We put a $200 bounty on bitfi’s version 2 hardware wallet for 30 days, which started January 7th, since no one has successfully publicly hacked it, since it was released. We were given a donation for our intense research, which is where the $200 comes from. We then contacted Bitfi and they put $4800 more on it, making it a combined total of $5000 coming from 2 different companies.
The terms of this are quite simple, that we were able to condense them into a tweet, but are posting them here, for professionalism.
- Make a proof of concept demonstrating you can transfer cryptocurrency from a locked, secured bitfi version 2 wallet, which is identical to what bitfi called bounty #1, in 2017. This is the only bounty, if you root the device, wipe it, play doom on it, things that happened with bitfi version 1, congrats on making some cool modifications, but if you can’t transfer the cryptocurrency, those attacks are out of scope.
How do I get a Bitfi?
Bitfi is providing researchers with a version 2 for testing purposes just contact firstname.lastname@example.org and inform them you are a researcher and you are testing version 2. This portion of the bounty is solely from bitfi, not in anyway is Planet Zuda, LLC responsible for this.
Who is excluded from this Bitfi bounty?
Anyone who is using a device that is not a Bitfi 2 directly from the company within this 30 day period for this specific bounty, additionally a tracking number must be shown in any proof of concept and date of purchase, you are excluded. Devices can be obtained free of charge from email@example.com or if you wish, for some reason you can purchase it from the site.
Per standard bounty rules, anyone who was employed, contractor or had anything to do or any involvement with the changes and updates to version 2 of bitfi is excluded from this bounty. Additionally, any 3rd party that was told non public domain information from someone who was employed, a contractor or had anything to do with the changes and updates to version 2 of bitfi are also excluded, as that provides an unfair advantage.
How do I get the $1000 bounty?
You have to be able to hack the device that you are sent, that has to be version 2 and then with security on, transfer the cryptocurrency.
Out of scope:
Social engineering is out of scope, misleading software is out of scope, attacking owners of bitfi hardware wallets is a criminal or civil offense, so it’s out of scope. Knowing the seed phrase and typing it in to transfer crypto-currency is out of scope, transferring crypto-currency when the device is unlocked is out of scope, cloning the software and or any components of the device and using it for social engineering / phishing is out of scope, cloning the image for use of social engineering / phishing anything that is an intended feature is out of scope.
It is up to our sole discretion if your proof of concept does indeed qualify for payment, we reserve the right to decline it.
We expect to see submissions that look like the template from zephyrs github .
- The affected urls or area of the application where the issue exists.
- Risk: Something
- Difficulty to Exploit: Somethingelse
- CVSS3 Score
- What kind of attacker?
- Do they need authentication?
- Who else does it affect?
A clear outline of the steps required to execute the payload as an attacker, this can include how to setup the payload and launch it.
- Show, Introduce, Discuss
- Screenshots may be declined if they don’t provide enough evidence, a detailed video plus screenshots and a written walk-through tutorial is highly recommended, in order to verify your claims.
- Explain who this issue affects?
- Is it everyone or just a select amount of users?
- How can this occur?
- How do you fix the issue?
- What is the recommended remediation actions required to successfully fix issue x?
Include additional reading for the client to further backup the issues explained or elaborate more on other potential issues chained to the one identified.
-  Reference 1
-  Reference 2