DutchX Smart Contracts 2.0 Bug Bounty

Gnosis (GnosisDAO) · Published Feb 11, 2019 · 4 min read

**Important:** This bounty is no longer handled by Gnosis. dxDAO is the entity responsible for all things related to this bounty. For more information please visit: https://blog.gnosis.pm/gnosis-is-stepping-back-from-the-dxdao-5d368bc269a3

We have recently deployed a revised set of smart contracts governing the DutchX to the Ethereum Mainnet. Both the 1.0 smart contracts as well as the changes in version 2.0 have been audited by Solidified (links to the audit reports below). Access a comprehensive list of the changes here.

In the original bug bounty that ran on DutchX Smart Contracts 1.0, no bugs were found. We will continue running the same public bug bounty on the Mainnet DutchX 2.0 smart contracts (links below).

Program Scope

The scope of our bug bounty program includes all contracts related to the DutchX.

Any bugs (they do not need to necessarily lead to a redeploy) will be considered for bounty. Any attack identified that could steal funds, tokens, or Magnolia would be considered a high threat. If there was a way for someone to reduce the liquidity contribution without holding the appropriate amount of Magnolia, the bug would be considered a medium threat. A reported bug that on its own leads to a redeploy of the code will always be considered a high threat.

In scope:

Examples of what’s in scope:

  • The ability to generate more or less Magnolia than intended
  • The ability to steal participants’ funds or Magnolia
  • The ability to reduce liquidity contribution without holding the appropriate amount of Magnolia
  • The ability to settle more than half of liquidity contribution in OWL
  • The inability to retrieve tokens from the protocol
  • The ability to change auctioneer parameters without being an auctioneer
  • Bugs related to the integration of the MakerDAO price feed

Out of scope:

  • Bugs related to Internet Explorer
  • Any bots that might run on top of smart contracts
  • Most user experience issues related to any graphical user interface / front-end
  • Manipulation of the price feed
  • More efficient gas solutions
  • Any points listed in the list of already known weaknesses
  • Any points listed in the audit reports linked above

Compensation

Rewards will be based on the below listed scores, but are ultimately determined at the sole discretion of the Gnosis bug bounty panel.

High: up to $20,000

Medium: up to $5,000

Low: up to $1,000

All bounties will be paid in ETH.

Did you know?

The dxDAO, a next-generation DAO, will govern the DutchX, the first truly decentralized trading protocol. If you’re bug hunting, definitely also check out this post “Test dxDAO Bug Bounties Live”!

Not hunting but want to participate? Stake for your vote here.

Reporting

This blog post contains all the relevant information on the scope, timeline, and compensation of the program.

Most of the Ethereum Foundation bug bounty program rules also apply to the Gnosis bug bounty program:

  • Issues that have already been submitted by another user or that are known to the Gnosis team are not eligible for bounty rewards.
  • Public disclosure of a vulnerability makes it ineligible for a bounty.
  • The Gnosis core development team, employees, and all other people paid by Gnosis, directly or indirectly (including the involved Solidified auditors), are not eligible for rewards.
  • The Gnosis bounty program considers a number of variables in determining rewards. Determinations of eligibility, score, and all terms related to an award are at the sole and final discretion of the Gnosis bug bounty panel.

Please note that a submission’s quality will factor into the level of compensation. A high-quality submission includes an explanation of how the bug can be reproduced, a failing test case, and a fix that makes the test case successful. High-quality submissions may be awarded amounts higher than the figures specified above.

Responsible Disclosure Policy

If you comply with the policies below when reporting a security issue to us, we will not take legal action against you in response to your report.

We ask that:

  • You give us reasonable time to investigate and mitigate an issue you report before making public any information about the report or sharing such information with others.
  • You make a good faith effort to avoid privacy violations and disruptions to others, including (but not limited to) destruction of data and interruption or degradation of our services.
  • You do not exploit a security issue you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.)
  • You do not violate any laws or regulations.

Reporting Process

Public disclosure of the bug or indication of an intention to exploit it on the Mainnet will make the report ineligible for a bounty. Please refer to the Ethereum bug bounty program rules if in doubt about any aspect of the bounty.

Please report bug bounty submissions to bounty@gnosis.pm.

Don’t forget to include your ETH address so you can be rewarded (if more than one address is provided, only one will be used at the discretion of the Gnosis bug bounty panel).

Anonymous submissions are welcome.

Any questions? Reach us via email or Gitter.
