# [DD] Smart Contracts

## IN-SCOPE ISSUES (SMART CONTRACTS)

We are looking for evidence of, and the reasoning behind, incorrect smart-contract behavior that could cause unintended functionality. Only the following are considered "Critical" severity issues:

| **Severity**    | **Example Vulnerabilities**                                                                                                   |
| --------------- | ----------------------------------------------------------------------------------------------------------------------------- |
| 🔴 **Critical** | <ul><li><strong>Direct theft of funds or NFTs</strong></li><li><strong>Permanent freezing of funds or NFTs</strong></li></ul> |

## OUT OF SCOPE ISSUES (SMART CONTRACTS)

Submissions falling under any of the categories below will be rejected as not eligible for a bounty.

{% hint style="warning" %}
In DualDefense, only Critical reports are in scope. This means that all other reports will be marked as:

* Severity: None
* State: Out of scope

You will not lose reputation points in this case.
{% endhint %}

| **Severity**  | **Example Vulnerabilities** |
| ------------- | --------------------------- |
| 🟠 **High**   | <ul><li><strong>Temporary freezing of funds or NFTs</strong></li><li><strong>Theft of unclaimed funds</strong> (e.g., yield, royalties)</li><li><strong>Permanent freezing of unclaimed funds</strong></li><li><strong>Oracle Manipulation</strong> (High): influencing on-chain price feeds or data sources.</li></ul> |
| 🟡 **Medium** | <ul><li><strong>Theft of gas</strong> (unbounded loops, expensive operations exploitable by attackers)</li><li><strong>Gas limit / Out-of-Gas vulnerabilities</strong>: poor gas handling leading to transaction failure, loss of funds, or halted functionality</li><li><strong>Denial of Service (DoS)</strong>: gas exhaustion, block stuffing, or malicious state manipulation that disrupts contract availability</li><li><strong>No-profit attacks (Griefing)</strong>: attacks that damage the protocol or users without financial gain for the attacker</li></ul> |
| 🟢 **Low**    | <ul><li><strong>Failure to deliver promised returns</strong> (e.g., a staking pool advertises a fixed APY but underperforms due to bugs or flawed logic)</li><li><strong>Uninitialized Storage Variables</strong>: can lead to privilege escalation but are often low-risk.</li></ul> |
| 🔵 **Info**   | <ul><li><strong>Theoretical vulnerabilities:</strong> issues that simply point out missing checks or lack of adherence to best practices (e.g., the CEI pattern) without a concrete exploit scenario are out of scope.</li><li><strong>Privileged roles acting maliciously:</strong> issues that assume admin, owner, or other privileged roles will behave incorrectly or maliciously are out of scope, unless a realistic reason or scenario is provided to justify this behavior.</li><li><strong>Oracle manipulation or failures:</strong> submissions involving oracles (e.g., missing timestamp checks) are not accepted unless the report demonstrates a clear and practical attack scenario showing how oracle misbehavior leads to an exploit.</li><li><strong>Weird Tokens:</strong> unless the protocol clearly specifies that it accepts weird tokens (low decimals, ERC-777), all issues regarding them are out of scope.</li></ul> |
