CST and CSCT Token Contract Joint Vulnerability Reward Details
1. Overview of the Plan
To further enhance the security of CST and CSCT token contracts and protect user assets, we are officially launching a joint vulnerability reward program. We invite security researchers, white-hat hackers, and developers from around the globe to conduct in-depth audits and tests on our token contracts. For the first reporter of valid vulnerabilities that help us address potential security risks, we will issue corresponding rewards based on the severity level of the vulnerabilities.
Total Reward Pool: 2,000,000 USDT
Reward Period: March 28, 2026, to April 28, 2026
Reward Distribution: May 1, 2026
Involved Contracts:
CST Token Contract Address:
0x677476c15F339d341F4B82cC06A7672403deF5f0
CSCT Token Contract Address:
0xF2Daf3F85E4b79BA6224DbFCAc2562079663f501
Reward Pool Wallet Address:
TKq96WcKC3i5wTKyzZyNggeJuqX2ZnvqRx

2. Reward Scope and Classification
This reward program focuses on vulnerabilities at the smart contract code level. Rewards will be rated based on the severity of the vulnerability, difficulty of exploitation, and potential impact on user assets.
Vulnerability Level: High Risk Vulnerability
Reward Amount: 10,000 - 50,000 USDT
Classification Criteria: Vulnerabilities that can directly lead to asset loss or complete contract failure.
Typical Cases:
* Direct Fund Theft: The attacker can directly steal CST/CSCT or underlying blockchain tokens locked in the contract without specific user operations.
* Minting Arbitrary Amounts: Unauthorized parties can bypass privilege checks and issue unlimited CST/CSCT tokens, leading to a collapse of token economics and the price going to zero.
* Permanent Asset Freeze: All users' CST/CSCT assets become permanently locked in the contract, with no transfer or burn operations possible.
* Privilege Escalation: Attackers exploit reentrancy, access control flaws, etc., to gain admin privileges (like onlyOwner access) and execute dangerous operations.
Vulnerability Level: Medium Risk Vulnerability
Reward Amount: 2,000 - 10,000 USDT
Classification Criteria: Vulnerabilities that lead to abnormal protocol functionality or limited asset loss under specific conditions.
Typical Cases:
* Specific Condition Fund Loss: Although it causes financial loss, it requires extremely stringent external conditions (e.g., relying on specific trading prices).
* Temporary Denial of Service: Can temporarily block key functions of CST/CSCT (e.g., pausing transfers for more than a week), but the administrator can restore it through specific means.
* Medium Impact Business Logic Bypass: For example, using flash loan attacks to exploit precision calculation flaws in the contract, extracting small arbitrage profits in specific trades, but not causing a global collapse.
* Permanent Mild Dysfunction of Core Functions: Leads to the permanent failure of a non-core function (such as snapshot functionality, voting rights calculation) but does not affect asset security.
Vulnerability Level: Low Risk Vulnerability
Reward Amount: 500 - 2,000 USDT
Classification Criteria: Vulnerabilities that have a minor security impact or are difficult to exploit directly.
Typical Cases:
* Code Not Compliant with Best Practices: Such as missing zero-address (address(0)) checks, lack of event logs, etc., which do not directly cause financial loss.
* Off-Chain Information Leak: Only leads to off-chain front-end information leaks, but cannot cause financial loss through on-chain interactions.
* Governance Attack with No Financial Loss: Theoretically, a governance attack could be initiated, but due to time locks or multi-signature constraints, it cannot be stopped before causing losses.
* Event Data Error: Incorrect parameter value calculations for events emitted during contract execution. While this doesn't affect on-chain status, it impacts off-chain monitoring and front-end display.
3. Planning Rules and Submission Requirements
To ensure rewards are distributed accurately and fairly, all participants must adhere to the following rules.
3.1 Qualification Requirements
Originality Principle: Only the first security researcher to submit a specific vulnerability is eligible for a reward. We will determine this based on the submission timestamp.
Reproducibility: The submitted report must include enough technical details for our development team to reproduce the vulnerability.
Proof of Concept (POC): A complete POC (code or test cases demonstrating the exploitability of the vulnerability) must be provided for vulnerabilities rated as medium risk or higher.
Testing Environment: Please prioritize testing on a deployed contract copy on the testnet to avoid unnecessary risks to contracts running on the mainnet.
3.2 Submission Method
Please send all findings to our security email:
[kingofusa888999@outlook.com]
Email Subject Format: [Bug Bounty JICST/CSCT] Vulnerability Summary - [Your Username/Nickname].
The email body must include:
Vulnerability Type: E.g., reentrancy attacks, privilege escalation, integer overflow.
Impact Range: Specific to contract files and line numbers.
Detailed Description: The principle behind the vulnerability.
Attack Steps: Clear reproduction steps, accompanied by test scripts.
Potential Impact: The maximum loss or consequence you believe this vulnerability could cause.
Wallet Address: Your USDT wallet address for receiving rewards (please specify the chain type)
