Audit Comp | DeGate

DeGate deployed approximately 500 nSLOC designed to allow them to upgrade their contracts. This new code is the target of this audit competition.

ETH
Defi
Exchange
Asset Management
DEX
L2
C/C++
Go
Solidity

Status: Finished
Rewards Pool: $50,000
Vault TVL: To be determined
Started: 20 November 2023
Ended: 04 December 2023
Rewards Token: USDC
nSLOC: 500
  • Triaged by Immunefi

  • PoC required

Assets in Scope

All impacts resulting from the introduction of the code listed in scope are in scope for this audit competition.

All impacts not resulting from the introduction of the code listed in scope should be submitted to DeGate’s normal bug bounty program instead.

Impacts on test files, mock files, and configuration files are out of scope, unless stated otherwise in the bug bounty program.

Timelock contracts source code (a fork from Compound): https://github.com/degatedev/protocols/blob/degate1.1.0/packages/loopring_v3/contracts/thirdparty/timelock

Upgradability contracts source code: https://github.com/degatedev/protocols/blob/degate1.1.0/packages/loopring_v3/contracts/thirdparty/proxies

Documentation directly pertaining to the in scope code can be found at: https://github.com/degatedev/protocols/commit/180138015197c886ec3c87efa8bf0031b653359f#commitcomment-132582143

Further Resources

DeGate is especially interested in bugs in how this new code interacts with their older code.

All DeGate’s smart contract code, including out of scope smart contract code, can be found at https://github.com/degatedev/protocols/tree/degate1.1.0/packages/loopring_v3/contracts, along with the Protocol Specification Docs, Circuit Design Docs and Smart Contract Design Docs.

DeGate Testnet is currently live on https://testnet.degate.com, and more details can be found in the product documentation (https://docs.degate.com/v/product_en/readme).

To ask DeGate or Immunefi questions directly, join the DeGate Audit Competition Discord channel.

Previous Audits & Known Issues

Private known issues, meaning known issues which were not publicly disclosed, are valid for a partial reward. If a bug found during the event requires an immediate fix then that bug will be considered a publicly known issue as soon as the fix is deployed. DeGate’s completed audit reports and known issues can be found at:

Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.

Known Issue Assurance

DeGate commits to providing Known Issue Assurance to bug submissions through their program. This means that DeGate will either disclose known issues publicly, or at the very least, privately via a self-reported bug submission.

In the event of a mediation, this allows for a more objective and streamlined process for proving that an issue is known. Otherwise, assuming the bug report is valid, the report would be considered in scope and due a reward.

Primacy of Impact vs Primacy of Rules

This timeboxed bug bounty adheres to the Primacy of Rules, which means that the whole timeboxed bug bounty program is run strictly under the terms stated on this page.

If your bug report demonstrates an impact which does not originate from or depend on the assets in scope of this timeboxed bug bounty program then it may be valid for a reward on DeGate’s normal bug bounty program, which utilizes Primacy of Impact.