Audit Comp | DeGate
DeGate deployed approximately 500 nSLOC designed to allow them to upgrade their contracts. This new code is the target of this audit competition.
Status
Triaged by Immunefi
PoC required
This Audit Competition Is Over
All paid bug reports are available in original format here.
Rewards
Rewards by Threat Level
This audit competition has $400,000 USD in rewards split across 3 reward pools. $300,000 is allocated to the Criticals reward pool, $50,000 to the Highs reward pool, and $50,000 to the Baseline rewards pool.
Reward Payment Terms
Payouts are handled directly by the DeGate team. Rewards are denominated in USD and paid out in USDC.
Rewards will be distributed all at once after the event has concluded and the final bug reports have been resolved.
The following reward rules are a summary, for an in-depth explanation read our Reward Distribution Rules article. The reward mechanisms are designed to reward all high quality whitehat work, with the greatest rewards for Critical issues and unique findings.
Duplicate & Private Known Issue Reward Policy
Duplicate bug reports which are in-scope for this event are considered valid and will be rewarded in a Sybil-resistant manner. Attempts to abuse the duplicate reward policy will result in a ban and forfeit of all rewards. Private known issues, meaning bugs known to the project but not publicly disclosed, which are in scope for this event are considered valid and will be rewarded at a reduced rate of 25%.
Baseline Reward Pool
The $50,000 USD baseline reward pool is distributed among all participants. 80% is split among all valid report submissions based on the bug’s severity. 20% is distributed at Immunefi’s discretion to highly valuable reports, even if they’re technically invalid, and other significant contributions. The entire baseline reward pool will be distributed even if no valid bugs are found.
Criticals Reward Pool
The $300,000 USD Criticals reward pool is distributed among all valid Critical severity reports. This reward pool is split among all Critical bug submissions with 80% going to the primary finder and 20% going to all other finders in a Sybil-resistant way. The primary finder is the first whitehat to demonstrate how the bug is Critical severity. If no Critical severity bugs are found then this reward pool is not distributed.
Highs Reward Pool
The $50,000 USD Highs reward pool is distributed among all valid High severity reports. This reward pool is split among all High bug submissions with 80% going to the primary finder and 20% going to all other finders in a Sybil-resistant way. The primary finder is the first whitehat to demonstrate how the bug is High severity. If no High severity bugs are found then this reward pool is not distributed.
Program Overview
Audit Competition Overview
A total of $400,000 USD in rewards is available in this audit competition. A baseline reward pool of $50,000 USD will be distributed among participants even if no valid bugs are found. For this audit competition, duplicates and private known issues are valid for a reward.
DeGate will respond within 24 hours on weekdays to all bug reports. Any technical questions and support requests can be asked directly to DeGate or Immunefi in the DeGate Audit Competition Discord channel.
When the audit competition has ended Immunefi will publish an event-specific leaderboard and bug reports from the event.
DeGate deployed approximately 500 nSLOC designed to allow them to upgrade their contracts. This new code is the target of this audit competition. DeGate is most interested in bugs in how their new contracts were deployed and how they interact with their protocol.
A high level overview of the code which is in scope for this audit competition can be found here: https://github.com/degatedev/protocols/commit/180138015197c886ec3c87efa8bf0031b653359f#commitcomment-132582143
Only the proxies themselves are in scope for this audit competition. Bugs in the implementation contracts are out of scope, but are valid for a reward in DeGate's normal bug bounty program, and should be submitted there instead.
Project Overview
DeGate is a decentralized orderbook exchange (DEX) built on the Ethereum blockchain that utilizes zero-knowledge technology. DeGate DEX offers spot market trading with limit orders and also offers a grid trading function.
DeGate operates as a decentralized autonomous organization (DAO). The DEX platform is focused on being user-friendly and is built on the principle of trustlessness. With DeGate's Efficient Gas Saving technology, users can expect very low gas fees while using a decentralized protocol. Another critical component of DeGate is Permissionless Listing, which lets any token be listed on DeGate's orderbook DEX without approval.
For more information about DeGate, visit https://docs.degate.com
KYC not required
No KYC information is required for payout processing.
Proof of Concept
Proof of concept is always required for all severities.
Prohibited Activities
- Any testing on mainnet or public testnet deployed code; all testing should be done on local forks of either public testnet or mainnet
- Any testing with pricing oracles or third-party smart contracts
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks that are executed against project assets
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty
- Any other actions prohibited by the Immunefi Rules
Feasibility Limitations
The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity. Therefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.