Bug Bounty
What Pixie Chess rewards, what it doesn't, and how to report.
Pixie Chess rewards reports that demonstrate real, exploitable impact to user funds, user assets, user data, or protocol integrity. Rewards range from $100 to $5,000 per valid report, paid at the team's sole discretion based on severity, exploitability, blast radius, and report quality.
Severity and rewards
Severity is judged on the outcome an attacker can cause, not on the specific technique used. The lists below describe outcomes; any working exploit that produces one of them qualifies.
| Tier | Range | Outcome |
|---|---|---|
| Critical | $2,500 to $5,000 | Loss of protocol funds, mass compromise, or permanent asset lockout |
| High | $1,000 to $2,500 | Single-account takeover or high-integrity tournament manipulation |
| Medium | $250 to $1,000 | Targeted griefing, private-data exposure, or rule-enforcement bypass |
| Low | $100 to $250 | Low-leverage disclosures and scoped, recoverable disruptions |
Outcomes by severity
Critical
- Loss of user or protocol funds. Draining any protocol-held contract, redirecting tournament payouts, unauthorized minting, transfer, or destruction of pieces owned by other users, or permanent loss of access to user-held assets.
- Full backend compromise. Remote code execution on the API or workers, unauthenticated access to production data, or exposure of admin signing keys, JWT secrets, or other backend-held private keys.
- Mass account takeover. An authentication bypass that simultaneously compromises a large number of user accounts.
High
- Targeted user harm. Takeover of a specific user account, or bulk exfiltration of user PII such as emails, wallet-to-email links, or IP logs.
- Tournament integrity. Bracket manipulation short of payout theft (forced matchups, duplicated or skipped entrants), or reusing a piece beyond its allowed uses.
- Latent protocol compromise. On-chain accounting that desyncs balances (even if not yet drained), or unauthorized write access to the admin panel.
Medium
- Protocol rule bypass. Deterministic game-state corruption where the attacker picks both the victim and the outcome; bypass of gating such as piece binding, cooldowns, or tournament entry; or races that displace paid tournament entrants.
- Unauthorized access to other users' data or sessions. Stored script execution that reaches another user's session, state changes forced through a realistic victim interaction, or unauthorized reads of another user's private data.
- Internal system access. Forged requests from an untrusted surface that reach internal services with read or write capability.
A single piece or ability misbehaving on its own is a gameplay bug, not a Medium finding.
Low
- Low-leverage web issues. Script execution on unauthenticated pages, or disclosure of non-public information that enables a further attack.
- Recoverable disruption. Bricking a single auction or tournament instance that admins can repair, with no user asset loss.
Out of scope
- Gameplay and design. Piece or ability misbehavior, balance complaints, collusion, sandbagging, and any intended-mechanic disagreement. Report these in Discord as regular bugs.
- Low-impact web issues. Self-XSS, clickjacking on pages without state changes, open redirects without auth impact, UI state that self-heals on refresh, email spoofing from pixiechess.xyz, missing security headers without a working exploit, cosmetic bugs, typos, and broken links.
- Methodology and attribution. Scanner output without a PoC, theoretical attacks, duplicates (first valid report wins), issues already fixed on main, vulnerabilities in dependencies not reachable from Pixie code, front-running or MEV without direct user theft, physical attacks, and findings that require the victim to install malware, share a seed phrase, or approve a malicious contract.
Prohibited activities
Findings discovered while violating these rules are not eligible for a reward.
- Denial-of-service, spam, brute-force, request floods, or automated scanning against Pixie infrastructure.
- Testing against anyone's account, data, or funds other than your own.
- Exfiltrating more user data than the minimum needed to prove the report.
- Social engineering of players, moderators, or staff.
- Public disclosure before a fix ships or 90 days pass, whichever comes first.
Submitting a report
1. Open a ticket in the Pixie Chess Discord. Do not post findings in public channels.
2. Describe the impact: what an attacker gains, who is affected, and any prerequisites.
3. Attach a working proof-of-concept: reproduction steps, code, transaction hashes, or a short video.
4. Include context: affected component, contract address or endpoint, environment, and relevant account or transaction IDs.
5. Propose a tier (optional). This helps us triage faster.
One reward per root cause. Chains that only work through an already-reported primitive do not stack. Vague messages and speculation without a PoC will not receive a response.
This documentation is in its early stages and may contain inconsistencies. If you find any, please let us know!