Bitflow

Bitflow, a decentralized exchange (DEX) built on the Stacks blockchain, positioning itself as a key liquidity hub for Bitcoin DeFi users (traders, liquidity providers, and developers). Bitflow has a history of recreating battle tested DEX smart contracts in the Clarity smart contract language, as well as innovating with new designs such as the variable midpoint stableswap. In the past, Bitflow has delivered Curve style pools, Uniswap V2 style pools, and Jupiter style aggregator contracts for multi-dex swaps.

This BBP (bug bounty program) however will initially focus exclusively on a new orderbook style AMM that unlocks concentrated liquidity in the Stacks ecosystem. Bitflow calls this the HODLMM – High-throughput, Orderbook-style, Decentralized Liquidity Market Maker. Concentrated liquidity is much more efficient for traders and liquidity providers compared to legacy AMMs like the Uniswap V2 design, and this implementation draws inspiration from Trader Joe’s Liquidity Book AMM and Meteora’s DLMM designs. Over time, the scope may expand to include contracts for legacy AMMs and more peripheral contracts built on HODLMM

For more information about Bitflow, please visit https://www.bitflow.finance/

Bitflow provides rewards in STX on Stacks, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below.

Primacy of Impact vs Primacy of Rules

Bitflow adheres to the Primacy of Impact for the following impacts:

• Smart Contract - Critical
• Smart Contract - High
• Web/App - Critical

Primacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see Best Practices: Primacy of Impact

When submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. Instead, check if those other projects have a bug bounty program on Immunefi.

If the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.

All other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program.

Proof of Concept (PoC) Requirements

A PoC, demonstrating the bug's impact, is required for this program and has to comply with the Immunefi PoC Guidelines and Rules.

Public Disclosure of Known Issues

Bug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk.

Bitflow HODLMM Known Issues (Most here were acknowledged during Completed Audits)

• Pool Operations Lack Deadline Checks

  • Deadlines allow users to specify the time by which the operation must be executed otherwise it would be invalid.

• Pool verification status set during pool creation, and allows unverified pools to exist

  • Even though they can’t be verified, in theory malicious pools contracts can still be deployed and swapped through via core. This is intentional to ensure that permissionless pool creation is possible when public pool creation is enabled. Note that liquidity remains isolated in each pool contract.

• Verified pools can still contain malicious tokens

  • Malicious tokens can therefore be swapped through core or peripheral routers
  • At scale, there is no way to check on-chain for whether or not a token is malicious during pool creation (unlike template pool contracts that can be compared to a hash of the code body).
  • Peripheral router contracts could be built on top to maintain a list of verified tokens (separate from core) to add more protection to user’s swaps and liquidity provision.

• Avoid using ‘tx-sender’ for Caller Authorization

• Throughout the codebase there are instances where tx-sender is used instead of contract-caller or passing the caller address. By doing this, users that fall to phishing scams and interact with malicious contracts can unwittingly interact with the codebase and execute sensitive operations. By using contract-caller, we lose composability for more peripheral contracts to be built on top; tx-sender allows for that which means that phishing is possible. Users looking out for post conditions will also help mitigate risk of phishing attacks.

• Variable Fee Design Choices

  • The current variable fee is intended to serve as a volatility fee, where many bin changes in recent blocks will result in increased variable fee, which can also be reset or reduced.
  • The pool uses specific data points to calculate the fee. Admins can calculate off-chain the fee and set the fees via a set-variable-fees call, with the intent that in the future, a peripheral contract will update these via asynchronous calls.
  • With this design, multi-bin swaps can often precede a fee adjustment
  • Lower fee swaps can be frontrun if users see a fee-increase transaction in the mempool.
  • Users may be charged more than needed if the transactions to reset or lower the variable fees do not get confirmed before more swaps get confirmed
  • Users could be charged too high of a variable fee by a malicious admin that also deploys liquidity into a bin

• Absence of Preview Functions for Key Operations

  • Current implementation does not offer any mechanism of previewing operation results.
  • Intention is to create a peripheral contract with preview functions, one for each major operation in the core contract: swap-x-for-y, swap-y-for-x, add-liquidity, withdraw-liquidity, and move-liquidity

• Remove Redundant begin Blocks

  • Throughout the codebase, after let declarations, the implementation redundantly adds a begin block instead of just writing the next statements as it is normally allowed by the let block. This is done, redundantly in almost all contracts, all instances of begin code blocks can be removed.

• Bin steps can be added with wrong values and they cannot be updated/removed

  • With the ability to migrate to new core contracts, admins can upgrade with the corrected bin factors.

• Multi-bin swaps using favorable bins can actually lead to worse outcomes

  • A user can actually do worse when favorable bins are available because the capacity of those bins is not as high as they expected. The result is unexpected funds loss for the user. However, the user can prevent this by setting min-received correctly for each swap step. The unfavorable bin logic only compares the active bin ID to the expected bin ID, not bin balances or other factors. Bitflow calculates min-received per swap off-chain and enforces it on-chain. Thus, this was assessed by auditors as informational.

• Malicious core contract upgradability if an admin is compromised

  • A malicious admin could attempt to upgrade pools to use a new core contract
  • if original deployer or admin hasn’t frozen migration and hasn’t noticed within the cooldown period of at least 1 week.
  • In a previous design, Bitflow had no way to upgrade the core contract. The likelihood of needing to roll out a new version is eventually high.

• Implement Timelocks for Sensitive Configuration Changes

  • Admins can modify some configuration parameters at any time and changes take place immediately. This creates risk for existing users (including but not limited to: higher fees, disabling of swaps, etc)

Previous Audits

Bitflow’s completed audit reports can be found at https://docs.Bitflow.finance/Bitflow-documentation/resources/audits. Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.