Melon Bug Bounty Program

Jenna Zenk
Enzyme
Mar 8, 2019

SCAN THE MELON PROTOCOL v1.0 FOR SECURITY VULNERABILITIES. REWARD POOL: CHF 250,000

Melonport is pleased to announce it has granted CHF 250,000 to the Melon Council for bug bounty purposes. This reward pool has been converted into DAI (247,989 DAI). The Melon Council will be able to use those funds to pay out bounties to people sharing security findings on the Melon protocol.

BUG BOUNTY

To test the security of our smart contracts and surface any vulnerabilities in our code, we invite and challenge everyone to find attack vectors and security vulnerabilities in the Melon protocol.

A total reward pool of 247,989 DAI is available to pay out bounties. Bounties will be paid for all security vulnerabilities found and disclosed to the Melon Council, provided that:

  • You send a written report describing the full method to security@melonport.com (and later on to the Melon Council security email).
  • The vulnerability has not been reported before.
  • The issue reported is not an acknowledged aspect of the system.

The bug bounty is subject to the terms and conditions available on GitHub.

What does a good vulnerability submission look like?

A good submission should typically include:

  1. a clear description of the bug
  2. a description of the attack scenario
  3. the impact of that scenario
  4. any components needed to reproduce it
  5. any other details that might be helpful
  6. a potential resolution or fix. Giving examples is always helpful!

What’s in it for me?

The total reward pool available is CHF 250,000. Rewards will be paid out in DAI. The value of rewards paid out will vary depending on severity and other factors. Severity is calculated according to the OWASP Risk Rating Methodology (https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology), based on Impact and Likelihood.

  • Critical: up to DAI 10,000
  • High: up to DAI 5,000
  • Low: up to DAI 500

Reward sizes are guided by the rules above, but are, in the end, determined at the sole discretion of the Melon Council.

A critical issue includes any vulnerability that could irreversibly lock up a fund’s assets, irreversibly destroy the fund, or steal the fund’s assets.

Ok, I’m in. Where do I start?

Repository (master branch): https://github.com/melonproject/protocol

Documentation available at: https://www.docs.melonport.com/

You can check out this M-1 talk from Travis Jacobs, walking you through the smart contract architecture: https://www.youtube.com/watch?v=RSPusTmlWC0&index=5&t=0s&list=PLzdnEGRLbpgZrywI9gc9ZLrZRo8FKoNir

Below are the smart contracts in scope of the bug bounty. Any valid and previously unknown security vulnerability found and disclosed to the Melon Council will be rewarded.

  • Melon Engine
  • Prices
  • Version
  • Fund
  • Fund components
  • Compliance (participation policy)
  • Risk management policies
  • Exchange adapters

Have fun, and reach out if you find anything!

CTO at Melonport AG; Fullstack engineer with extensive background in finance. #melonport #fintech #blockchain #ethereum #cryptocurrency #javascript #fullstack