Last updated: 21 May 2026
Found a bug in our smart contracts? Or would you like to see if you can? We'd love to hear from you. Our main focus is to ensure that the token assets that belong to a user can't be stolen and that the contracts function the way they are intended to. We reward both ETH and city tokens for any serious bugs found that result in a fix being needed.
The contracts covered by this program:
Can you steal someone's assets? This means transferring or burning a token that does not belong to you and that you have not been approved to act for. We're interested in any abuse of the smart contracts (ERC-721 functions, marketplace functions, anything) that can result in the theft or destruction of tokens. This also includes being able to perform an action that only the owner of the contract should be able to perform (such as pausing it).
Reward: 0.5 ETH and 1 city nft (above 45 points).
Are you able to DoS the contracts? For example, could you stop users from being able to transfer tokens or execute offers in the marketplace? Could you prevent the contract owner from being able to perform actions (such as pausing or minting)? Is something broken, such as totalSupply showing the wrong value?
Reward: 0.25 ETH and 1 city nft (above 40 points).
Anything that changes state in an unintended way in the contracts but is not considered very harmful. An example would be batch functions that revert at a low batch size such as 10 items (batches failing with large arrays are not covered). Also covered here is a contract owner action that can be mitigated by the owner simply making the call again with new constraints.
Reward: 0.1 ETH and 1 city nft (above 35 points).
Bottom line: anything that's not important enough to fix will probably not be covered by this program.