Magic Eden HackerOne


Target Policy
https://hackerone.com/magic-eden?type=team
Structured Scope
  • Asset Identifier
    Asset Type
    Max Severity
  • slingshot.finance
    URL
    high
  • Magic Eden ETH Marketplace (NEW)
    OTHER
    critical
  • slingshot.app
    URL
    critical
  • polygon.magiceden.io
    URL
    critical
  • com.magiceden.wallet

    Android, iOS, and Chrome Extension versions of the wallet share a common codebase. Submissions will be deduplicated across each asset.

    GOOGLE_PLAY_APP_ID
    critical
  • coralcube.io
    URL
    critical
  • *.coralcube.io
    OTHER
    critical
  • io.magiceden.android

    https://play.google.com/store/apps/details?id=io.magiceden.android&hl=en_US&gl=US

    GOOGLE_PLAY_APP_ID
    medium
  • 1602924580

    https://apps.apple.com/us/app/magic-eden-nft-marketplace/id1602924580

    APPLE_STORE_APP_ID
    medium
  • Magic Eden Open Source - Smart Contracts

    **In scope assets:**
    * The most current tagged release of our production smart contracts is bounty eligible:
    * https://github.com/magiceden-oss/erc721m/releases/latest
    * Smart contracts (*.sol) are located within the [erc721m/contracts](https://github.com/magiceden-oss/erc721m/tree/main/contracts) directory

    **Explicitly:** This covers vulnerabilities that are purely executed on chain against the in scope contracts (mainnet only).

    **Exclusions:**
    * Phishing or any user interaction style of attacks
    * Any attack that requires a user to interact with a contract from an attacker-controlled website
    * Dependency issues with supporting tooling. This bounty scope focuses on the smart contracts.
    * Contracts in active development or collaboration and not yet deployed to production or mainnet are exempt (In scope assets are those included under the most recent release)
    * Chain-specific vulnerabilities are excluded, e.g. EVM or Solana runtime issues.
    * Mocks or assets under "mocks/"

    SOURCE_CODE
    critical
  • Magic Eden Open Source - Open Creator Protocol

    **In scope assets:**
    * The most current tagged release of our production smart contracts is bounty eligible:
    * https://github.com/magiceden-oss/open_creator_protocol/releases/latest
    * Eligible assets located within [programs/open_creator_protocol](https://github.com/magiceden-oss/open_creator_protocol/tree/main/programs/open_creator_protocol)

    **Explicitly:** This covers vulnerabilities that are purely executed on chain against the in scope contracts (mainnet only).

    **Exclusions:**
    * Phishing or any user interaction style of attacks
    * Any attack that requires a user to interact with a contract from an attacker-controlled website
    * Dependency issues with supporting tooling. This bounty scope focuses on the smart contracts.
    * Contracts in active development or collaboration and not yet deployed to production or mainnet are exempt (In scope assets are those included under the most recent release)
    * Chain-specific vulnerabilities are excluded, e.g. EVM or Solana runtime issues.
    * Mocks or assets under "mocks/"

    SOURCE_CODE
    critical
  • CoralCube Open Source - MMM

    MMM is an open source and secure AMM protocol on Solana. It enables the multi-pool (buy-side, sell-side, two-side) feature, and the extendable allowlist of the pool assets.

    **In scope assets:**
    * The most current tagged release of our production protocol is bounty eligible:
    * https://github.com/coralcube-oss/mmm/releases/latest

    **Explicitly:** This covers vulnerabilities for programs under (programs/mmm)

    **Exclusions:**
    * Phishing or any user interaction style of attacks
    * Any attack that requires a user to interact with a contract from an attacker-controlled website
    * Dependency issues with supporting tooling. This bounty scope focuses on the smart contracts.
    * Versions in active development or collaboration and not yet deployed to production or released are exempt (In scope assets are those included under the most recent release)
    * Chain-specific vulnerabilities are excluded, e.g. EVM or Solana runtime issues.
    * Mocks or assets under "mocks/"

    SOURCE_CODE
    critical
  • https://github.com/magiceden-oss/open_creator_protocol/releases/latest

    **In scope assets:**
    * The most current tagged release of our production smart contracts is bounty eligible:
    * https://github.com/magiceden-oss/open_creator_protocol/releases/latest
    * Eligible assets located within [programs/open_creator_protocol](https://github.com/magiceden-oss/open_creator_protocol/tree/main/programs/open_creator_protocol)

    **Explicitly:** This covers vulnerabilities that are purely executed on chain against the in scope contracts (mainnet only).

    **Exclusions:**
    * Phishing or any user interaction style of attacks
    * Any attack that requires a user to interact with a contract from an attacker-controlled website
    * Dependency issues with supporting tooling. This bounty scope focuses on the smart contracts.
    * Contracts in active development or collaboration and not yet deployed to production or mainnet are exempt (In scope assets are those included under the most recent release)
    * Chain-specific vulnerabilities are excluded, e.g. EVM or Solana runtime issues.
    * Mocks or assets under "mocks/"

    SMART_CONTRACT
    critical
  • com.magiceden.wallet

    Android, iOS, and Chrome Extension versions of the wallet share a common codebase. Submissions will be deduplicated across each asset.

    APPLE_STORE_APP_ID
    critical
  • *.magiceden.workers.dev
    OTHER
    critical
  • https://github.com/coralcube-oss/mmm/releases/latest

    MMM is an open source and secure AMM protocol on Solana. It enables the multi-pool (buy-side, sell-side, two-side) feature, and the extendable allowlist of the pool assets.

    **In scope assets:**
    * The most current tagged release of our production protocol is bounty eligible:
    * https://github.com/coralcube-oss/mmm/releases/latest

    **Explicitly:** This covers vulnerabilities for programs under (programs/mmm)

    **Exclusions:**
    * Phishing or any user interaction style of attacks
    * Any attack that requires a user to interact with a contract from an attacker-controlled website
    * Dependency issues with supporting tooling. This bounty scope focuses on the smart contracts.
    * Versions in active development or collaboration and not yet deployed to production or released are exempt (In scope assets are those included under the most recent release)
    * Chain-specific vulnerabilities are excluded, e.g. EVM or Solana runtime issues.
    * Mocks or assets under "mocks/"

    SMART_CONTRACT
    critical
  • Magic Eden Wallet (Chrome Extension)

    Android, iOS, and Chrome Extension versions of the wallet share a common codebase. Submissions will be deduplicated across each asset.

    OTHER
    critical
  • https://github.com/magiceden-oss/erc721m/releases/latest

    **In scope assets:**
    * The most current tagged release of our production smart contracts is bounty eligible:
    * https://github.com/magiceden-oss/erc721m/releases/latest
    * Smart contracts (*.sol) are located within the [erc721m/contracts](https://github.com/magiceden-oss/erc721m/tree/main/contracts) directory

    **Explicitly:** This covers vulnerabilities that are purely executed on chain against the in scope contracts (mainnet only).

    **Exclusions:**
    * Phishing or any user interaction style of attacks
    * Any attack that requires a user to interact with a contract from an attacker-controlled website
    * Dependency issues with supporting tooling. This bounty scope focuses on the smart contracts.
    * Contracts in active development or collaboration and not yet deployed to production or mainnet are exempt (In scope assets are those included under the most recent release)
    * Chain-specific vulnerabilities are excluded, e.g. EVM or Solana runtime issues.
    * Mocks or assets under "mocks/"

    SMART_CONTRACT
    critical
  • magiceden.io
    URL
    critical
  • *.magiceden.io
    OTHER
    critical
  • *.magiceden.dev

    Cryptocurrency = Solana

    OTHER
    critical
Target Scope Domains
  • coralcube.io
  • magiceden.io
  • polygon.magiceden.io
  • slingshot.app
  • slingshot.finance
Last Finished Scan:
  • Fleet: allsubs
  • Duration: 23.02 Minutes
  • Finished: 2 weeks, 6 days ago
  • State: Finished