Minswap Stableswap Bug Bounty

TLDR: The Minswap Stableswap code has been completed and audited. As a next step, we are conducting a Bug Bounty program before deployment. Find all the details below!

Introduction

This document covers the scope of the vulnerabilities of the Bug Bounty Program and how to submit a bug. The aim of the program is to give developers in the Cardano community the chance to review the Stableswap code before it’s deployed on-chain.

We think it’s important for the Cardano community to establish best principles for deployment of Smart Contracts. This starts by open-sourcing code before it’s deployed, as well as rewarding those developers in the community who alert us to vulnerabilities in the code prior to deployment.

The Minswap Stableswap is a Catalyst Funded product and so is this Bug Bounty. The Bug Bounty budget is of $12,000 and Bug Bounty rewards will be distributed according to the severity of the found vulnerabilities and the likelihood of the bug being triggered or exploited. Reward size is nominated in USD, but payouts will be made in ADA according to the price of ADA at the payout time.

The Duration of the Bug Bounty will be of 4 weeks, the last day to submit a bug will be February 14th, 2024.

Eligibility Requirements and Policies

To be eligible for a reward under this Program, you must:

• Discover a previously-unreported, non-public vulnerability that is not previously known by the team and within the scope of this Program.
• Be the first to disclose the unique vulnerability in compliance with the disclosure requirements.
• Provide sufficient information to enable our engineers to reproduce the bug.
• Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).
• Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of any of the assets in scope.
• Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.
• Not engage in any unlawful conduct when disclosing the bug including through threats, demands, or any other coercive tactics.

To be eligible for a reward, you must provide:

• Short description of the vulnerability and the reproduction steps.
• Suggestions of how to fix the vulnerability.
• How to submit: The form in which vulnerabilities are to be submitted is via email to security@minswap.org. Please attach your Discord or Telegram username for Minswap Labs to reach out in case that is needed.

Classifying Vulnerabilities

Critical: any which impact many users and pose serious reputational or financial risks. Examples:

• Theft of user funds, LP tokens, protocol NFTs and functional tokens
• Unauthorized minting of protocol NFTs or LP tokens
• Permanent freezing of funds or smart contracts
• Protocol insolvency

High: any which impact individual users and pose moderate reputational or financial risks. Examples:

• Sandwich attacks
• Front-running trades

Medium: any which don’t pose financial risk to users. Examples:

• On-chain denial-of-service

Low: any which do not pose immediate risk but are relevant to security best practice.

• Contract fails to deliver promised returns, but doesn’t lose value

The rewards will be given based on the severity and likelihood of the bug being triggered. The classification of severity and rewards amount will be determined by the sole discretion of Minswap Labs. Rewards for duplicated bugs will be distributed in a First-come-first-served manner.

Assets In Scope

The assets in the list below are considered for bug bounty program rewards:

• Stableswap contracts Github Repo: https://github.com/minswap/minswap-stableswap
• Audit Report
• Testnet link: https://testnet-preprod.minswap.orgcv

The Bug Bounty Program will include vulnerabilities in the StableSwap contracts in our public GitHub repository. It will not include the issues that have already been discovered in the Audit Report.

If you find any critical vulnerabilities related to other areas that are not in the scope, Minswap Labs can also consider granting a bug bounty as well. However the budget will be different from the bug bounty for StableSwap contracts and determined by the discretion of the Minswap Labs.

Disclosure

The vulnerabilities must not be disclosed publicly or to any other entity before Minswap Labs has been notified, fixed the issue and granted permission for public disclosure. Once the vulnerabilities have been resolved, Minswap is also open to publicly recognizing the contributor if desired.

Appendix

Out of Scope Areas

The following vulnerabilities and areas that are not within the scope and:

• Self-exploited attacks that have led to damage.
• Bugs related to interface, API, off-chain bots, infrastructure, third-party integrations or any non contract related materials.
• Breaches related to leaked keys or credentials.
• Attacks threatening privileged addresses, e. g. governance, etc.
• Phishing or social engineering attacks against the protocol’s employees or users.
• Testing through third-party applications (e.g., browser extensions) or websites (e.g., SSO, advertising, etc.).
• DDoS attacks of Dapp interface or API.
• Automated testing that generates high amounts of traffic.

Prohibited practices

The following practices are not permitted:

• Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet.
• Any testing with pricing oracles or third-party smart contracts.
• Attempting phishing or other social engineering attacks against our employees and/or customers.
• Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks).
• Any denial of service attacks that are executed against project assets.
• Automated testing of services that generates significant amounts of traffic.
• Public disclosure of an unpatched vulnerability in an embargoed bounty.