Triaged by Immunefi
Step-by-step PoC Required
KYC required
Assets in Scope
This is an invite-only audit competition. Therefore, in-scope assets are not publicly available.
Impacts in Scope
Build Commands, Test Commands, and How to Run Them
Included in repo readme
Previous Audits
Paradex’s completed audit reports can be found at https://github.com/Cairo-Security-Clan/Audit-Portfolio/blob/main/Paradex_Audit_Report.pdf. Unfixed vulnerabilities mentioned in these reports are not eligible for a reward.
The L1 Bridge contract is a fork of Starknet's StarkGate bridge with some minor additions. Its audits are:
- https://github.com/tradeparadex/paradex-docs/blob/main/fern/assets/Starknet_Core_Summary_Report_Sept_2022.pdf
- https://github.com/tradeparadex/paradex-docs/blob/main/fern/assets/StarkGate_Oct_2023.pdf
- https://github.com/tradeparadex/paradex-docs/blob/main/fern/assets/StarkGate_Oct_2024.pdf
Private Known Issues Reward Policy
Private known issues, meaning known issues that were not publicly disclosed, are valid for a reward.
Optional Project Info
Is this an upgrade of an existing system? If so, which? And what are the main differences?
Mainnet is currently running a slightly newer version of the code that's being audited.
The StarkGate contract deployed on mainnet is exactly the same as the one in the repo.
Where do you suspect there may be bugs and/or what attack vectors are you most concerned about?
Attack Vectors:
- Stealing User Funds / Unauthorized fund transfers
- Market Manipulation
What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported?
ERC20
Which chains and/or networks will the code in scope be deployed to?
We currently run on a Starknet app chain.
What external dependencies are there?
OpenZeppelin, Alexandria Data Structures
Are there any unusual points about your protocol that may confuse Security Researchers?
Potentially: the way some transfer restrictions are implemented, and some of the functionality implemented on Vaults, can be quite complex.
What are the most valuable educational resources already available? (Ie. Documentation, Explainer videos or articles, etc)
- Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
- Permanent freezing of funds
- Protocol insolvency
- Theft of unclaimed yield
- Permanent freezing of unclaimed yield
- Temporary freezing of funds for at least 24 hours
- Smart contract unable to operate due to lack of token funds
- Block stuffing
- Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
- Temporary freezing of funds for at least 1 hour
- Contract fails to deliver promised returns, but doesn't lose value
- Theft of gas
Out of scope
All categories
- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
- Impacts caused by attacks requiring access to leaked keys/credentials
- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed
- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
- Mentions of secrets, access tokens, API keys, private keys, etc. in GitHub will be considered out of scope without proof that they are in use in production
- Best practice recommendations
- Feature requests
- Impacts on test files and configuration files unless stated otherwise in the bug bounty program
- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers