Autonomy
Program Overview
Autonomy Network is an off-the-shelf, generalized automation solution that gives Web3 on-chain conditional execution. It is a decentralized network built on users, executors and the blockchain, and a B2B infrastructure tool that dapps use to add features such as limit orders, stop losses, and impermanent loss prevention.
For more information about Autonomy Network, please visit https://www.autonomynetwork.io/.
This bug bounty program is focused on their smart contracts and on preventing:
- Theft or loss of value of funds on any contract
- Attack that would modify or change the requirements of an order
- Attack that would invalidate the execution of an order
- DoS of order-executing bots
Rewards by Threat Level
Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.2. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.
All Critical Smart Contract bug reports require a PoC and a suggestion for a fix to be eligible for a reward. All High and Medium Smart Contract bug reports require a suggestion for a fix to be eligible for a reward.
In addition to Immunefi’s Vulnerability Severity Classification System, Autonomy Network classifies the following vulnerabilities as shown below. In case of discrepancy, the classification below will be followed.
Critical
- Theft or loss of value of funds on any contract
High
- Attack that would modify or change the requirements of an order
Medium
- Attack that would invalidate the execution of an order
Low
- DoS of order-executing bots
The following known issues are not eligible for a reward:
- The ‘Miner’ contract in https://github.com/Autonomy-Network/autonomy-contracts
- Issues addressed in https://github.com/HashEx/public_audits/blob/master/autonomy/Autonomy%20report.pdf
- Issues addressed in https://drive.google.com/drive/folders/1eg3OeaHRT0NcyV6IpAlwZhvhU6mZoBDG?usp=sharing
- Executors can choose not to execute and essentially censor requests from execution temporarily
- Executors can uniquely frontrun limit orders
- The owner can change the oracle price, change the default token used to pay, etc., which affects users
- The gas refunded is not the correct amount
- Requests can be spammed and fill up the Registry
- Overflows can occur from user-inputted values, such as in the line uniArgs.amountOutMax * tradeInput / msg.value
- Users can waste the gas of executors by making them think something is executable, then frontrunning it to make it not executable
- An executor can manipulate when an order is triggerable by taking out a flash loan and moving the market before the execution, within the same transaction
Payouts are handled by the Autonomy Network team directly and are denominated in USD. However, payouts are made in USDT, DAI or ETH, with the ratio chosen at the discretion of the team.
Smart Contract

| Level | Payout |
| --- | --- |
| Critical | USD $50,000 |
| High | USD $15,000 |
| Medium | USD $5,000 |
| Low | USD $1,000 |
Assets in scope
| Target | Type |
| --- | --- |
| PriceOracle | Smart Contract |
| Oracle | Smart Contract |
| StakeManager | Smart Contract |
| Forwarder (user forwarder) | Smart Contract |
| Forwarder (fee forwarder) | Smart Contract |
| Forwarder (user fee forwarder) | Smart Contract |
| Registry | Smart Contract |
| Timelock | Smart Contract |
| UniV2LimitsStops | Smart Contract |
All smart contracts of Autonomy Network can be found at https://github.com/Autonomy-Network/autonomy-contracts and https://github.com/Autonomy-Network/uniV2-limits-stops/tree/eth-to-avax-names-2 . However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.
Impacts in scope
Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.
Smart Contract

| Impact | Severity |
| --- | --- |
| Critical Smart Contract Impact | Critical |
| High Smart Contract Impact | High |
| Medium Smart Contract Impact | Medium |
| Low Smart Contract Impact | Low |
Out of Scope & Rules
The following vulnerabilities are excluded from the rewards for this bug bounty program:
- Attacks that the reporter has already exploited themselves, leading to damage
- Attacks requiring access to leaked keys/credentials
- Attacks requiring access to privileged addresses (governance, strategist)
Smart Contracts and Blockchain
- Incorrect data supplied by third party oracles (this does not exclude oracle manipulation/flash loan attacks)
- Basic economic governance attacks (e.g. 51% attack)
- Lack of liquidity
- Best practice critiques
- Sybil attacks
The following activities are prohibited by this bug bounty program:
- Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
- Any testing with pricing oracles or third party smart contracts
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty