
Audit Comp | DeGate

DeGate deployed approximately 500 nSLOC designed to allow them to upgrade their contracts. This new code is the target of this audit competition

Tags: ETH, Defi, Exchange, Asset Management, DEX, L2, C/C++, Go, Solidity

Status: Finished
Rewards Pool: $50,000
Vault TVL: To be determined
Started: 20 November 2023
Ended: 04 December 2023
Rewards Token: USDC
nSLOC: 500
  • Triaged by Immunefi

  • PoC required

This Audit Competition Is Over

All paid bug reports are available in original format here.

Started: 20 November 2023 16:00 UTC
Ended: 04 December 2023 09:00 UTC

Rewards

Audit Comp | DeGate provides rewards in USDC on Ethereum, denominated in USD.

Rewards by Threat Level

Smart Contract
Critical: Pool of USD $300,000
High: Pool of USD $50,000
Medium: Pool of USD $50,000 (baseline)
Low: Pool of USD $50,000 (baseline)
Insight (all categories *): Portion of the Reward Pool

This audit competition has $400,000 USD in rewards split across 3 reward pools: $300,000 is allocated to the Criticals reward pool, $50,000 to the Highs reward pool, and $50,000 to the Baseline reward pool.

Reward Payment Terms

Payouts are handled by the DeGate team directly and are denominated in USD. However, payouts are done in USDC.

Rewards will be distributed all at once after the event has concluded and the final bug reports have been resolved.

The following reward rules are a summary; for an in-depth explanation, read our Reward Distribution Rules article. The reward mechanisms are designed to reward all high-quality whitehat work, with the greatest rewards for Critical issues and unique findings.

Duplicate & Private Known Issue Reward Policy

Duplicate bug reports which are in-scope for this event are considered valid and will be rewarded in a Sybil-resistant manner. Attempts to abuse the duplicate reward policy will result in a ban and forfeit of all rewards. Private known issues, meaning bugs known to the project but not publicly disclosed, which are in scope for this event are considered valid and will be rewarded at a reduced rate of 25%.

Baseline Reward Pool

The $50,000 USD baseline reward pool is distributed among all participants. 80% is split among all valid report submissions based on the bug’s severity. 20% is distributed at Immunefi’s discretion to highly valuable reports, even if they’re technically invalid, and other significant contributions. The entire baseline reward pool will be distributed even if no valid bugs are found.

Criticals Reward Pool

The $300,000 USD Criticals reward pool is distributed among all valid Critical severity reports. This reward pool is split among all Critical bug submissions with 80% going to the primary finder and 20% going to all other finders in a Sybil-resistant way. The primary finder is the first whitehat to demonstrate how the bug is Critical severity. If no Critical severity bugs are found then this reward pool is not distributed.

Highs Reward Pool

The $50,000 USD Highs reward pool is distributed among all valid High severity reports. This reward pool is split among all High bug submissions with 80% going to the primary finder and 20% going to all other finders in a Sybil-resistant way. The primary finder is the first whitehat to demonstrate how the bug is High severity. If no High severity bugs are found then this reward pool is not distributed.

Program Overview

Audit Competition Overview

A total of $400,000 USD in rewards is available in this audit competition. A baseline reward pool of $50,000 USD will be distributed among participants even if no valid bugs are found. For this audit competition, duplicates and private known issues are valid for a reward.

DeGate will respond within 24 hours on weekdays to all bug reports. Any technical questions and support requests can be asked directly to DeGate or Immunefi in the DeGate Audit Competition Discord channel.

When the audit competition has ended Immunefi will publish an event-specific leaderboard and bug reports from the event.

DeGate deployed approximately 500 nSLOC designed to allow them to upgrade their contracts. This new code is the target of this audit competition. DeGate is most interested in bugs in how their new contracts were deployed and how they interact with their protocol.

A high level overview of the code which is in scope for this audit competition can be found here: https://github.com/degatedev/protocols/commit/180138015197c886ec3c87efa8bf0031b653359f#commitcomment-132582143

Only the proxies themselves are in scope for this audit competition. Bugs in the implementation contracts are out of scope, but are valid for a reward in DeGate's normal bug bounty program, and should be submitted there instead.

Project Overview

DeGate is a decentralized orderbook exchange (DEX) built on the Ethereum blockchain that utilizes zero-knowledge technology. DeGate DEX offers spot market trading with limit orders and also offers a grid trading function.

DeGate operates as a decentralized autonomous organization (DAO). The DEX platform is focused on being user-friendly and is built on the principle of Trustlessness. With DeGate’s unique Efficient Gas Saving technology, users can expect super-low gas fees while using a decentralized protocol. Another critical component of DeGate is the Permissionless Listing feature which enables any token to be listed in a permissionless manner on DeGate’s orderbook DEX.

For more information about DeGate, visit https://docs.degate.com

KYC not required

No KYC information is required for payout processing.

Proof of Concept

Proof of concept is always required for all severities.

Prohibited Activities

Default prohibited activities
  • Any testing on mainnet or public testnet deployed code; all testing should be done on local forks of either public testnet or mainnet
  • Any testing with pricing oracles or third-party smart contracts
  • Attempting phishing or other social engineering attacks against our employees and/or customers
  • Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
  • Any denial of service attacks that are executed against project assets
  • Automated testing of services that generates significant amounts of traffic
  • Public disclosure of an unpatched vulnerability in an embargoed bounty
  • Any other actions prohibited by the Immunefi Rules

Feasibility Limitations

The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity. Therefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.