Announcing Bug Bounty program for Cold Staking


  1. ColdStaking.sol

Contract overview

This is a system contract of Callisto Network.
The main purpose of this contract is to allow users to stake their coins and receive interest on CLO emission as a reward for holding their coins. A user is staking coins by simply depositing them into the contract. The contract will receive 20% of block reward – this is enforced at protocol level. The user can not withdraw his deposit or staked coins before a certain period of time.

Contract provides specific functionality for Treasurer allowing him to (1) stop/unstop the contract, (2) withdraw the amount of funds allocated for staking rewards and (3) remove his Treasurer role privileges (not earlier than at block 1800000).

For more information read the formula description or staking implementation discussion.

Bug Bounty

Rewards are paid in CLO. As of 11th October, 1 CLO = 0.00000221 BTC.

1. Critical issue. Up to 1,000,000 CLO (~2,2 BTC) reward for finding a critical bug.

A critical error is an error that can be directly exploited and cause a loss of funds for cold stakers regardless of circumstances.

2. Medium severity issue. 200,000 CLO (~0,442 BTC) for finding security vulnerabilities and bugs, that could not be directly exploited but can affect contracts in some specific circumstances and can cause a loss of funds for a certain stakers.

Any bugs that can occur in some specific circumstances and violate contracts workflow, resulting in a loss of funds for cold stakers.

3. Low severity issue. 50,000 CLO (~0,11 BTC) for finding security vulnerabilities and bugs, that can not affect users other than the sender of the transaction.

Any code flaw, that grants a user an opportunity to harm himself by causing a loss of funds for his staking account.

4. Minor observation, non-security issue. 10,000 CLO for valuable code improvements, non-security issues and other flaw reports.

Any code flaw, that can not cause a loss of funds or a direct breach of the contract but can cause inconveniences somehow.


  • “loss of funds” means loss of deposited stake only. Any loss of “staking reward” will be classified as a medium severity issue.
  • comment improvements are not paid.
  • the cold staking contract is currently undergoing a security audit. Issues reported by security auditors also count. Security auditors do not receive bugbounty rewards since they are paid separate salaries.
  • please, do not reveal your bug reports before the end of security audit (it end date of the security audit will be announced at the comment below).


  1. Create a secret gist.
  2. Describe the bug in the created gist.
  3. Wait for security audit to end. Keep your gist private.
  4. Publish the link to your gist (URL) on our Bug Bounty section on Github at the comment below.

The first person to create a bug-report gist will be rewarded. Reporting issues that were already reported will not be rewarded i.e. if two persons report the same issue, only the one who did it earlier, will be rewarded.

For any questions: [email protected]