[DD] Smart Contracts

IN-SCOPE ISSUES (SMART CONTRACTS)

We are looking for evidence of, and the reasons behind, incorrect smart contract behavior that causes unintended functionality. Only issues rated "CRITICAL" severity are in scope:

Severity | Example Vulnerabilities

🔴 Critical

  • Direct theft of funds or NFTs

  • Permanent freezing of funds or NFTs

OUT OF SCOPE ISSUES (SMART CONTRACTS)

Submissions falling under any of the categories below will be rejected as not eligible for a bounty.

Severity | Example Vulnerabilities

🟠 High

  • Temporary freezing of funds or NFTs

  • Theft of unclaimed funds (e.g., yield, royalties)

  • Permanent freezing of unclaimed funds

  • Oracle Manipulation (High): Influencing on-chain price feeds or data sources.

🟡 Medium

  • Theft of gas (unbounded loops or expensive operations that an attacker can force other users to pay for)

  • Gas limit / Out-of-Gas vulnerabilities - Poor gas handling leading to transaction failure, loss of funds, or halted functionality

  • Denial of Service (DoS) - Gas exhaustion, block stuffing, or malicious state manipulation that disrupts contract availability

  • No-profit attacks (Griefing) - Attacks that damage the protocol or users without financial gain for the attacker
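The gas-exhaustion and griefing items above, shown as an added illustration (this is not the program's or any in-scope project's code; the contract and function names are made up). A push-payment loop over an array that anyone can grow lets an attacker, at no profit to themselves, make distribution impossible; the pull-payment form beside it has constant-cost accounting and lets each payee pay for their own withdrawal:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of the "theft of gas" / gas-exhaustion DoS class.
// Hypothetical contracts, not code from this bounty program.

// Vulnerable: anyone can grow `payees`, and distribute() walks all of them.
contract PushDistributor {
    address[] public payees;

    receive() external payable {}

    // Unbounded, attacker-controlled growth of the array distribute() loops over.
    function register() external {
        payees.push(msg.sender);
    }

    // Whoever calls this pays gas proportional to payees.length. An attacker who
    // registers enough addresses pushes the loop past the block gas limit, after
    // which no distribution can ever complete (griefing: the attacker gains
    // nothing). A single payee whose receive() reverts blocks everyone else too.
    function distribute() external {
        uint256 n = payees.length;
        require(n > 0, "no payees");
        uint256 share = address(this).balance / n;
        for (uint256 i = 0; i < n; i++) {
            (bool ok, ) = payees[i].call{value: share}("");
            require(ok, "transfer failed");
        }
    }
}

// Hardened: O(1) accounting and pull payments. Each payee pays for their own
// withdrawal, so nobody can make another user's transaction run out of gas or
// revert. The owed amount is zeroed before the external call
// (checks-effects-interactions), so a re-entering payee gets nothing extra.
contract PullDistributor {
    mapping(address => uint256) public owed;

    function credit(address payee) external payable {
        require(msg.value > 0, "no value");
        owed[payee] += msg.value;
    }

    function withdraw() external {
        uint256 amount = owed[msg.sender];
        require(amount > 0, "nothing owed");
        owed[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

Under this program the push-loop flaw is rated Medium and rejected; a report that wants to be in scope would have to show the same loop permanently locking funds that can be recovered no other way, which is the Critical "permanent freezing" case.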

🟢 Low

  • Failure to deliver promised returns (e.g., staking pool advertises fixed APY but underperforms due to bugs or flawed logic)

  • Uninitialized storage variables: can lead to privilege escalation but are usually low risk.

🔵 Info

  • Theoretical vulnerabilities: Issues that simply point out missing checks or lack of adherence to best practices (e.g., the checks-effects-interactions (CEI) pattern) without a concrete exploit scenario are out of scope.

  • Privileged roles acting maliciously: Issues that assume admin, owner, or other privileged roles will behave incorrectly or maliciously are out of scope, unless a realistic reason or scenario is provided to justify this behavior.

  • Oracle manipulation or failures: Submissions involving oracles (e.g., missing timestamp checks) are not accepted unless the report demonstrates a clear and practical attack scenario showing how oracle misbehavior leads to an exploit.

  • Weird tokens: unless the protocol clearly specifies that it accepts non-standard tokens (e.g., low-decimal tokens, ERC-777), all issues regarding them are out of scope.
