While waiting for an audit from OpenZeppelin, Trail of Bits, or Quantstamp, we'd like to be prudent and do our best to catch issues before real money is on the line.
You can make money by reporting bugs, and additional money by including pull requests with fixes. The bounty program is set up in two parts:
- Engineering Issues (Software Bug Exploits)
- Design Issues (Economic Exploits)
Engineering Issues (Software Bug Exploits)
We’re running a bug bounty indefinitely to reward bug discovery and reporting on specific Solidity smart contracts, with rewards up to $25000 in non-expiring uAD coupons, redeemable as per the protocol’s standard ruleset.
The value of rewards will vary depending on severity as judged by the Ubiquity team. Severity is determined according to the OWASP risk rating model based on Impact and Likelihood, as employed in the Ethereum bug bounty campaign.
Payouts are available in uDEBT tokens, which are redeemable when the largest market price for uAD-3CRV is above $1.00. We can discuss special payment accommodations if required in other stablecoins, but we will be paying less than the below listed dollar value in other tokens.
The severity tiers are described as follows, from lowest to highest:
- Thanks for the tip. We'll make a note of it!
- Several of these would damage Ubiquity's credibility with the community.
- One of these would damage Ubiquity's credibility with the community.
Rules:
- Bounties go to the first report.
- Don't steal or attempt to steal others' funds.
- Don’t publicly disclose a bug before it has been fixed.
- Paid auditors of this code are not eligible for rewards.
- Public disclosure of the vulnerability, before explicit consent from Ubiquity to do so, will make the vulnerability ineligible for a bounty.
- Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of the Ubiquity team.
Out of scope:
- Any frontend applications or client-side code interacting with the contracts, as well as testing code.
- Mismatch between the functionality of the contracts and outdated spec documents.
- Findings derived primarily from social engineering (e.g. phishing, etc.)
- Non-security critical issues (e.g. style or gas optimizations) are ineligible.
- Findings from applications or systems not listed in the 'Scope' section
- UI/UX bugs, data entry errors, spelling mistakes, typos, etc.
- Network-level Denial of Service (DoS/DDoS) vulnerabilities
- Spam or social engineering techniques, including SPF and DKIM issues
- Security bugs in third-party applications or services
- XSS exploits that do not pose a security risk to 'other' users (Self-XSS)
- Login/Logout CSRF-XSS
- HTTPS/SSL or server-info disclosure related issues
- Brute-force attacks
In scope (examples of eligible issues):
- Loss of assets
  - A user or the protocol loses assets in a way that they did not explicitly authorize
  - A user or the protocol authorized a transaction but spends more assets than normally expected (e.g. an order is allowed to be over-filled).
- Unintended contract state
  - A user is able to update the state of a contract such that it is no longer usable
  - Any assets get unexpectedly "stuck" in a contract with regular use of the contract's public methods.
- Incorrect math calculations
  - Overflows or underflows result in unexpected behaviour.
  - Reward payouts are incorrect.
How to Report a Security Vulnerability:
- Description of the location and potential impact of the vulnerability
- A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us)
- Your name/handle and a link for recognition in our Hall of Fame (Twitter, Reddit, Facebook, HackerOne, etc.)
- Let us know on our Discord
The scope of the bug bounty is limited to the following contracts, deployed on the Ropsten testnet:
- TWAPOracle - addr - Contract Source Code - A TWAP oracle implemented to work with Curve’s StableSwap meta pools.
- UbiquityAlgorithmicDollarManager - addr - Contract Source Code - A central configuration and access control manager for the uAD system.
- BondingShare - addr - Contract Source Code - ERC20 token that users get after depositing their uAD into the Bonding contract.
- Bonding - addr - Contract Source Code - The main contract that users will interact with to bond their uAD tokens, and later redeem the received bonding shares to get uAD back.
- DebtCoupon - addr - A coupon redeemable for dollars, implemented as an ERC1155 token where the token ID is the expiry block number.
- DebtCouponManager - addr - Contract Source Code - Implements and controls the debt issuing and redemption mechanism for coupon holders.
- ExcessDollarsDistributor - addr - Contract Source Code - An excess dollar distributor that sends dollars to the treasury, LP rewards, and inflation rewards.
- UbiquityAlgorithmicDollar - addr - Contract Source Code - Implementation of the ERC20 compliant uAD token.
Design Issues (Economic Exploits)
During a period of X days between XXX and XXX, the protocol will be deployed on the Ropsten testnet and will be open for experimentation. During this time a leaderboard will be formed with the participants who have earned the most uAD during this time period, per ETH spent.
The top 3 earners in the leaderboard will receive rewards as follows:
- 1st place XX in coupons
- 2nd place XX in coupons
- 3rd place XX in coupons
- In order to be eligible for the rewards, participants must disclose their strategy in full and all addresses used in the process.
- The goal of the exercise is to determine economic exploits, and not to determine who has the most funds on the Kovan testnet. As such:
  - Entries which rely on huge amounts of ETH will not be scored highly
  - Entries which are applicable only at very minor scale will not be scored highly
  - As a continuation of the above point, the highest-rated entries will be the ones which have realised the most RoI while also having a non-trivial amount of uAD at the end (e.g. > 1000)
- The funds need to be obtained via the normal functioning of the system (e.g. not via bugs). If any bugs are found, they are eligible for the bug bounty report.
- Determinations of eligibility, score, and all terms related to an award are at the sole and final discretion of the Ubiquity team.
Examples of attack classes of particular interest:
- The Harvest attack/arbitrage that exploited/leveraged Curve's pool oracle (Deep Analysis on Harvest Attack)
- Reentrancy attacks - Exploiting any functions that should send tokens (Reentrancy Attack On Smart Contracts: How To Identify The Exploitable And An Example Of An Attack Contract).
- DoS attacks - Making any of the contracts unresponsive or getting tokens locked indefinitely. See Parity Multisig Wallet (Second Hack) and King of the Ether Post-Mortem.
- Front-running the interactions with the bonding and debt coupon contracts. That is, front-running bonding the uAD token and redeeming the bonding shares, and also the exchange between uAD and uDEBT coupons.