Audit Comp | DeGate-logo

Audit Comp | DeGate

DeGate deployed approximately 500 nSLOC designed to allow them to upgrade their contracts. This new code is the target of this audit competition

ETH
Defi
Exchange
Asset Management
DEX
L2
C/C++
Go
Solidity

Status

Finished
Rewards Pool
$50,000
Vault TVL
To be determined
Started
20 November 2023
Ended
04 December 2023
Rewards Token
USDC
nSLOC
500
  • Triaged by Immunefi

  • PoC required

Select the category you'd like to explore

Assets in Scope

Target
Type
Smart Contract - Timelock for DepositContractProxy
Added on
20 November 2023
Target
Type
Smart Contract - Timelock for ExchangeProxy
Added on
20 November 2023
Target
Type
Smart Contract - DepositContractProxy
Added on
20 November 2023
Target
Type
Smart Contract - ExchangeProxy
Added on
20 November 2023
Target
Type
Smart Contract - Gnosis Multisig
Added on
20 November 2023

Impacts in Scope

Proof of Concept (PoC) Requirements

A PoC, demonstrating the bug's impact, is required for this program and has to comply with the Immunefi PoC Guidelines and Rules.

List of ERC20, ERC721, and ERC777 that DeGate Can Interact With:

  • DeGate is permissionless and can interact with all ERC20s. However, impacts involving balance changes and authority freezes caused by the token contract itself are out of scope, such as rebase tokens
  • ERC721 and ERC777 are incompatible with DeGate

Validity of bugs dependent on 100% trusted actors or privileged addresses:

  • DeGate is built on the principle of Trustlessness, or ‘Can’t do evil’. Impacts due to the unintended functions of an Operator are especially valuable and valid for a reward.
  • DeGate is interested in all impacts caused by the unintended functionality of multisig owners. Such bugs are in scope and valid for a reward, with the exception of impacts dependent on the multisig owners proposing new malicious code that will only implement after a 45 day delay.

Repeatable Attack Limitations

  • If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attacks within the first hour will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk.
  • For critical repeatable attacks on smart contracts that can not be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward.

Feasibility Limitations

The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.

Therefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.

Severity
Critical
Title

Direct theft of funds exceeding 1,000,000 USD from the Default Deposit Contract

Severity
Critical
Title

Permanent freezing of funds exceeding 2,500,000 USD in the Default Deposit Contract.

Severity
High
Title

Theft of funds from the Default Deposit Contract that requires malicious actions from the DeGate Operator.

Severity
High
Title

Permanent freezing of funds from the Default Deposit Contract that requires malicious actions from the DeGate Operator.

Severity
High
Title

Direct theft of user funds from the Default Deposit Contract that is less than 1,000,000 USD.

Severity
High
Title

Permanent freezing of funds in the Default Deposit Contract that is less than 2,500,000 USD.

Severity
High
Title

Force DeGate into Exodus Mode

Severity
High
Title

Impact of this malicious contract verification through zk-proof

Severity
High
Title

The amount of tokens in the L2 is inconsistent with that of the L1, except for Non-Standard tokens (Zero Knowledge Proof Circuit)

Severity
High
Title

Climbing blocks fails to recovery the asset tree (Zero Knowledge Proof Circuit)

Severity
High
Title

Temporary freezing of funds: Minimum freezing of 15 days (Zero Knowledge Proof Circuit)

Severity
High
Title

Prevent new token from registering (Zero Knowledge Proof Circuit)

Out of scope

Program's Out of Scope information

These impacts are out of scope for this bug bounty program.

All Categories:

  • Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
  • Impacts caused by attacks requiring access to leaked keys/credentials
  • Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
  • Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
  • Best practice recommendations
  • Feature requests
  • Impacts on test files and configuration files unless stated otherwise in the bug bounty program

Blockchain/DLT & Smart Contract Specific:

  • Incorrect data supplied by third party oracles
    • Not to exclude oracle manipulation/flash loan attacks
  • Impacts requiring basic economic and governance attacks (e.g. 51% attack)
  • Lack of liquidity impacts
  • Impacts from Sybil attacks
  • Impacts involving centralization risks
  • Impacts involving balance changes and authority freezes caused by the token contract itself, such as rebase tokens
  • Impacts involving the need to use more than 300 ETH in gas fees to force entry into Exodus Mode through block stuffing, storage occupation, or executing other potential economic attacks.

Prohibited Activities:

  • Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet
  • Any testing with pricing oracles or third-party smart contracts
  • Attempting phishing or other social engineering attacks against our employees and/or customers
  • Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
  • Any denial of service attacks that are executed against project assets
  • Automated testing of services that generates significant amounts of traffic
  • Public disclosure of an unpatched vulnerability in an embargoed bounty

Responsible Publication

Whitehats may publish their bug reports after they have been fixed & paid, or closed as invalid, with the following exceptions:

  • Out-of-scope bugs which are in-scope for DeGate’s normal bug bounty program may not be published. Such bug reports are to be submitted to DeGate’s normal bug bounty program.
  • Bug reports in mediation may not be published until mediation has concluded.

Immunefi may publish bug reports submitted to this audit competition.