[DD] Smart Contracts
IN-SCOPE ISSUES (SMART CONTRACTS)
We are looking for evidence of, and the reasons behind, incorrect smart contract behavior that could cause unintended functionality. The following are considered "CRITICAL" severity issues:
| Severity | Example Vulnerabilities |
| --- | --- |
| 🔴 Critical | Direct theft of funds or NFTs |
| | Permanent freezing of funds or NFTs |
OUT OF SCOPE ISSUES (SMART CONTRACTS)
Submissions falling under any of the categories below will be rejected as not eligible for a bounty.
| Severity | Example Vulnerabilities |
| --- | --- |
| 🟠 High | Temporary freezing of funds or NFTs |
| | Theft of unclaimed funds (e.g., yield, royalties) |
| | Permanent freezing of unclaimed funds |
| | Oracle manipulation: influencing on-chain price feeds or data sources |
| 🟡 Medium | Theft of gas (unbounded loops, expensive operations exploitable by attackers) |
| | Gas limit / out-of-gas vulnerabilities: poor gas handling leading to transaction failure, loss of funds, or halted functionality |
| | Denial of service (DoS): gas exhaustion, block stuffing, or malicious state manipulation that disrupts contract availability |
| | No-profit attacks (griefing): attacks that damage the protocol or users without financial gain for the attacker |
| 🟢 Low | Failure to deliver promised returns (e.g., a staking pool advertises a fixed APY but underperforms due to bugs or flawed logic) |
| | Uninitialized storage variables: can lead to privilege escalation but are often low-risk |
| 🔵 Info | Theoretical vulnerabilities: issues that simply point out missing checks or a lack of adherence to best practices (e.g., the checks-effects-interactions (CEI) pattern) without a concrete exploit scenario are out of scope. |
| | Privileged roles acting maliciously: issues that assume admin, owner, or other privileged roles will behave incorrectly or maliciously are out of scope, unless a realistic reason or scenario is provided to justify this behavior. |
| | Oracle manipulation or failures: submissions involving oracles (e.g., missing timestamp checks) are not accepted unless the report demonstrates a clear and practical attack scenario showing how oracle misbehavior leads to an exploit. |
| | Weird tokens: unless the protocol clearly specifies that it accepts weird tokens (e.g., low-decimal tokens, ERC777), all issues regarding them are out of scope. |