Security Bounty Program

Ubiquity's Bounty Program

Audits

CertiK

PRE-Ubiquity-2021-08-02.pdf

Overview

You can make money by reporting bugs, and additional money by including pull requests with fixes. The bounty program is set up in two parts:

Engineering Issues (Software Bug Exploits)

Design Issues (Economic Exploits)

Details below.

Engineering Issues

(Software Bug Exploits)

We’re running a bug bounty indefinitely to reward bug discovery and reporting on specific Solidity smart contracts, with rewards up to $25000 in non-expiring uAD coupons, redeemable as per the protocol’s standard ruleset.

The value of rewards will vary depending on severity as judged by the Ubiquity team. Severity is determined according to the OWASP risk rating model based on Impact and Likelihood, as employed in the Ethereum bug bounty campaign.

Bounties

Payouts are available in uCR tokens, which are redeemable when the largest liquidity market’s price for uAD-3CRV is above $1.00. We can discuss special payment accommodations if required in other stablecoins, but we will be paying less than the below listed dollar value in other tokens.

Tiers

Tier

Amount

Description

Low-Risk

1000

Thanks for the tip. We'll make a note of it!

Medium-Risk

5000

Several of these would damage Ubiquity's credibility with the community.

High-Risk

10000

One of these would damage Ubiquity's credibility with the community.

Critical-Risk

10%

Generally involves the ability to drain a smart contract's token balance entirely, or the ability to mint infinite tokens; fast enough that it would be unrealistic for us to stop the attack midway. We'd end up on rekt for this one.

Bug Rules

Bounties go to the first report.

Don’t steal or attempt to steal others funds.

Don’t publicly disclose a bug before it has been fixed.

Paid auditors of this code are not eligible for rewards.

Public disclosure of the vulnerability, before explicit consent from Ubiquity to do so, will make the vulnerability ineligible for a bounty.

Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of the Ubiquity team.

Out of Bounds

Any frontend applications or client-side code interacting with the contracts, as well as testing code.

Mismatch of the functionality of the contracts and outdated spec documents.

Findings derived primarily from social engineering (e.g. phishing, etc)

Non-security critical issues (e.g. style or gas optimizations) are ineligible.

Findings from applications or systems not listed in the ‘Scope’ section

UI/UX bugs, Data entry errors, spelling mistakes, typos, etc

Network-level Denial of Service (DoS/DDoS) vulnerabilities

Spam or Social Engineering techniques, including SPF and DKIM issues

Security bugs in third-party applications or services

XSS Exploits that do not pose a security risk to 'other' users (Self-XSS)

Brute Forces attacks

Areas of Interest

Loss of assets

A user / or the protocol loses assets in a way that they did not explicitly authorize
A user / or the protocol authorized a transaction but spends more assets than normally expected (e.g an order is allowed to be over-filled).

Unintended contract state

A user is able to update the state of a contract such that it is no longer useable
Any assets get unexpectedly "stuck" in a contract with regular use of the contract's public methods.

Incorrect math calculations

Overflows or underflow result in unexpected behaviour.
Reward payouts are incorrect.

Reporting

How to Report a Security Vulnerability:

Description of the location and potential impact of the vulnerability

A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us)

Your name/handle and a link for recognition in our recognition Hall of Fame (Twitter, Reddit, Facebook, HackerOne, etc)

Let us know on our Discord

Scope

The scope of the bug bounty is limited to the following contracts, deployed on the Goerli testnet:

See the smart contract addresses here.

Design Issues

(Economic Exploits)

Rules

In order to be eligible for the rewards, participants must disclose their strategy in full + all addresses used in the process.

The goal of the exercise is to determine economic exploits, and not to determine who has the most funds on the Goerli testnet. As such:

Entries which rely on huge amounts of ETH will not be scored highly
Entries which are applicable only at very minor scale, will not be scored highly

As a continuation of the above point, the highest-rated entries will be the ones which have realised the most ROI while also having a non-trivial amount of uAD at the end (e.g. > 1000)

The funds need to be obtained via the normal functioning of the system (e.g. not via bugs). If any bugs are found - they are eligible for the bounty report.

Determinations of eligibility, score, and all terms related to an award are at the sole and final discretion of the Ubiquity team.

Inspiration

Flash Loans (Attacking the DeFi Ecosystem with Flash Loans for Fun and Profit)

The harvest attack/arbitrage that exploited/leveraged Curve's pool oracle (Deep Analysis on Harvest Attack)

Reentrancy Attacks - Exploiting any functions that should send tokens. (Reentrancy Attack On Smart Contracts: How To Identify The Exploitable And An Example Of An Attack Contract).

DoS Attacks - Making any of the contracts irresponsive or get tokens locked indefinitely. See Parity Multisig Wallet (Second Hack) and King of the Ether Post-Mortem.

Front-Running the interactions with the bonding and debt coupon contracts. That is, front-running bonding the uAD token and redeeming the bonding shares, and also the exchange between uAD and uCR.