Phishing vulnerabilities
Out of Scope
The following are NOT eligible for bounty rewards:Known Issues (Not Eligible)
Issues identified in previous audits that are accepted risks:-
Centralization Risks
- Single sequencer operation (design decision)
- Admin upgrade controls (using Safe multisig)
- Proposer censorship (mitigated by challenge system)
-
OP Stack Inherited Limitations
- L1 reorg handling edge cases (documented in OP Stack specs)
- Sequencer liveness assumptions
- Batch submission MEV
Eligibility Requirements
To be eligible for a bounty, you must:- Researcher Requirements
- Disclosure Requirements
- Quality Standards
✅ Eligible
- Security researchers
- White-hat hackers
- Academic institutions
- Independent auditors
- Ethical hackers
- Current or former Nexis Labs employees/contractors (within 6 months)
- Immediate family members of Nexis team
- Minors (under 18) without parental consent
- Residents of OFAC-sanctioned countries
Submission Process
Step 1: Initial Report
Email security@nexis.network with:Step 2: Acknowledgment
We acknowledge all submissions within 24 hours (often much faster).Step 3: Validation
Our security team validates the report:- Confirms reproducibility
- Assesses severity
- Determines eligibility
- May request additional information
Step 4: Fix & Testing
If valid:- We develop and test a fix
- We may request your help testing
- Private disclosure to select auditors
Step 5: Reward Determination
Final bounty determined by:- Severity (Impact × Likelihood)
- Quality of report
- Cooperation during process
- Whether we learned something new
Step 6: Public Disclosure
After fix deployed:- 90-day disclosure window (negotiable)
- Joint disclosure or researcher solo (your choice)
- Credit in our security changelog
Step 7: Payment
- Paid in USDC to provided ETH address
- KYC required for rewards $10,000+ (Synaps or Sumsub)
- Tax forms required for US persons
- Payment within 14 days of disclosure
Proof of Concept Requirements
A strong PoC significantly increases your bounty. Include:PoC Best Practices
- Be Specific: Exact contract addresses, function names, parameter values
- Be Reproducible: Anyone should be able to run your PoC
- Be Safe: Don’t actually exploit mainnet or steal funds
- Be Clear: Comment your code explaining each step
- Show Impact: Demonstrate the concrete harm (e.g., “steals $X”)
Severity Classification
We use the following matrix to determine severity:Impact Levels
| Level | Description | Examples |
|---|---|---|
| Critical | Direct theft, permanent loss, protocol insolvency | Drain all staked funds, mint unlimited tokens, steal bridge deposits |
| High | Indirect theft, temporary loss, major disruption | Steal unclaimed rewards, freeze user funds temporarily, force invalid state |
| Medium | Griefing, minor loss, degraded UX | Block stuffing DoS, spam events, incorrect accounting (non-exploitable) |
| Low | Edge cases, minor issues | Contract doesn’t handle zero values, poor error messages |
Likelihood Levels
| Level | Criteria |
|---|---|
| High | Easily exploitable by any attacker with no special access |
| Medium | Requires specific conditions or timing |
| Low | Requires privileged access or highly unlikely conditions |
Severity Matrix
| Critical Impact | High Impact | Medium Impact | Low Impact | |
|---|---|---|---|---|
| High Likelihood | 🔴 Critical | 🟠 High | 🟡 Medium | 🔵 Low |
| Medium Likelihood | 🟠 High | 🟡 Medium | 🔵 Low | 🟢 Info |
| Low Likelihood | 🟡 Medium | 🔵 Low | 🟢 Info | 🟢 Info |
Payment Process
Reward Determination
Final bounty based on:- Comprehensive PoC: +0.3
- Suggested fix: +0.1
- Multiple attack vectors: +0.1
- Clear documentation: +0.1
- Creative discovery: +0.2
- Responsive to questions: +0.1
- Help testing fix: +0.1
- Delay disclosure as requested: +0.05
KYC & Compliance
Rewards $10,000+ require KYC:- Submit via Synaps or Sumsub (link provided)
- Government ID verification
- Proof of address
- Screening against sanctions lists
- W-9 form required
- 1099 issued for $600+ payments
- State-specific requirements may apply
- W-8BEN form for treaty benefits
- May require additional documentation
Payment Methods
Preferred: USDC on Ethereum mainnet Alternative:- USDC on other chains (Polygon, Arbitrum, Base)
- ETH or WETH
- Bank wire (for 50 fee)
- Privacy coins
- NFTs
- Equity or tokens
- Deferred payment structures
Hall of Fame
The Nexis Bug Bounty launched in January 2025. Be the first researcher in our Hall of Fame!
Top Contributors
| Rank | Researcher | Findings | Total Earned |
|---|---|---|---|
| 1 | Coming Soon | - | - |
| 2 | Coming Soon | - | - |
| 3 | Coming Soon | - | - |
Notable Discoveries
Hall of Fame entries will be featured here after disclosure period.Safe Harbor
We commit to:No Legal Action
No Legal Action
We will not pursue legal action against researchers who:
- Act in good faith
- Follow responsible disclosure
- Don’t access or harm user data
- Don’t exploit beyond PoC
- Don’t demand payment before disclosure
Coordinated Disclosure
Coordinated Disclosure
We will:
- Work with you on disclosure timeline
- Credit you publicly (unless you prefer anonymous)
- Not disclose your identity without permission
- Respect embargo periods
Fair Treatment
Fair Treatment
We will not:
- Modify bounty terms retroactively
- Claim your work as our own
- Share your report with third parties without permission (except necessary security contractors)
- Penalize you for reporting in good faith
FAQ
Can I report the same issue to multiple bug bounty platforms?
Can I report the same issue to multiple bug bounty platforms?
No. Choose one platform. If reporting via Immunefi or other platform, that platform’s rules apply. Direct reports to security@nexis.network use these terms.
What if I find something but I'm not sure it's exploitable?
What if I find something but I'm not sure it's exploitable?
Report it anyway! We’d rather receive false positives than miss a real issue. Worst case, we thank you and classify it as informational.
Can I test on mainnet?
Can I test on mainnet?
No. Use testnet or local forks. If you must test on mainnet for a reproducible PoC, contact us first.
How long do I need to wait before public disclosure?
How long do I need to wait before public disclosure?
90 days from our fix deployment, or earlier with mutual agreement. We respect your right to disclose but ask you coordinate with us.
What if you disagree with my severity assessment?
What if you disagree with my severity assessment?
We’ll provide detailed reasoning. If you disagree, we can seek neutral third-party arbitration (details in full program terms).
Can I submit anonymously?
Can I submit anonymously?
Yes, but you must provide an ETH address for payment and complete KYC for rewards $10,000+. We can keep your identity confidential in public disclosures.
What happens if two researchers submit the same bug?
What happens if two researchers submit the same bug?
First valid submission wins full bounty. Second submission may receive 10% courtesy payment if submitted within 24 hours.
Contact & Support
Report Vulnerability
security@nexis.networkPGP Key: Download
Program Questions
bugbounty@nexis.networkFor questions about eligibility, rewards, etc.
Encrypted Reporting
Keybase: nexislabsFor highly sensitive disclosures
Emergency Contact
Critical issues only: FormFor active exploits requiring immediate response