Middleman escrow surfaces under stress
MidMan concentrates crypto trade escrow: deposit holds, release authorization, dispute arbitration, fee accounting, chat mediation, admin overrides, and API-driven automation hooks — fertile ground for escrow theft, unauthorized release, dispute manipulation, and balance misaccounting. Each critical earns $5,000.
As a dedicated middleman platform, MidMan holds funds for every mediated trade — deposit tagging, hold ledger, release triggers, dispute overrides, fee splits — every link in that chain is a bounty-relevant attack surface.
In scope materially: every host under midman.io and sibling subdomains for middleman services, API integrations, chat mediation, admin consoles, notification workers, dispute automation.
The only exclusions are conduct-based: theft-as-a-service against counterparties outside the bounty program and harassment are banned outright.
Why pressure-test MidMan?
Flat $5K critical payouts
Validated critical exploits with reproducible payloads earn exactly $5,000 USD.
Full-scope trust boundary
Every endpoint MidMan operates is in-scope — no carve-outs.
Real custody risk
MidMan holds escrow funds — every vulnerability that lets funds escape is a clear critical.
The critical reward benchmark
- Flat rate — no haggling over severity tags
- Payable on kill chain + successful attack reproduction
- Duplicate-first policies: first qualified PoC wins
- Lower severities considered — critical bar is highest
A critical on MidMan means escrow bypass, unauthorized release of held funds, dispute outcome manipulation, mass balance disclosure, or persistent admin account takeover.
What's in scope
| Target | Category | Reward |
|---|---|---|
| midman.io, subdomains, web UI | Web | $5,000 / validated bug |
| Escrow APIs · deposit/release endpoints | Backend | $5,000 / validated bug |
| Escrow hold ledger · release triggers · fee accounting | Custody | $5,000 / validated bug |
| Dispute arbitration · admin overrides | Ops | $5,000 / validated bug |
Everything MidMan operates — no exclusions list
Sandbox escrow environments, canary wallet clusters, Telegram/bot hooks, partner integrations — all eligible when critical impact reproduces.
- Vanity domains CNAME'd into MidMan edge
- Escrow SDKs or bookmarklets MidMan ships to traders
- Bridge or on-ramp callbacks verified with MidMan-issued secrets
Rules of engagement
- Prove exploitation success. Provide scripts, HARs, parallel request captures.
- Number your hops. Session/API primitive → escalation → escrow integrity break.
- Minimize real-user blast radius. Prefer mirrors and low-value accounts.
- Private coordination first. Use official intake on midman.io.
- Duplicate fairness. First qualifying PoC wins.
How to submit a report
Use the security disclosure contact on https://www.midman.io/ (security@midman.io — verify on the live site).
- Summary and type of vulnerability
- Numbered kill chain from entry to impact
- Proof of successful exploitation
- Suggested remediation (optional)
Escrow release race vignette · pair with parallel request logs
Illustrative race on escrow release + dispute check — worthless without captures on midman.io.
```typescript
// BUGGY: TOCTOU race — dispute check and release are not atomic
async function releaseEscrow(tradeId: string) {
  const trade = await db.getTrade(tradeId);
  if (trade.status !== 'held') throw new Error('invalid state');
  // Race window: attacker sends 20 parallel releaseEscrow() calls here
  const isDisputed = await db.hasActiveDispute(tradeId);
  if (isDisputed) throw new Error('disputed');
  // Both checks passed on a stale snapshot; nothing stops a second caller reaching this line
  await wallet.send(trade.buyerAddress, trade.amount);
  await db.updateTrade(tradeId, { status: 'released' });
}
```
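The race above modelled in memory beside the atomic claim that closes it, as an added example that is not MidMan's code: the store, wallet, trade and function names are all constructed for the demo, and the store's compare-and-set stands in for whatever single-statement transition the real backend would use.

```typescript
// Added example (not MidMan's code): in-memory model of the vignette's release race
// beside an atomic claim that closes it. Every name here is constructed for the demo.
type Status = 'held' | 'releasing' | 'released';
interface Trade { id: string; status: Status; amount: number; buyerAddress: string }
// Stands in for a DB round-trip: one event-loop hop per call, so concurrent callers interleave.
const tick = (): Promise<void> => Promise.resolve();
class EscrowStore {
  private trades = new Map<string, Trade>();
  readonly disputes = new Set<string>();
  constructor(trades: Trade[]) { trades.forEach((t) => this.trades.set(t.id, { ...t })); }
  async getTrade(id: string): Promise<Trade> { await tick(); return { ...this.trades.get(id)! }; }
  async hasActiveDispute(id: string): Promise<boolean> { await tick(); return this.disputes.has(id); }
  async updateTrade(id: string, patch: Partial<Trade>): Promise<void> { await tick(); Object.assign(this.trades.get(id)!, patch); }
  // Compare-and-set in one step (SQL shape: UPDATE trades SET status='releasing'
  // WHERE id=? AND status='held' AND no open dispute); at most one concurrent caller wins the row.
  async claimForRelease(id: string): Promise<Trade | null> {
    await tick();
    const t = this.trades.get(id);
    if (!t || t.status !== 'held' || this.disputes.has(id)) return null;
    t.status = 'releasing'; return { ...t };
  }
}
class Wallet {
  sends: { to: string; amount: number }[] = [];
  async send(to: string, amount: number): Promise<void> { await tick(); this.sends.push({ to, amount }); }
}
type ReleaseFn = (db: EscrowStore, wallet: Wallet, tradeId: string) => Promise<void>;
// BUGGY: same shape as the vignette; every caller reads 'held' before anyone writes.
const releaseEscrowRacy: ReleaseFn = async (db, wallet, tradeId) => {
  const trade = await db.getTrade(tradeId);
  if (trade.status !== 'held') throw new Error('invalid state');
  if (await db.hasActiveDispute(tradeId)) throw new Error('disputed');
  await wallet.send(trade.buyerAddress, trade.amount);
  await db.updateTrade(tradeId, { status: 'released' });
};
// FIXED: the atomic claim is the only gate in front of the payout.
const releaseEscrowAtomic: ReleaseFn = async (db, wallet, tradeId) => {
  const claimed = await db.claimForRelease(tradeId);
  if (!claimed) throw new Error('not releasable');
  await wallet.send(claimed.buyerAddress, claimed.amount);
  await db.updateTrade(tradeId, { status: 'released' });
};
// Fires n concurrent releases of one held trade; returns how many payouts actually went out.
async function countPayouts(release: ReleaseFn, n = 20, disputed = false): Promise<number> {
  const db = new EscrowStore([{ id: 't1', status: 'held', amount: 100, buyerAddress: 'buyer' }]);
  if (disputed) db.disputes.add('t1');
  const wallet = new Wallet();
  await Promise.all(Array.from({ length: n }, () => release(db, wallet, 't1').catch(() => undefined)));
  return wallet.sends.length;
}
```

With twenty concurrent callers the racy path pays out twenty times and the atomic path once; a parallel-request capture showing the same multiplication is the evidence the program asks for.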
Frequently asked questions
Is the entire midman.io domain in scope?
Yes. Any host or subdomain MidMan operates is in scope.
What qualifies as a critical?
Escrow bypass enabling unauthorized release, dispute manipulation with financial loss, or admin account takeover.
Is social engineering allowed?
No. Technical endpoint testing only.