Skip to content

Latest commit

 

History

History
155 lines (126 loc) · 5.57 KB

README.md

File metadata and controls

155 lines (126 loc) · 5.57 KB

STON.FI Bug Bounty program

The STON.fi Bug Bounty program is focused around our smart contracts with a primary interest in the prevention of loss of user funds.

Program fund is 200 000 TON.

Rewards

Level of vulnerability Amount
Critical Up to 20.000 TON
High 2.000 TON
Medium 1.000 TON

These rewards may be increased in the future.

Smart Contracts

Currently the scope of program only includes contracts v1.0.0, the same ones that are used by DEX in the mainnet. The scope might be extended with other versions in the future.

Name of Contract Link
LP Account https://github.com/ston-fi/dex-core/blob/v1.0.0/contracts/lp_account.func
LP Wallet https://github.com/ston-fi/dex-core/blob/v1.0.0/contracts/lp_wallet.func
Pool https://github.com/ston-fi/dex-core/blob/v1.0.0/contracts/pool.func
Router https://github.com/ston-fi/dex-core/blob/v1.0.0/contracts/router.func

The contracts version may be updated in the future.

Impacts in scope

Only the following impacts are accepted within this Bug Bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.

Type Level
Direct theft of any user funds Critical
Permanent freezing of funds Critical
Protocol insolvency Critical
Theft of unclaimed yield High
Freeze ability of other users to trade High
Temporary freezing of funds High
Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol) Medium

Rules

The following activities are prohibited by this Bug Bounty program:

  • Any testing with mainnet.
  • Any testing with pricing oracles or third party Smart Contracts
  • Attempting phishing or other social engineering attacks against our employees and/or customers
  • Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
  • Automated testing of services that generates significant amounts of traffic
  • Any denial of service attacks

All testing should be done on testnet. We specifically deployed smart contracts on the testnet.

Router address - EQBsGx9ArADUrREB34W-ghgsCgBShvfUr4Jvlu-0KGc33Rbt. Also you can see on tonscan.

And please see dex-core repo.

Non-issues

The following issues are excluded from the rewards for this Bug Bounty program:

  • Lack of liquidity
  • Best practice critiques
  • Centralization risks
  • Issues with information about user balances
  • Cases with disguising one asset with another asset
  • Issues with precision when providing liquidity: e.g. in certain case, if you provide liquidity and after that you directly burn it, you may receive a bit less of one jetton and a bit more of the other one
  • Any kind of optimization/logic improvements/coding style improvements
  • Wrong opcode in onchain getter call getter_lp_account_address (in 1.0.0 version)
  • Issues related to lp jetton wallets
  • Issues related to contract deletion caused by inability to pay rent
  • Issues related to gas optimisation
  • Issues related to loss of funds caused by price slippage: frontrunning, backrunning, sandwich attacks, etc.
  • Possible loss of funds when attempting to perform a swap in non-initialized pool (before successful provideLP)

Experts

Experts involved in the evaluation of the reports:

Reports

All bug reports must include a Proof of Concept demonstrating how the vulnerability can be exploited to be eligible for a reward. This may be a Smart Contract itself or a transaction. Only the reports that meet the requirements will be considered by the experts.

Please send reports to [email protected]

By submitting a vulnerability report you indicate your agreement to the Terms of participation.