SogurCurrency / Gitcoin-hackathon

1 stars 0 forks source link

Sögur's Smart Contract System - Bug Bounty #2

Open ronsabo opened 4 years ago

ronsabo commented 4 years ago

Prize Bounty

Up to 50,000$ (in SGR)

The Bounty size depends on the severity of the issue found. Please use this structured bounty table for general guidance. All final decisions are at the discretion of Sögur.

Severity Payment in SGR Example
Low $1,000 An attack on the whitelisting mechanism that will allow already whitelisted address to buy SGR in an amount above its trading class
Medium $5,000 An attack on the whitelisting mechanism that will allow any user to buy or sell SGR directly from the smart contract without pre-approval
High $10,000 A denial of service attack that will make the smart contract system unusable for all users
Critical $50,000 See Remark

Vulnerability will be considered Critical only if it allows an attacker to:

  1. Steal users’ SGR tokens
  2. Steal funds from the Sogur reserve (only for the part of the reserve held on-chain)
  3. Mint SGR tokens to themselves without paying their value in ETH
  4. Manipulate the price of the ETH/SGR at the smart contract level in a manner that creates an arbitrage opportunity to the attacker

Response Targets

Type of Response SLA in business days
First Response 3 days
Time to Triage 5 days
Time to Bounty 30 days
Time to Resolution depends on severity and complexity

We will endeavour to keep you informed about our progress throughout the process.

Information & Resources

The Sögur smart contract system is used to manage the issuance of the SGR token and it is crucial to the integrity of the token economics design. The smart contract system enforces that minting and burning of SGR are done solely based on Sögur’s monetary model and in line with Sögur’s AML policy where only approved users can interact with the smart contract to swap ETH for SGR and vice versa. The users' approval process is done off-chain by Sogur's team and it is not part of this bounty program. Instead, our focus is on the parts of the smart contract that are potentially callable by the public.
The above bounties are designed to incentivize security experts, white-hat hackers or anyone with related skills, to critically examine the Sogur smart contract for potential vulnerabilities that fall within a specific scope as defined below.

You are welcome to post any question you might have in our dedicated Telegram group

Scope

Smart contracts system

Code is available at https://github.com/SogurCurrency/smart-contracts

Prior smart contract audits: https://github.com/SogurCurrency/smart-contracts/tree/master/audit/

The smart contract system is deployed on both Ethereum's mainnet and the Ropsten testnet. Contract's address:

Name Mainnet Ropsten
ContractAddressLocatorProxy 0xaAbcd54Faf94925ADBE0df117C62961AcEcBACDb 0xBAf0479a887c3027fC73202eeb8a88aD3B845e0b
AuthorizationDataSource 0xACde447A4F3516b732c06B715044e528475AE1b4 0x9663Ed9c7690C4748C5418b549c55396035A82E5
SGNConversionManager 0x2b5D799bdC438E6Ae0591cFDAbBb3AbF45A7c3c8 0x33B540B0D425e2DEEBEE05d685C7eC310a25cdA9
ModelDataSource 0x4e341aDb6899cFbfB01d6e0e9B83167DB7e1354a 0xE3C82A328093Ad4753b6D3242c34D5832f713c69
PaymentManager 0x8fF8cd23928C3441bF07C34D996Dde7ab5Fc4a64 0xb3277D2d6999558B8b09D5D9ae72A1D930A1F2D9
PaymentQueue 0xb0Aaf76C7966872A8C4AaD71bc7B29129D1695c1 0xa4B892F184FA9f810ba93C4B297B5C9e3885c28f
ReconciliationAdjuster 0xA4071f2298285350E38E36ab2aeAceB8f678B68d 0x2f8067386106D593403f41eF8321C14A42C29F1A
IntervalIterator 0x58930D1c41452147C374155390D3363b24Dc7032 0x123399c30B0188C41225115ED94927f8D8a754F2
MintManager 0xeAaBf61Ab43a79a1F980e98bd2d39b5E27dcaCc6 0x4bA02bf81D9abE55BD9A33dbbaFeCf26935FAcC0
PriceBandCalculator 0x3bC0829Db9A40a1Ede9F4c40Cec789b78bf1Ee5B 0xB862FEA420eB73fd6B50Bd1e02F1186A6685434a
ModelCalculator 0x15231F21a6D599ef470593b0C42c278084CF293E 0x1b66B7B8D38C73210321330245a451Fd77Bb3202
RedButton 0x8Fc1b914A55DD5A2572Ed644EcfF11624F9Fe278 0xFDBC02aF89E6151e6e493eA5fCd10b2E6ed20EA4
ReserveManager 0xCD53A7cfF0686Eb6Ee1B7157ff184F8FC8a6ac4F 0x33C0c5B264D17b853DfF622f12D72B52f7434f2d
SgnToSgrExchangeInitiator 0xdb4a210915ddC08A08db45B28d64CE2bA01D6A3a 0xcFeD095fb2cF33d12F90C472970a0cA827040bc6
MonetaryModel 0xC9ba890cb2589C96F073acBD3985f36D8503786A 0x94A6661a786A634FCC713B298468bC88e38A574C
MonetaryModelState 0xa59F1F7Aa4DDA0E9A682ea325AE3F4F12e3d6A96 0x6e6F4F50297DBb6c9314dD6c640De7c415F7997A
SGRAuthorizationManager 0xC42123690348918f87f99F3236D5E0B3F4bac310 0xd1F9c26bc7E66896A9ED1d8631dBA962Cc4e754d
SGRToken 0xAEa8e1b6CB5c05D1dAc618551C76bcD578EA3524 0xEd8F60f02c333d3B0E6Cf0553C19df7E9A99226F
SGRTokenManager 0x0142220147cC66c18b1E919b0FEc6d78CF850064 0x3b5830156F2DF9A4A639523c057572208496cbB6
SGRTokenInfo 0xa47ca3261571F03959e8C361d451d9974CC1d217 0x60c9254A9b36dEBE4de51b1A4B865D042E26B9CD
SGNAuthorizationManager 0x34DA782b5BA7b0774a90f9639CF69FD2A52D1B9a 0xbA245c9F5BF8e387E37F95354cf566d98048dB0B
SGNToken 0x082E6d22225a6a26ED3CD35342E6722dB31F42e5 0xfC2Eda4E72Be49733490eb4d5031bF9D7191185E
SGNTokenManager 0xC9a96a55C0895fdb5d9154A33ceAB9dcD0DF3fc5 0xcc04CC32CaD421ed34Ad050eB85D08029036881B
MintingPointTimersManager 0x4cd2F77C388e8d266921ba1bef2E519e3118703F 0xB7BBffc1715F0602859D7B0F9a4E9FdBF956cb8f
TradingClasses 0x8eb7BC0928Cc0d111b8f8Fdd828620Dad646e01f 0x7597fd72039553C7cb6e13b3CBBB1b4c5EeFDd4E
WalletsTradingLimiterValueConverter 0x5C186FDcf94e25E82BffC4ce0B367D13AaB9C335 0x24639E051623d2820c7219F80641e16F4B0Ffe7b
BuyWalletsTradingDataSource 0x349fE288A98324167926b3Fa830aef5fc5AEaf7b 0x687AC615B2F62ba3AC61f8AA6e5Ec4816129891E
SellWalletsTradingDataSource 0x2bfE3f7A3206e605adF31e46BB2cbE6A2164d4b5 0x6E1E0b2eEae7Ce2363718CDD4A92aA4ADbe47f6A
WalletsTradingLimiterSGNTokenManager 0x4aCE1144e7BD311940E286b48E93c2933a1c53FF 0x3bf7bFb0Fa92FC0772F2ae10534f2018c024eD52
BuyWalletsTradingLimiterSGRTokenManager 0x6AaF94Bc4E4356c533C03c0E28Aa9703B69b0666 0xD1c6Da5582932054cf3951D49CEd6E970FAaCE97
SellWalletsTradingLimiterSGRTokenManager 0x00Fc1860152F32ADe05433a54318666a97D249d9 0x8851eE081986442435A00147A1a28890BE27E1dB
ETHConverter 0x899C22a6b4C538E37612332F276481C016963d3D 0xc972738049BcB5394D714ED041879201F0f8192F
TransactionLimiter 0x9c9C21c7716a21c731F59D72efC991320B6E5E12 0xa8BE51dB320A19350ac2bf5314e1C06858F15907
TransactionManager 0xf4DD8b5361C033135C80491E9D68bC487A49DD92 0x7253cbe2F8881eBab54ce6bD108272489f77a4d5
RateApprover 0x007FF3B4639bAF3AeD4056b11c5abb03B243835B 0xDC71a78C6EA817d59c2B0462B39b62B296A7d487
SGAToSGRInitializer 0xAf567caCE0f27708825adbDBD0d64Bbcf174D7E0 0xfc46C2184D05A602E30317afBF83eeC09381a174

Program Rules

Out of scope vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug.

The following issues are considered out of scope:

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Thank you for helping keep Sögur and our users safe!

Our Channels:

Website I Twitter I Telegram I YouTube I Facebook I LinkedIn I GitHub I Medium

gitcoinbot commented 4 years ago

Issue Status: 1. Open 2. Started 3. Submitted 4. Done


This issue now has a funding of 35700.0 SGR (50694.0 USD @ $1.42/SGR) attached to it.