Mars Ecosystem

The fundamental issue within most current stablecoin protocols is positive externality. The cost of producing and maintaining stablecoins are incurred by the protocol and its users (minters, share holders, bond holders). Whereas the majority of the value comes from the transaction The fundamental issue within most current stablecoin protocols is positive externality. The cost of stablecoins within DeFi primitives and is captured by these DeFi primitives.

Mars Ecosystem solves this problem by integrating the creation and the use of stablecoin into one stable yet decentralized ecosystem. The relationship between Mars Stablecoin and Mars DeFi platform creates a positive feedback loop and generates a flywheel effect.

Mars Stablecoin (USDm) is price stable, capital efficient, scalable and decentralized. It is an over-backed stablecoin: the redeemability of USDm is backed by the Mars Ecosystem Governance Token (XMS). The market cap of XMS is always multiple times the market cap of Mars Stablecoin which ensures that the stablecoin can be redeemed 1:1 at any given time.

Mars Swap provides liquidity between Mars Stablecoin and all the other tokens, making USDM the ideal medium of exchange and store of value for DeFi. The incurred transaction fees generated at Mars Swap are used to back the stability of Mars Stablecoin.

For more information about Mars Ecosystem, please visit https://marsecosystem.com/.

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System 3.2. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.

All bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required.

Bugs reported in the following audits are not eligible for a reward:

• SlowMist Audit
• CertiK Audit

Payouts are handled by the Mars Ecosystem team directly and are denominated in USD. However, payouts are done in XMS or BUSD, at the discretion of the team.

All smart contracts of Mars Ecosystem can be found at https://github.com/MarsEcosystem. However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.

SMART CONTRACT

Theft of user funds: is a worst case scenario for a project. An example of in-motion funds is a swap. A user is transferring funds to the contract with the full expectation to exchange them for an equivalent value of another asset. If an attacker can manipulate the system in such a way that a user incurs losses during the transfer and the attacker profits, this is considered direct theft of user funds. If users are losing their stake, principal, vault balances, etc, that is theft of user funds.

Permanent Freezing of funds: This includes bricking a contract which holds tokens so that a user is no longer able to withdraw their funds. It may also include burning of funds so that they can no longer be accessed by the owner. This also includes things like self-destructing implementation contracts so that the proxy becomes useless. The impact here is that funds within a system are no longer accessible.

Protocol Insolvency: Some protocols provide yield to some users that is paid by other users (e.g. Compound lenders are owed yield that is provided by borrowers). An error in this calculation could result in the amount owed to users exceeding the amount owed by other users. This is insolvency. Alternatively, the protocol could have debts that exceed its assets in other ways. Of course this does not include "bank run" situations where it’s temporarily not possible to withdraw money from the protocol, but the protocol is otherwise adequately collateralized

Theft of Unclaimed Yield: A yield is any asset distributed as a reward for participation in a system. Any theft of these rewards before they are distributed or claimed is classified as theft of an unclaimed yield.

Permanent Freezing of Unclaimed Yield: A yield is any asset distributed as a reward for participation in a system. Whenever an attacker can prevent the yield from being able to move from the contract, for example by making the harvest() function always fail, this would mean the yield is permanently frozen.

Temporary Freezing of Funds: This classification refers to temporary freezing of funds belonging to the protocol or another user, which the attacker does not own. There may be an amount of time or number of blocks which is in an acceptable range of operation for a project and is therefore excluded from consideration under this impact; however, this range of operation should be kept as short as possible because attacker locked funds can significantly impact user experience and cause rippling issues for a protocol. If an attacker needs to submit many costly transactions to achieve this impact, it is instead "Griefing" and is classified as "Medium".

Smart contract unable to operate due to lack of token funds: This classification refers to bugs that mark the smart contract as unable to operate or work correctly due to lack of token funds. There may be cases where the smart contract cannot pay out any rewards for staked tokens because the contract doesn't hold any funds or won't accept any reimbursements. Another example would be the LINK token required to pay for certain Chainlink services. If those services are required for proper function of the system and it's possible (or likely) for the funds to be depleted, that would be a vulnerability.

Unbounded gas consumption: Any looping done over an arbitrarily sized array may be vulnerable to unbounded gas consumption. If an attacker can add enough items to cause the gas used to call the function to exceed the block gas limit, it can result in a denial of service attack and prevent the function from being called.

WEBSITES AND APPLICATIONS

Execute arbitrary system commands This impact refers to a security vulnerability in a website or application that allows an attacker to execute arbitrary commands on the underlying system. This type of vulnerability is often called arbitrary command injection. The impact of this vulnerability can be severe, as it provides the attacker with the ability to perform unauthorized actions on the affected system like Remote Command Execution (RCE).

Retrieve sensitive data/files from a running server This impact allows an attacker to access and retrieve sensitive data or files from the affected server. This type of vulnerability is often called "information disclosure" or "data leakage." The impact of this vulnerability can be significant, as it exposes sensitive information that can be used for malicious purposes or further attacks.

Taking down the application/website An attack that results in the disruption or complete unavailability of a website or application. This impact is different from DoS as it only refers to a vulnerability found in the application logic/code. When a website or application is taken down, it affects the user experience and the ability of users to access services and resources provided by the affected application. This can lead to customer dissatisfaction and potential loss of revenue for businesses that rely on the availability of their online services. The longer the downtime, the greater the potential negative impact on both users and the organization behind the website or application.

Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user The attacker found a way to bypass the access control protection and arbitrarily update the other data without any interaction requirement. An attacker is able to perform actions that modify the state of the system or the network on behalf of other users, without the users' knowledge or consent.

Subdomain takeover with already-connected wallet interaction This impact refers to a security vulnerability where an attacker gains control over a subdomain of a website or application, particularly one that interacts with users' connected cryptocurrency wallets. This takeover allows the attacker to manipulate the content and functionality of the subdomain, potentially leading to unauthorized interactions with the connected wallets.

Direct theft of user funds It refers to a security vulnerability or an attack that results in the unauthorized transfer or misappropriation of users' digital assets, such as cryptocurrencies or tokens, directly from their wallets or accounts. One way someone can do this is by making unauthorized calls on the RPC. RPC is a communication method used to interact with blockchain nodes for sending transactions, querying data, and performing other actions. If there is a vulnerability or misconfiguration in the RPC implementation, an attacker might exploit it to directly steal user funds.

Malicious interactions with an already-connected wallet

• Modifying transaction arguments or parameters The attacker found a way to substitute the contract address with a malicious contract address stored at the frontend level.

• Substituting contract addresses The attacker found a way to modify the parameters of the transaction calls made to the wallet connected to the front end.

• Submitting malicious transactions The attacker found a way to inject malicious javascript code into the frontend that could initiate a malicious transaction to the wallet connected to the frontend

Injecting/modifying the static content on the target application without Javascript (Persistent) The attacker discovered a method to persistently inject HTML code or plain text into the frontend, which could potentially deceive users visiting the frontend into providing sensitive keys, navigating to an external site controlled by the attacker, or falling for phishing

Subdomain takeover without already-connected wallet interaction The attacker found a way to claim or hijack the subdomain and inject a malicious code that could be used as a phishing vector for victims visiting the subdomain.

The following vulnerabilities are excluded from the rewards for this bug bounty program:

• Attacks that the reporter has already exploited themselves, leading to damage
• Attacks requiring access to leaked keys/credentials
• Attacks requiring access to privileged addresses (governance, strategist)

Smart Contracts and Blockchain

• Incorrect data supplied by third party oracles
  • Not to exclude oracle manipulation/flash loan attacks
• Basic economic governance attacks (e.g. 51% attack)
• Lack of liquidity
• Best practice critiques
• Sybil attacks
• Protocol Risks Caused by BlockChain(BNB Chain) Vulnerabilities
• Sandwich attack during swap with the issues with victim leading to exploiting himself
• The residual unowned rewards in the contract is frozen
• Withdrawal of abnormally entered (such as direct transfer) assets through the contract public function
• Assets entered abnormally (such as direct transfer) cannot be withdrawn
• Issues with the LP contracts that are due to specific underlying tokens are not in scope.

Websites and Apps

• Theoretical vulnerabilities without any proof or demonstration
• Content spoofing / Text injection issues
• Self-XSS
• Captcha bypass using OCR
• CSRF with no security impact (logout CSRF, change language, etc.)
• Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”)
• Server-side information disclosure such as IPs, server names, and most stack traces
• Vulnerabilities used to enumerate or confirm the existence of users or tenants
• Vulnerabilities requiring unlikely user actions
• URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)
• Lack of SSL/TLS best practices
• DDoS vulnerabilities
• Attacks requiring privileged access from within the organization
• Feature requests
• Best practices
• Internal SSRF
• Path Traversal with no impact
• SPF/DKIM/DMARC Configuration Problems
• SSL misconfigurations
• SSL/TLS issues (weak crypto, improper setup)
• Clickjacking
• Misleading Unicode text (e.g. using right to left override characters)
• HTTP security headers
• Cache control issues

The following activities are prohibited by this bug bounty program:

• Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
• Any testing with pricing oracles or third party smart contracts
• Attempting phishing or other social engineering attacks against our employees and/or customers
• Any testing with third-party systems and applications (e.g., browser extensions) as well as websites (e.g., SSO providers, advertising networks)
• Any denial of service attacks
• Automated testing of services that generates significant amounts of traffic
• Public disclosure of an unpatched vulnerability in an embargoed bounty