Audit Comp | Celo

Celo is scaling Ethereum with real-world solutions, leading a thriving new digital economy for all.

Languages: Solidity, Go
Status: Evaluating (8d 0h remaining)
Rewards Pool: $50,000
Vault TVL: To be determined
Started: 13 November 2024
Ended: 06 December 2024
Rewards Token: cUSD
nSLOC: 5,253

  • Triaged by Immunefi
  • PoC required
  • KYC required

Assets in Scope

Target / Type                                    Added on
Smart Contract - GasPriceMinimum - 160           15 November 2024
Smart Contract - MentoFeeCurrencyAdapter - 55    15 November 2024
Smart Contract - EpochManagerEnabler - 63        15 November 2024
Smart Contract - GoldToken - 155                 15 November 2024
Smart Contract - LockedGold - 573                15 November 2024
Smart Contract - CeloUnreleasedTreasury - 48     15 November 2024
Smart Contract - EpochManager - 488              15 November 2024
Smart Contract - Account - 53                    14 November 2024
Smart Contract - DefaultStrategy - 56            14 November 2024
Smart Contract - Manager - 36                    14 November 2024
Smart Contract - SpecificGroupStrategy - 59      14 November 2024
Smart Contract - Vote - 4                        14 November 2024

Technical Resources

Roadmap: https://forum.celo.org/t/cel2-roadmap-update/6815

Technical:

Non-technical: https://www.youtube.com/watch?v=mkpTmbkRv4A

Is this an upgrade of an existing system? If so, which? And what are the main differences?

Celo is transitioning from a standalone EVM-compatible Layer 1 blockchain to an Ethereum Layer 2. This shift, proposed by cLabs in July 2023, aims to maintain the seamless user experience that Celo is known for—characterized by speed, low costs, and ease of use—while leveraging Ethereum's security and ecosystem.

Where do you suspect there may be bugs? Which parts of the code are you most concerned about?

Experimental Features, Custom Gas Token, Alternate Data Availability Layer implementation in the OP Stack.

What attack vectors are you most concerned about?

Migration to L2 and Sequencer

Which part(s) of the system do you want whitehats to attempt to break the most?

Custom Gas Currency (https://docs.celo.org/cel2/fee-currencies)

What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported? Which are not?

All ERC20 / ERC721 / ERC777 / ERC1155 standards are supported.

What emergency actions may you want to use as a reason to invalidate or downgrade an otherwise valid bug report?

Test on Testnet: https://docs.celo.org/cel2/network-information

What monitoring systems may you want to use as a reason to invalidate or downgrade an otherwise valid bug report?

  • Third-party security review
  • Blockchain Explorer

What addresses would you consider any bug report requiring their involvement to be out of scope, as long as they operate within the privileges attributed to them?

Any is fine on Testnet

What external dependencies are there?

https://github.com/ethereum-optimism/op-geth

Where might whitehats confuse out-of-scope code to be in-scope?

Open source code in the defined repos is in scope. Anything on testnet is in scope. Cel2 code is not deployed to Mainnet.

stCelo (staked-celo) is live on Mainnet and is in scope.

What is the test suite setup information?

Public Disclosure of Known Issues

Bug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk.

Previous Audits

Celo’s previous audit reports can be found here: https://celo.org/audits

Celo is currently running an audit. Bugs in the audit report that aren't disclosed pre-launch are valid for rewards.

Impacts in Scope

Severity   Title
Critical   Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
Critical   Permanent freezing of funds on L1
Critical   Protocol insolvency
Critical   Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results
Critical   L1 contract manipulation (sequencer address, malicious state root update)
Critical   Critical hot wallets compromised (batcher, proposer, sequencer)
High       Permanent freezing of unclaimed royalties
High       Temporary freezing of funds
High       Theft of unclaimed royalties
High       Theft of unclaimed yield
High       Permanent freezing of unclaimed yield
High       L2 re-org

Out of scope

Default Out of Scope and rules

Smart Contract specific

  • Incorrect data supplied by third party oracles
    • Not to exclude oracle manipulation/flash loan attacks
  • Impacts requiring basic economic and governance attacks (e.g. 51% attack)
  • Lack of liquidity impacts
  • Impacts from Sybil attacks
  • Impacts involving centralization risks

All categories

  • Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
  • Impacts caused by attacks requiring access to leaked keys/credentials
  • Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed
  • Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
  • Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
  • Best practice recommendations
  • Feature requests
  • Impacts on test files and configuration files unless stated otherwise in the bug bounty program
  • Impacts requiring phishing or other social engineering attacks against project's employees and/or customers