Security Bounty Program

Ubiquity's Bounty Program

While waiting for an audit from Open Zeppelin, Trail of Bits, or Quantstamp, we'd like to be prudent and do our best to catch issues before real money is on the line.

Audits

CertiK

Overview

You can make money by reporting bugs, and additional money by including pull requests with fixes. The bounty program is set up in two parts:
  1. Engineering Issues (Software Bug Exploits)
  2. Design Issues (Economic Exploits)
Details below.

Engineering Issues

(Software Bug Exploits)
We’re running a bug bounty indefinitely to reward bug discovery and reporting on specific Solidity smart contracts, with rewards up to $25000 in non-expiring uAD coupons, redeemable as per the protocol’s standard ruleset.
The value of rewards will vary depending on severity as judged by the Ubiquity team. Severity is determined according to the OWASP risk rating model based on Impact and Likelihood, as employed in the Ethereum bug bounty campaign.

Bounties

Payouts are available in uDEBT tokens, which are redeemable when the largest market price for uAD-3CRV is above $1.00. We can discuss special payment accommodations if required in other stablecoins, but we will be paying less than the below listed dollar value in other tokens.
Tiers (amount, then description):
  • 1000: Thanks for the tip. We'll make a note of it!
  • 5000: Several of these would damage Ubiquity's credibility with the community.
  • 10000: One of these would damage Ubiquity's credibility with the community.
  • 10%: Generally involves the ability to drain a smart contract's token balance entirely, or the ability to mint infinite tokens, fast enough that it would be unrealistic for us to stop the attack midway. We'd end up on rekt for this one.

Bug Rules

  • Bounties go to the first report.
  • Don’t steal or attempt to steal others' funds.
  • Don’t publicly disclose a bug before it has been fixed.
  • Paid auditors of this code are not eligible for rewards.
  • Public disclosure of the vulnerability, before explicit consent from Ubiquity to do so, will make the vulnerability ineligible for a bounty.
  • Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of the Ubiquity team.

Out of Bounds

  • Any frontend applications or client-side code interacting with the contracts, as well as testing code.
  • Mismatch between the functionality of the contracts and outdated spec documents.
  • Findings derived primarily from social engineering (e.g. phishing).
  • Non-security-critical issues (e.g. style or gas optimizations) are ineligible.
  • Findings from applications or systems not listed in the ‘Scope’ section.
  • UI/UX bugs, data entry errors, spelling mistakes, typos, etc.
  • Network-level Denial of Service (DoS/DDoS) vulnerabilities.
  • Spam or social engineering techniques, including SPF and DKIM issues.
  • Security bugs in third-party applications or services.
  • XSS exploits that do not pose a security risk to 'other' users (Self-XSS).
  • Login/Logout CSRF-XSS.
  • HTTPS/SSL or server-info disclosure related issues.
  • Brute-force attacks.

Areas of Interest

  • Loss of assets
    • A user or the protocol loses assets in a way that they did not explicitly authorize.
    • A user or the protocol authorized a transaction but spends more assets than normally expected (e.g. an order is allowed to be over-filled).
  • Unintended contract state
    • A user is able to update the state of a contract such that it is no longer usable.
    • Any assets get unexpectedly "stuck" in a contract with regular use of the contract's public methods.
  • Incorrect math calculations
    • Overflows or underflows result in unexpected behaviour.
    • Reward payouts are incorrect.
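As an added illustration of what two of these classes look like in code (this is a hypothetical example contract written for this page, not Ubiquity's code and not any of the in-scope contracts; `RewardVaultExample`, its functions and the `owed` ledger are all invented names), the snippet below puts a vulnerable form of each next to a hardened form: a reward-vault balance that underflows inside an `unchecked` block, and a push-style reward distribution where one failing transfer leaves every depositor's reward stuck in the contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical example contract, not part of the uAD protocol.
// It sketches two of the bug classes listed under "Areas of Interest".

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract RewardVaultExample {
    IERC20 public immutable token;
    address public immutable owner;
    mapping(address => uint256) public deposits;
    mapping(address => uint256) public owed;   // pull-payment ledger
    uint256 public rewardPerDeposit;           // reward units per token deposited

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(IERC20 _token, uint256 _rewardPerDeposit) {
        token = _token;
        owner = msg.sender;
        rewardPerDeposit = _rewardPerDeposit;
    }

    function deposit(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        deposits[msg.sender] += amount;
    }

    // --- Incorrect math: underflow ---
    // Vulnerable form: `unchecked` turns off the 0.8 arithmetic checks, so a caller
    // withdrawing more than they deposited wraps their balance to a huge value instead
    // of reverting, and the transfer below still goes out. Pre-0.8 compilers behaved
    // this way by default, which is why this class appears on older contracts.
    function withdrawUnchecked(uint256 amount) external {
        unchecked {
            deposits[msg.sender] -= amount;   // wraps on underflow
        }
        require(token.transfer(msg.sender, amount), "transfer failed");
    }

    // Hardened form: an explicit bound check plus checked arithmetic. Either alone
    // reverts; together they make the intended invariant readable to an auditor.
    function withdraw(uint256 amount) external {
        require(deposits[msg.sender] >= amount, "insufficient deposit");
        deposits[msg.sender] -= amount;       // reverts on underflow in 0.8+
        require(token.transfer(msg.sender, amount), "transfer failed");
    }

    // --- Unintended state: stuck assets ---
    // Vulnerable form: rewards are pushed to every depositor in one loop. If a single
    // transfer fails (a recipient the token contract refuses to pay, for instance),
    // the whole call reverts, nobody can be paid, and the reward balance is stuck.
    function distributePush(address[] calldata users) external onlyOwner {
        for (uint256 i = 0; i < users.length; i++) {
            uint256 reward = deposits[users[i]] * rewardPerDeposit;
            require(token.transfer(users[i], reward), "transfer failed");
        }
    }

    // Hardened form: record what each user is owed and let each user pull it, so one
    // failing recipient cannot block the others.
    function distributePull(address[] calldata users) external onlyOwner {
        for (uint256 i = 0; i < users.length; i++) {
            owed[users[i]] += deposits[users[i]] * rewardPerDeposit;
        }
    }

    function claim() external {
        uint256 amount = owed[msg.sender];
        require(amount > 0, "nothing owed");
        owed[msg.sender] = 0;                 // update state before the external call
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}
```

A report against either vulnerable form would fit the reporting template below: the location (function and line), the impact (wrapped balance lets a caller drain the vault; one reverting recipient freezes all rewards), and a reproduction script that calls the function with the triggering input on a testnet deployment.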

Reporting

How to Report a Security Vulnerability:
  • Description of the location and potential impact of the vulnerability.
  • A detailed description of the steps required to reproduce the vulnerability (PoC scripts, screenshots, and compressed screen captures are all helpful to us).
  • Your name/handle and a link for recognition in our Hall of Fame (Twitter, Reddit, Facebook, HackerOne, etc.).

Scope

The scope of the bug bounty is limited to the following contracts, deployed on the Ropsten testnet:
  • TWAPOracle - addr - Contract Source Code - A TWAP oracle implemented to work with Curve’s StableSwap meta pools.
  • UbiquityAlgorithmicDollarManager - addr - Contract Source Code - A central configuration and access control manager for the uAD system.
  • BondingShare - addr - Contract Source Code - ERC20 token that users get after depositing their uAD into the Bonding contract.
  • Bonding - addr - Contract Source Code - The main contract that users will interact with to bond their uAD tokens, and later redeem the received bonding shares to get uAD back.
  • DebtCoupon - addr - - A coupon redeemable for dollars, implemented as an ERC1155 token where the token ID is the expiry block number.
  • DebtCouponManager - addr - Contract Source Code - Implements and controls the debt issuing and redemption mechanism for coupon holders.
  • ExcessDollarsDistributor - addr - Contract Source Code - An excess dollar distributor that sends dollars to the treasury, LP rewards, and inflation rewards.
  • UbiquityAlgorithmicDollar - addr - Contract Source Code - Implementation of the ERC20 compliant uAD token.

Design Issues

(Economic Exploits)
During a period of X days between XXX and XXX, the protocol will be deployed on the Ropsten testnet and will be open for experimentation. During this time a leaderboard will be formed of the participants who have earned the most uAD during the period, per ETH spent.
The top 3 earners in the leaderboard will receive rewards as follows:
  • 1st place XX in coupons
  • 2nd place XX in coupons
  • 3rd place XX in coupons

Rules

  • In order to be eligible for the rewards, participants must disclose their strategy in full, plus all addresses used in the process.
  • The goal of the exercise is to determine economic exploits, not to determine who has the most funds on the Kovan testnet. As such:
    • Entries which rely on huge amounts of ETH will not be scored highly.
    • Entries which are applicable only at very minor scale will not be scored highly.
  • As a continuation of the above point, the highest-rated entries will be the ones which have realised the most ROI while also having a non-trivial amount of uAD at the end (e.g. > 1000).
  • The funds need to be obtained via the normal functioning of the system (i.e. not via bugs). If any bugs are found, they are eligible for the bug bounty instead.
  • Determinations of eligibility, score, and all terms related to an award are at the sole and final discretion of the Ubiquity team.

Inspiration

  • Front-running the interactions with the bonding and debt coupon contracts. That is, front-running bonding the uAD token and redeeming the bonding shares, and also the exchange between uAD and uDEBT coupons.