Bug Bounty Findings and Compensation
At Minswap Labs, we are unwavering in our commitment to building a secure, trustworthy, and robust DeFi ecosystem on the Cardano blockchain. Our approach to the Minswap V2 launch demonstrates this. As part of the Catalyst-funded Minswap Aiken V2 Audit, the smart contract code was audited twice, and the code was open sourced one month before launch so that any developer or user could review it before deployment. Below, we inform the community about the two bugs that were found, how they were addressed, and the compensation paid for them.
Bug Bounty Findings
- Token Dust Attack on Factory UTxO: the validate_factory validator only checked for the presence of the Factory NFT in the output returned to the Factory address. This allowed anyone to add dust tokens to the Factory UTxO. Depending on the cost model parameters, this could either make inserting a new pool more expensive or push the transaction's execution units over the script execution budget, which would prevent the addition of new pools. Classified as Medium Severity.
- Use of Spend Validator as Stake Validator: the vulnerability arises when a "spend" script is used as an authorized address, i.e. as a stake validator. A spend script is supposed to take three parameters: a datum, a redeemer, and a script context. However, the code allowed spend scripts to be used without specifying the expected type for the datum parameter. Classified as Minor Severity.
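To make the first finding concrete, here is an added Python model of the two Factory output checks: the original presence-only test and an exact-asset test that rejects dust. This is illustrative code written for this page, not Minswap's Aiken validator and not taken from the audit report. The Factory NFT identifiers, the attacker's dust policies and the execution-unit figures are placeholders chosen for the example; the cost model simply charges a fixed number of units per value entry to show how accumulated dust pushes the script toward its budget.

```python
from typing import Dict, Tuple

# A Cardano Value modelled as {(policy_id, asset_name): quantity}.
# ("", "") stands for lovelace (ADA), mirroring the Plutus/Aiken Value encoding.
Asset = Tuple[str, str]
Value = Dict[Asset, int]

ADA: Asset = ("", "")
# Placeholder policy id / asset name; the real Factory NFT identifiers are not shown here.
FACTORY_NFT: Asset = ("factory_policy_id", "FACTORY")


def quantity_of(value: Value, asset: Asset) -> int:
    return value.get(asset, 0)


def factory_output(lovelace: int = 2_000_000) -> Value:
    """A well-formed Factory output: min-ADA plus exactly one Factory NFT."""
    return {ADA: lovelace, FACTORY_NFT: 1}


def add_dust(value: Value, n_dust: int) -> Value:
    """Attacker-controlled tokens appended to the value being returned to the Factory
    (constructed dust; each token sits under its own hypothetical policy id)."""
    dusted = dict(value)
    for i in range(n_dust):
        dusted[("attacker_policy_%d" % i, "DUST")] = 1
    return dusted


def vulnerable_factory_check(output: Value) -> bool:
    """Pre-fix behaviour: accepts any output that merely contains the Factory NFT."""
    return quantity_of(output, FACTORY_NFT) == 1


def hardened_factory_check(output: Value) -> bool:
    """Exact-asset check: ADA plus exactly one Factory NFT and nothing else.
    Zero-quantity entries are ignored; any extra token or a wrong NFT count fails."""
    non_ada = {a: q for a, q in output.items() if a != ADA and q != 0}
    return non_ada == {FACTORY_NFT: 1}


# Illustrative cost model (hypothetical numbers): a validator that walks the value
# map pays roughly per-entry execution units, so dust inflates the script's cost.
PER_ENTRY_UNITS = 1_000        # assumed units charged per value entry
SCRIPT_BUDGET_UNITS = 40_000   # assumed per-script execution budget


def traversal_units(value: Value, per_entry: int = PER_ENTRY_UNITS) -> int:
    return per_entry * len(value)


def pool_insert_fits_budget(value: Value, budget: int = SCRIPT_BUDGET_UNITS) -> bool:
    """Whether a pool-insert transaction that walks this Factory value stays in budget."""
    return traversal_units(value) <= budget


def dust_attack_demo(n_dust: int) -> Dict[str, object]:
    """Compare both checks and the cost model on a clean and a dusted Factory output."""
    clean = factory_output()
    dusted = add_dust(clean, n_dust)
    return {
        "clean_vulnerable": vulnerable_factory_check(clean),
        "clean_hardened": hardened_factory_check(clean),
        "dusted_vulnerable": vulnerable_factory_check(dusted),   # dust slips through
        "dusted_hardened": hardened_factory_check(dusted),       # dust is rejected
        "clean_entries": len(clean),
        "dusted_entries": len(dusted),
        "clean_fits_budget": pool_insert_fits_budget(clean),
        "dusted_fits_budget": pool_insert_fits_budget(dusted),
    }


if __name__ == "__main__":
    for key, val in dust_attack_demo(50).items():
        print(f"{key}: {val}")
```

The presence-only check lets the attacker grow the Factory value by a few entries per transaction; since the UTxO is returned each time, the dust persists and compounds until legitimate pool insertions either cost more or no longer fit the budget. The exact-asset check breaks the loop by pinning the non-ADA part of the returned value to the single NFT, which is the same shape of fix a validator written in Aiken would apply to the output value.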
Bug Bounty Compensation
Bug Bounty compensation was paid according to the rules laid out in the original Bug Bounty document.
- Medium Severity vulnerability: we would like to thank Micah, founder of Butane Protocol, for alerting us to this vulnerability. He was compensated with 7,500 ADA. Here is the transaction ID.
- Minor Severity vulnerability: we would like to thank Micrograx, developer at TxPipe, for alerting us to this vulnerability. He was compensated with 2,000 ADA. Here is the transaction ID.
Closing remarks
You can find more details about the vulnerabilities, and verify their fixes via the referenced commit hashes, in the Audit Report by Anastasia Labs.
Only 9,500 ADA of the 99,000 ADA allocated was spent. Minswap Labs has decided to keep the Bug Bounty program ongoing: any vulnerability discovered in the Minswap V2 code and reported according to the Bug Bounty rules will be rewarded from this allocation.
We at Minswap Labs are proud of the security-first approach we followed for the launch of V2. It reflects our dedication to transparency, collaboration, and the highest standards of security. By drawing on the collective expertise of the Cardano developer community, we aimed to fortify Minswap V2 as much as possible against potential threats, protecting our users and their assets.