Audit Comp | DeGate
DeGate deployed approximately 500 nSLOC designed to allow them to upgrade their contracts. This new code is the target of this audit competition
Status
Triaged by Immunefi
PoC required
Select the category you'd like to explore
Assets in Scope
Impacts in Scope
Proof of Concept (PoC) Requirements
A PoC, demonstrating the bug's impact, is required for this program and has to comply with the Immunefi PoC Guidelines and Rules.
List of ERC20, ERC721, and ERC777 that DeGate Can Interact With:
- DeGate is permissionless and can interact with all ERC20s. However, impacts involving balance changes and authority freezes caused by the token contract itself are out of scope, such as rebase tokens
- ERC721 and ERC777 are incompatible with DeGate
Validity of bugs dependent on 100% trusted actors or privileged addresses:
- DeGate is built on the principle of Trustlessness, or ‘Can’t do evil’. Impacts due to the unintended functions of an Operator are especially valuable and valid for a reward.
- DeGate is interested in all impacts caused by the unintended functionality of multisig owners. Such bugs are in scope and valid for a reward, with the exception of impacts dependent on the multisig owners proposing new malicious code that will only implement after a 45 day delay.
Repeatable Attack Limitations
- If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attacks within the first hour will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk.
- For critical repeatable attacks on smart contracts that can not be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward.
Feasibility Limitations
The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.
Therefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.
Direct theft of funds exceeding 1,000,000 USD from the Default Deposit Contract
Permanent freezing of funds exceeding 2,500,000 USD in the Default Deposit Contract.
Theft of funds from the Default Deposit Contract that requires malicious actions from the DeGate Operator.
Permanent freezing of funds from the Default Deposit Contract that requires malicious actions from the DeGate Operator.
Direct theft of user funds from the Default Deposit Contract that is less than 1,000,000 USD.
Permanent freezing of funds in the Default Deposit Contract that is less than 2,500,000 USD.
Force DeGate into Exodus Mode
Impact of this malicious contract verification through zk-proof
The amount of tokens in the L2 is inconsistent with that of the L1, except for Non-Standard tokens (Zero Knowledge Proof Circuit)
Climbing blocks fails to recovery the asset tree (Zero Knowledge Proof Circuit)
Temporary freezing of funds: Minimum freezing of 15 days (Zero Knowledge Proof Circuit)
Prevent new token from registering (Zero Knowledge Proof Circuit)
Out of scope
These impacts are out of scope for this bug bounty program.
All Categories:
- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
- Impacts caused by attacks requiring access to leaked keys/credentials
- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
- Best practice recommendations
- Feature requests
- Impacts on test files and configuration files unless stated otherwise in the bug bounty program
Blockchain/DLT & Smart Contract Specific:
- Incorrect data supplied by third party oracles
- Not to exclude oracle manipulation/flash loan attacks
- Impacts requiring basic economic and governance attacks (e.g. 51% attack)
- Lack of liquidity impacts
- Impacts from Sybil attacks
- Impacts involving centralization risks
- Impacts involving balance changes and authority freezes caused by the token contract itself, such as rebase tokens
- Impacts involving the need to use more than 300 ETH in gas fees to force entry into Exodus Mode through block stuffing, storage occupation, or executing other potential economic attacks.
Prohibited Activities:
- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet
- Any testing with pricing oracles or third-party smart contracts
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks that are executed against project assets
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty
Responsible Publication
Whitehats may publish their bug reports after they have been fixed & paid, or closed as invalid, with the following exceptions:
- Out-of-scope bugs which are in-scope for DeGate’s normal bug bounty program may not be published. Such bug reports are to be submitted to DeGate’s normal bug bounty program.
- Bug reports in mediation may not be published until mediation has concluded.
Immunefi may publish bug reports submitted to this audit competition.