YOLO Decentralized Exchange Bug Bounty

YOLO (yoloswap)

3 min read · Apr 25, 2019

Help us find bugs in YOLO's code and win $KNC

Overview

YOLO is about to go live on mainnet next month and we are starting a bug bounty program for the exchange smart contracts. In short, find bugs in YOLO smart contracts and win rewards.

Show me the code

The smart contracts are available here in the bug_bounty branch. The smart contract specification and security assumptions are also available here.

Major bug finds will be rewarded up to a total of $10,000 (in KNC). Higher rewards will be considered for very severe vulnerabilities.

Rules

Most of the rules on https://bounty.ethereum.org apply to our bounty program:

  • First come, first served
  • Issues that have already been submitted by another user or are already known to the YOLO team are not eligible for bounty rewards
  • Public disclosure of a vulnerability makes it ineligible for a bounty
  • Paid auditors of this code are not eligible for rewards
  • Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of the YOLO team.

Scope

The scope of the smart contracts bug bounty is limited to files in the bug_bounty/contracts directory, excluding the Mock sub-directory. Moreover, the current scope of the bug bounty covers only bugs that either:

  1. Put user funds at risk (excluding CPU and bandwidth stake); or
  2. Give unauthorized accounts (i.e., accounts that are neither admin nor account owner) the ability to steal reserve funds.

We formally define loss of user funds as an exchange operation in which the user receives an effective conversion rate worse than the one they specified. Rounding errors of only a few token units are neglected for the purposes of this bug bounty.
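As an added example (not part of the original post and not YOLO's code), here is how that definition can be turned into the check a failing test case would assert against a completed trade. Amounts are kept in smallest token units, as EOS assets are, so the comparison is exact. The token precisions, the tolerance of two units, and the sample amounts are assumptions for illustration:

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_DOWN

# Added illustration, not YOLO's code. Amounts are held in smallest token
# units (an EOS asset is an integer amount plus a precision), so the check
# itself does not introduce floating-point rounding.


@dataclass
class Conversion:
    src_units: int        # amount the user sent, in smallest units of the source token
    dest_units: int       # amount the user received, in smallest units of the destination token
    min_rate: Decimal     # rate the user specified: destination tokens per 1 source token
    src_precision: int    # decimals of the source token (assumed 4, like EOS)
    dest_precision: int   # decimals of the destination token (assumed 4)

    def __post_init__(self) -> None:
        # Accept the rate as a string so callers never pass a binary float.
        self.min_rate = Decimal(self.min_rate)


def _check_src(c: Conversion) -> None:
    if c.src_units <= 0:
        raise ValueError("source amount must be positive")


def expected_dest_units(c: Conversion) -> int:
    """Smallest destination amount that honours the user's rate, rounded down."""
    _check_src(c)
    src_tokens = Decimal(c.src_units).scaleb(-c.src_precision)
    dest_tokens = src_tokens * c.min_rate
    return int(dest_tokens.scaleb(c.dest_precision).to_integral_value(rounding=ROUND_DOWN))


def effective_rate(c: Conversion) -> Decimal:
    """Rate the user actually got: destination tokens per 1 source token."""
    _check_src(c)
    src_tokens = Decimal(c.src_units).scaleb(-c.src_precision)
    dest_tokens = Decimal(c.dest_units).scaleb(-c.dest_precision)
    return dest_tokens / src_tokens


def shortfall_units(c: Conversion) -> int:
    """Destination units short of the user's rate (0 when the rate was honoured or beaten)."""
    return max(0, expected_dest_units(c) - c.dest_units)


# Tolerance assumed for this example; the bounty text only says "a few token units".
ROUNDING_TOLERANCE_UNITS = 2


def is_user_fund_loss(c: Conversion, tolerance_units: int = ROUNDING_TOLERANCE_UNITS) -> bool:
    """True when the shortfall exceeds what the bounty neglects as rounding."""
    return shortfall_units(c) > tolerance_units


if __name__ == "__main__":
    # Constructed sample: 10.0000 EOS swapped at a user-specified minimum of 250 tokens per EOS.
    samples = {
        "honoured": Conversion(100_000, 25_000_000, "250", 4, 4),  # exact
        "rounding": Conversion(100_000, 24_999_999, "250", 4, 4),  # one unit short: neglected
        "loss": Conversion(100_000, 24_990_000, "250", 4, 4),      # 10,000 units short: a bug
    }
    for name, conv in samples.items():
        print(f"{name}: effective rate {effective_rate(conv)}, "
              f"shortfall {shortfall_units(conv)} units, fund loss: {is_user_fund_loss(conv)}")
```

Only shortfalls count: a trade that gives the user more than the specified rate has a shortfall of 0, since the definition above is about the user receiving a worse rate, not about the reserve overpaying (that falls under the reserve-fund rules). The tolerance is measured in destination token units, so a token with more decimals gets a proportionally tighter allowance.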

Severity

For Bugs Related To User funds

  • Critical — Bugs that can cause a user to lose funds that cannot be recovered by the YOLO Network and/or YOLO reserve are of critical severity.
  • High — Bugs that cause a user to lose funds under the assumption that the reserve manager could be dishonest or even malicious are of high severity.
  • Medium — Bugs that cause a user to lose funds in an EOS-to-token (or vice versa) conversion in the network contract, even under the assumption that the network admin is malicious, are of medium severity. This does not include the admin changing the network code or using untrusted token code.
  • Low — Bugs that may cause loss of user funds due to the code of any existing reputable token are of low severity.

For Bugs Related to Reserve

  • Critical — Bugs that allow stealing an unbounded amount of funds from the reserve within a single transaction are of critical severity.
  • High — Bugs that allow stealing funds from the reserve using an unauthorized account are of high severity.
  • Low — Bugs that allow the network admin to steal reserve funds are currently of low severity.

An example of bugs not currently covered by the program is denial-of-service bugs that prevent the YOLO Network or YOLO Reserve from providing an exchange service.

Compensation

The value of rewards will vary depending on Severity. The severity of a bug is determined according to the OWASP risk rating model based on Impact and Likelihood, as employed in the Ethereum bug bounty campaign:

  • Note: Up to $25 in KNC
  • Low: Up to $300 in KNC
  • Medium: Up to $1,000 in KNC
  • High: Up to $3,000 in KNC
  • Critical: Up to $10,000 in KNC

The quality of the submission will also affect the compensation. A high quality submission would consist of:

  • An explanation of how the bug can be reproduced
  • A failing test case
  • A fix that makes the test case pass

High quality submissions may be awarded amounts higher than the amounts specified above.

We request that you give us a reasonable amount of time to reply to your inquiry, and that you do not exploit any vulnerability you discover.

Contact

Please direct your submissions to hello@yoloswap.com. We also welcome anonymous submissions.

YOLO (yoloswap): Simple, Instant, and FREE Token Swaps on EOS