Spaace is building a gamified NFT marketplace powered by XP, leaderboards, rewards, and on-chain activity.
Because our ecosystem includes economic incentives, trading rewards, referral systems, and dynamic XP logic, security and integrity are critical.
The Spaace Security & Exploit Challenge rewards users who help us identify vulnerabilities that could impact:
- Platform security
- Economic balance
- XP calculation
- Leaderboards
- Referral system
- Smart contracts
- Reward distribution
This program is designed for responsible security research only.
π― Reward Range
Eligible reports may receive between: 10,000 XP and 10,000,000 XP
Rewards are determined based on:
- Severity
- Exploitability
- Economic impact
- Systemic risk
- Quality of report
- Reproducibility
All rewards are granted at Spaaceβs sole discretion.
Duplicate reports will not be rewarded. Only the first valid submission qualifies.
π Reward Categories
Rewards are assigned based on severity tiers.
Low Impact
Must demonstrate reproducibility.-
Minor logic flaws with no economic impact
-
Edge case XP inconsistencies
-
Limited scope system miscalculations
Medium Impact
Requires clear proof of exploit scenario.-
Exploitable flaws affecting XP or leaderboard integrity
-
Limited referral manipulation
-
Reward misallocation affecting multiple users
-
Partial bypass of system protections
High Impact
Must include proof of concept and impact assessment.-
Economic exploit potential
-
XP farming bypass
-
Referral abuse at scale
-
Volume manipulation loopholes
-
Reward distribution corruption
Critical Impact
Critical rewards may require private coordination and validation.-
Smart contract vulnerabilities
-
Fund loss vectors
-
System-wide XP corruption
-
Unauthorized data access
π In Scope
The following systems are eligible:
- XP calculation logic
- Battle Pass progression
- Referral and multi-level reward logic
- Leaderboard scoring
- Trading reward system
- Anti-wash trading protections
- API security
- Smart contract logic
- Reward distribution mechanisms
π« Out of Scope
The following are NOT eligible for rewards:
- UI/UX suggestions
- Typographical errors
- Feature requests
- Performance complaints
- Known issues listed publicly
- Beta feature instability
- Issues already internally tracked
- Non-reproducible edge cases
This program is not a support channel.
For general bugs or feedback, please use Intercom or our Help Center.
π Submission Requirements
All reports must include:
- Clear title
- Category (Security / Economic / Logic / Smart Contract / Other)
- Detailed reproduction steps
- Impact explanation
- Proof of concept (video or transaction proof if applicable)
- Wallet address used
- Estimated severity level
Incomplete submissions may be rejected.
βοΈ Rules & Responsible Disclosure
By participating, you agree:
- Not to exploit vulnerabilities beyond proof of concept
- Not to impact real user funds
- Not to manipulate live trading volume
- Not to publicly disclose findings before resolution
- Not to perform denial of service or spam attacks
Violation may result in account suspension and exclusion from the program.
π Known Limitations
Spaace is an evolving platform.
Reports related to publicly acknowledged limitations or roadmap items may not qualify for rewards.
We reserve the right to update scope and conditions at any time.
π How to Submit
Submit your report via the official form:
All submissions are reviewed manually by the Spaace team.
Validated reports will receive XP rewards directly to their account.
