Bubblemaps

Crypto/DeFi

On-chain data visualization platform that maps token holder distributions and wallet connections across major blockchains, exposing rug pulls and whale clusters in real time.

https://bubblemaps.io

Max Reward

$50,000

Total Paid

$210,000

Resolved

Avg Response

2 days

In-Scope Assets

Full pentest — all assets, services, APIs, smart contracts, and infrastructure are in scope

Out of Scope

None — everything is in scope.

Severity Levels & Rewards

Critical

RCE, authentication bypass, privilege escalation, fund extraction

High

Stored XSS, CSRF with impact, API abuse, data manipulation

Medium

Reflected XSS, data leakage, logic flaws, information disclosure

Low

Verbose errors, minor config issues, low-impact info disclosure

Active Bounties (8)

ID	Title	Severity	Status	Reward	Submissions
BM-001	Wallet graph data poisoning via crafted on-chain metadata	Critical	Open	$10,000–$50,000	0
BM-002	API key leakage via CORS misconfiguration on data endpoints	High	Open	$5,000–$15,000	1
BM-003	SSRF via token contract address parameter in enrichment API	Critical	In Review	$10,000–$50,000	2
BM-004	Stored XSS in bubble label rendering via token symbol injection	High	Open	$5,000–$15,000	0
BM-005	Rate limit bypass on /api/v2/bubble-map endpoint	Medium	Open	$1,000–$5,000	0
BM-006	Smart contract supply tracking manipulation via forked chain data	Critical	Open	$10,000–$50,000	0
BM-007	Authentication bypass on private map share link	High	Open	$5,000–$15,000	0
BM-008	SQL injection via chain filter parameter in analytics API	Critical	Open	$10,000–$50,000	0

Rules of Engagement

• Do not access, modify, or delete data belonging to other users.

• Do not perform denial-of-service attacks or automated scanning at high volume.

• Report vulnerabilities promptly and provide sufficient detail to reproduce.

• Allow reasonable time for fix before public disclosure (90 days).

• Safe harbor: We will not pursue legal action against researchers acting in good faith within these rules.