SogurCurrency / Gitcoin-hackathon


Sögur's Smart Contract System - Bug Bounty #2

Open ronsabo opened 3 years ago

ronsabo commented 3 years ago

Prize Bounty

Up to $50,000 (in SGR)

The Bounty size depends on the severity of the issue found. Please use this structured bounty table for general guidance. All final decisions are at the discretion of Sögur.

| Severity | Payment in SGR | Example |
|---|---|---|
| Low | $1,000 | An attack on the whitelisting mechanism that allows an already whitelisted address to buy SGR in an amount above its trading class |
| Medium | $5,000 | An attack on the whitelisting mechanism that allows any user to buy or sell SGR directly from the smart contract without pre-approval |
| High | $10,000 | A denial of service attack that makes the smart contract system unusable for all users |
| Critical | $50,000 | See Remark |

A vulnerability will be considered Critical only if it allows an attacker to:

  1. Steal users’ SGR tokens
  2. Steal funds from the Sogur reserve (only for the part of the reserve held on-chain)
  3. Mint SGR tokens to themselves without paying their value in ETH
  4. Manipulate the ETH/SGR price at the smart contract level in a manner that creates an arbitrage opportunity for the attacker

Response Targets

| Type of Response | SLA in business days |
|---|---|
| First Response | 3 days |
| Time to Triage | 5 days |
| Time to Bounty | 30 days |
| Time to Resolution | depends on severity and complexity |

We will endeavour to keep you informed about our progress throughout the process.

Information & Resources

The Sögur smart contract system manages the issuance of the SGR token and is crucial to the integrity of the token economics design. The smart contract system enforces that minting and burning of SGR are done solely according to Sögur's monetary model and in line with Sögur's AML policy, under which only approved users can interact with the smart contract to swap ETH for SGR and vice versa. The user approval process is done off-chain by Sogur's team and is not part of this bounty program. Instead, our focus is on the parts of the smart contract system that are potentially callable by the public.
The above bounties are designed to incentivize security experts, white-hat hackers, or anyone with related skills to critically examine the Sogur smart contracts for potential vulnerabilities that fall within the specific scope defined below.

You are welcome to post any question you might have in our dedicated Telegram group.

Scope

Smart contracts system

Code is available at https://github.com/SogurCurrency/smart-contracts

Prior smart contract audits: https://github.com/SogurCurrency/smart-contracts/tree/master/audit/

The smart contract system is deployed on both Ethereum's mainnet and the Ropsten testnet. Contract addresses:

| Name | Mainnet | Ropsten |
|---|---|---|
| ContractAddressLocatorProxy | 0xaAbcd54Faf94925ADBE0df117C62961AcEcBACDb | 0xBAf0479a887c3027fC73202eeb8a88aD3B845e0b |
| AuthorizationDataSource | 0xACde447A4F3516b732c06B715044e528475AE1b4 | 0x9663Ed9c7690C4748C5418b549c55396035A82E5 |
| SGNConversionManager | 0x2b5D799bdC438E6Ae0591cFDAbBb3AbF45A7c3c8 | 0x33B540B0D425e2DEEBEE05d685C7eC310a25cdA9 |
| ModelDataSource | 0x4e341aDb6899cFbfB01d6e0e9B83167DB7e1354a | 0xE3C82A328093Ad4753b6D3242c34D5832f713c69 |
| PaymentManager | 0x8fF8cd23928C3441bF07C34D996Dde7ab5Fc4a64 | 0xb3277D2d6999558B8b09D5D9ae72A1D930A1F2D9 |
| PaymentQueue | 0xb0Aaf76C7966872A8C4AaD71bc7B29129D1695c1 | 0xa4B892F184FA9f810ba93C4B297B5C9e3885c28f |
| ReconciliationAdjuster | 0xA4071f2298285350E38E36ab2aeAceB8f678B68d | 0x2f8067386106D593403f41eF8321C14A42C29F1A |
| IntervalIterator | 0x58930D1c41452147C374155390D3363b24Dc7032 | 0x123399c30B0188C41225115ED94927f8D8a754F2 |
| MintManager | 0xeAaBf61Ab43a79a1F980e98bd2d39b5E27dcaCc6 | 0x4bA02bf81D9abE55BD9A33dbbaFeCf26935FAcC0 |
| PriceBandCalculator | 0x3bC0829Db9A40a1Ede9F4c40Cec789b78bf1Ee5B | 0xB862FEA420eB73fd6B50Bd1e02F1186A6685434a |
| ModelCalculator | 0x15231F21a6D599ef470593b0C42c278084CF293E | 0x1b66B7B8D38C73210321330245a451Fd77Bb3202 |
| RedButton | 0x8Fc1b914A55DD5A2572Ed644EcfF11624F9Fe278 | 0xFDBC02aF89E6151e6e493eA5fCd10b2E6ed20EA4 |
| ReserveManager | 0xCD53A7cfF0686Eb6Ee1B7157ff184F8FC8a6ac4F | 0x33C0c5B264D17b853DfF622f12D72B52f7434f2d |
| SgnToSgrExchangeInitiator | 0xdb4a210915ddC08A08db45B28d64CE2bA01D6A3a | 0xcFeD095fb2cF33d12F90C472970a0cA827040bc6 |
| MonetaryModel | 0xC9ba890cb2589C96F073acBD3985f36D8503786A | 0x94A6661a786A634FCC713B298468bC88e38A574C |
| MonetaryModelState | 0xa59F1F7Aa4DDA0E9A682ea325AE3F4F12e3d6A96 | 0x6e6F4F50297DBb6c9314dD6c640De7c415F7997A |
| SGRAuthorizationManager | 0xC42123690348918f87f99F3236D5E0B3F4bac310 | 0xd1F9c26bc7E66896A9ED1d8631dBA962Cc4e754d |
| SGRToken | 0xAEa8e1b6CB5c05D1dAc618551C76bcD578EA3524 | 0xEd8F60f02c333d3B0E6Cf0553C19df7E9A99226F |
| SGRTokenManager | 0x0142220147cC66c18b1E919b0FEc6d78CF850064 | 0x3b5830156F2DF9A4A639523c057572208496cbB6 |
| SGRTokenInfo | 0xa47ca3261571F03959e8C361d451d9974CC1d217 | 0x60c9254A9b36dEBE4de51b1A4B865D042E26B9CD |
| SGNAuthorizationManager | 0x34DA782b5BA7b0774a90f9639CF69FD2A52D1B9a | 0xbA245c9F5BF8e387E37F95354cf566d98048dB0B |
| SGNToken | 0x082E6d22225a6a26ED3CD35342E6722dB31F42e5 | 0xfC2Eda4E72Be49733490eb4d5031bF9D7191185E |
| SGNTokenManager | 0xC9a96a55C0895fdb5d9154A33ceAB9dcD0DF3fc5 | 0xcc04CC32CaD421ed34Ad050eB85D08029036881B |
| MintingPointTimersManager | 0x4cd2F77C388e8d266921ba1bef2E519e3118703F | 0xB7BBffc1715F0602859D7B0F9a4E9FdBF956cb8f |
| TradingClasses | 0x8eb7BC0928Cc0d111b8f8Fdd828620Dad646e01f | 0x7597fd72039553C7cb6e13b3CBBB1b4c5EeFDd4E |
| WalletsTradingLimiterValueConverter | 0x5C186FDcf94e25E82BffC4ce0B367D13AaB9C335 | 0x24639E051623d2820c7219F80641e16F4B0Ffe7b |
| BuyWalletsTradingDataSource | 0x349fE288A98324167926b3Fa830aef5fc5AEaf7b | 0x687AC615B2F62ba3AC61f8AA6e5Ec4816129891E |
| SellWalletsTradingDataSource | 0x2bfE3f7A3206e605adF31e46BB2cbE6A2164d4b5 | 0x6E1E0b2eEae7Ce2363718CDD4A92aA4ADbe47f6A |
| WalletsTradingLimiterSGNTokenManager | 0x4aCE1144e7BD311940E286b48E93c2933a1c53FF | 0x3bf7bFb0Fa92FC0772F2ae10534f2018c024eD52 |
| BuyWalletsTradingLimiterSGRTokenManager | 0x6AaF94Bc4E4356c533C03c0E28Aa9703B69b0666 | 0xD1c6Da5582932054cf3951D49CEd6E970FAaCE97 |
| SellWalletsTradingLimiterSGRTokenManager | 0x00Fc1860152F32ADe05433a54318666a97D249d9 | 0x8851eE081986442435A00147A1a28890BE27E1dB |
| ETHConverter | 0x899C22a6b4C538E37612332F276481C016963d3D | 0xc972738049BcB5394D714ED041879201F0f8192F |
| TransactionLimiter | 0x9c9C21c7716a21c731F59D72efC991320B6E5E12 | 0xa8BE51dB320A19350ac2bf5314e1C06858F15907 |
| TransactionManager | 0xf4DD8b5361C033135C80491E9D68bC487A49DD92 | 0x7253cbe2F8881eBab54ce6bD108272489f77a4d5 |
| RateApprover | 0x007FF3B4639bAF3AeD4056b11c5abb03B243835B | 0xDC71a78C6EA817d59c2B0462B39b62B296A7d487 |
| SGAToSGRInitializer | 0xAf567caCE0f27708825adbDBD0d64Bbcf174D7E0 | 0xfc46C2184D05A602E30317afBF83eeC09381a174 |

Program Rules

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug.

The following issues are considered out of scope:

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Sögur and our users safe!

Our Channels:

Website | Twitter | Telegram | YouTube | Facebook | LinkedIn | GitHub | Medium

gitcoinbot commented 3 years ago

Issue Status: 1. Open 2. Started 3. Submitted 4. Done


This issue now has a funding of 35700.0 SGR (50694.0 USD @ $1.42/SGR) attached to it.