dForce Completes Security Audits and Launches Bug Bounty!

dForce
Aug 17, 2019

As an integrated and interoperable DeFi protocol platform, dForce has recently launched USDx, a synthetic indexed USD stablecoin protocol, as the first and cornerstone protocol deployed on Ethereum.

To ensure the highest level of security of our smart contracts, dForce Foundation has engaged PeckShield and SlowMist, two pioneering security auditing firms specializing in smart contract security, to audit and review the USDx protocol. We have worked closely with PeckShield and SlowMist since the start of the audits, not only to ensure proper implementation of the fixes to the code, but also to improve our coding and review practices.

Independent Security Audits

PeckShield and SlowMist have conducted independent security audits on the USDx protocol to ensure the highest security standards. We followed the recommendations in their reports and quickly made all the corresponding fixes to the USDx protocol.

PeckShield is a leading blockchain security company which aims to elevate the security, privacy, and usability of the entire blockchain ecosystem by offering top-notch, industry-leading services and products. PeckShield publishes trending reports and provides services and products to identify hidden vulnerabilities (e.g., in smart contracts and consensus protocols), expose zero-day exploits, defend against emerging threats, perform security auditing and provide consulting services. PeckShield independently verified a DSChief bug in May 2019 for MakerDAO. The full report is available for review in our GitHub repositories: https://github.com/dforcenetwork/docs/blob/master/audit_report/PeckShield_audit_report_en.pdf

SlowMist is a leading security company focusing on the blockchain space, with core technological capabilities in security audits, defense deployment and underground threat intelligence tracking. SlowMist has delivered security audits and defense deployments for a number of the world’s leading exchanges, wallets, public chains and smart contracts. The full report is available for review in our GitHub repositories: https://github.com/dforcenetwork/docs/blob/master/audit_report/SlowMist_audit_report_en.pdf

Bug Bounty Program

Completing an audit is just one part of our focus on security, which is a crucial step in building the infrastructure for a successful decentralized finance ecosystem. Additionally, we call on our community and all bug bounty hunters to start digging into our code and help identify bugs in the protocols.

We will reward members who help us find and address significant bugs, in accordance with the terms of the Bug Bounty Program set out below.

Methodology

We base our rewards on a score calculated according to the OWASP Risk Rating Methodology, factoring in both impact and likelihood. Please try to include as much information in your report as you can, including a description of the bug, its potential impact, and steps for reproducing it or proof of concept.

Rewards

The maximum reward for eligible bugs is the equivalent of $50,000 in USDx. Please note it is entirely at our discretion to decide how an identified bug should be classified for the reward.

- Critical — $50,000

- Moderate — $10,000

- Low — $2,000

Eligibility

Exploits within the following groups are currently eligible for rewards in this bug bounty program.

- Function-level (exploitable through a single entry-point)

- Contract-level (combining multiple entry-points)

- System-level (combining multiple contracts)

Location of Code

The code of the USDx portal is located in our GitHub repositories: https://github.com/dforcenetwork/USDx-Protocol

How to Report a Bug?

Please send your report, including your name, a description of the bug, its potential impact, steps for reproducing it or a proof of concept, and other details, to tech@dforce.network. Once the issue has been submitted, our team will review the information and contact you with more details on the next steps. You will then be required to submit a pull request on GitHub.

Bounty Pay-Out

You will be asked to send proof of identity and an ERC-20 address to be rewarded in USDx.

This program is planned to be a long-running one that will continue indefinitely after the launch of the USDx protocol. To qualify for a reward, the investigation method and vulnerability report must adhere to the guidelines in this document.

Conclusion

The highest standard of smart contract security is core to the long-term success of dForce. The dForce Foundation is working closely with a selected group of business partners to guarantee the safety of the system. We also appreciate the cooperation of bug hunters in helping to identify bugs so that we can address them as soon as possible.

If you have a query or complaint about the Parity Bug Bounty Hunter Program, please contact us through tech@dforce.network.
