Minswap V2 Bug Bounty

Minswap Labs
May 29, 2024

Fortifying the Future of Cardano DeFi

TLDR: The Minswap V2 code has been completed and audited twice now. As a next step, Minswap Labs is conducting a Bug Bounty program before deployment. Find all the details on this program below!

Introduction

At Minswap Labs, we are unwavering in our commitment to building a secure, trustworthy, and robust DeFi ecosystem on the Cardano blockchain. As we prepare to launch Minswap V2, our next-generation platform, we recognize the paramount importance of identifying and addressing potential vulnerabilities before deployment. To that end, we are inviting the global community of security researchers, white hat hackers, and developers to participate in our comprehensive Bug Bounty Program.

This initiative is a testament to our dedication to transparency, collaboration, and the highest standards of security. By leveraging the collective expertise of the Cardano developer community, we aim to fortify Minswap V2 against potential threats, ensuring the utmost protection for our users and their assets.

The Bug Bounty starts today with the release of this article and will last until June 30th. During this phase, the audit reports and smart contract code will be open sourced and shared, and community review and reporting of vulnerabilities will be incentivized.

Eligibility Requirements and Policies

To be eligible for a reward under this Program, you must:

  • Discover a previously unreported, non-public vulnerability that is not already known to the team and is within the scope of this Program.
  • Be the first to disclose the unique vulnerability in compliance with the disclosure requirements.
  • Provide sufficient information to enable our engineers to reproduce the bug.
  • Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).
  • Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of any of the assets in scope.
  • Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.
  • Not engage in any unlawful conduct when disclosing the bug including through threats, demands, or any other coercive tactics.

To be eligible for a reward, you must provide:

  • A short description of the vulnerability and the steps to reproduce it.
  • Suggestions for how to fix the vulnerability.
  • How to submit: vulnerabilities are to be submitted via email to security@minswap.org. Please include your Discord or Telegram username so Minswap Labs can reach out if needed.

Classifying Vulnerabilities

Critical: vulnerabilities which impact many users and pose serious reputational or financial risks. Examples:

  • Theft of user funds, LP tokens, protocol NFTs and functional tokens
  • Unauthorized minting of protocol NFTs or LP tokens
  • Permanent freezing of funds or smart contracts
  • Protocol insolvency

Reward: 30,000 ADA

Major: vulnerabilities which impact individual users and pose moderate reputational or financial risks. Examples:

  • Sandwich attacks
  • Front-running trades

Reward: 15,000 ADA

Medium: vulnerabilities which don’t pose financial risk to users. Example:

  • On-chain denial-of-service

Reward: 7,500 ADA

Minor: vulnerabilities which do not pose immediate risk but are relevant to security best practice. Example:

  • Contract fails to deliver promised returns, but doesn’t lose value

Reward: 2,000 ADA

Submitted bugs will be sorted by severity, then by time of submission, and paid top-down until the budget (99k ADA) is exhausted. Bounties beyond the budget will be decided at the team’s discretion.

Assets In Scope

The following assets are considered for bug bounty program rewards:

The Bug Bounty Program covers vulnerabilities in the V2 contracts in our public GitHub repository. It does not cover issues that have already been identified in the Audit Report.

If you find a critical vulnerability in other areas that are not in scope, Minswap Labs may also consider granting a bug bounty. However, the budget will differ from the bug bounty for the V2 contracts and will be determined at the discretion of Minswap Labs.

Disclosure

Vulnerabilities must not be disclosed publicly or to any other entity before Minswap Labs has been notified, has fixed the issue, and has granted permission for public disclosure. Once a vulnerability has been resolved, Minswap is also open to publicly recognizing the contributor if desired.

Appendix

Out of Scope Areas

The following vulnerabilities and areas are NOT within the scope:

  • Self-exploited attacks that have led to damage.
  • Bugs related to the interface, API, off-chain bots, infrastructure, third-party integrations or any other non-contract materials.
  • Breaches related to leaked keys or credentials.
  • Attacks threatening privileged addresses, e.g. governance.
  • Phishing or social engineering attacks against the protocol’s employees or users.
  • Testing through third-party applications (e.g., browser extensions) or websites (e.g., SSO, advertising, etc.).
  • DDoS attacks against the Dapp interface or API.
  • Automated testing that generates high amounts of traffic.

Prohibited practices

The following practices are NOT permitted:

  • Any testing on mainnet or public testnet deployed code; all testing should be done on local forks of either the public testnet or mainnet.
  • Any testing with pricing oracles or third-party smart contracts.
  • Attempting phishing or other social engineering attacks against our employees and/or customers.
  • Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks).
  • Any denial of service attacks that are executed against project assets.
  • Automated testing of services that generate significant amounts of traffic.
  • Public disclosure of an unpatched vulnerability in an embargoed bounty.

Conclusion

The Minswap V2 Bug Bounty Program represents our unwavering commitment to building a secure, resilient, and trustworthy DeFi ecosystem on the Cardano blockchain. By leveraging the collective expertise of the global cybersecurity community, we aim to fortify our platform against potential threats, ensuring the utmost protection for our users and their assets.

We invite security researchers, white hat hackers, and developers to join us in this endeavor, contributing their skills and expertise to the advancement of DeFi security. Together, we can build a future where DeFi thrives on a foundation of trust, transparency, and robust security measures.

We look forward to your valuable contributions and thank you for your efforts in making Minswap V2 a resounding success.

Minswap Labs

Minswap is the multi-pool decentralized exchange on the Cardano blockchain: https://minswap.org