Clipper Bug Bounty
Start Date: June 22, 2021
Bonus Period: June 22, 2021 - July 13, 2021 (23:59:59 UTC)
Max Bounty: USD 100,000
KYC Required
Program Overview
Clipper is a decentralized exchange (DEX) designed to have the lowest per-transaction costs for small-to-medium-sized trades. It is intended to be the best place for self-made traders to buy and sell the most popular cryptoassets. Here’s a quick overview of Clipper and its core design principles.
We’re excited to announce the launch of a community bug bounty program with Immunefi, the premier bug bounty platform for smart contracts and DeFi projects. This bug bounty program focuses on Clipper’s smart contracts and is mostly concerned with the loss of user funds.
Rewards by Threat Level
Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from the consequences of exploitation to the privilege required for (and the likelihood of) a successful exploit:
- Critical: USD 50,000 - USD 100,000
- High: USD 10,000
- Medium: USD 5,000
- Low: USD 1,000
During the bonus period, the reward for critical vulnerabilities discovered is increased to USD 100,000.
Assets in Scope
Source code for bug bounty here.
The smart contracts under the Mock folder are not considered as in-scope in this bug bounty program.
The smart contracts have been deployed to mainnet but the source code has not been matched (verified) with those deployments. Once the source has been verified through Etherscan on mainnet, they will be added to the assets in scope table. For reference, the mainnet deployments can be found at:
- Exchange Contract: 0x2e9c6Dcdca22A5952A88C4b18EDB5B54C5155BC9
- Pool Contract: 0xe82906b6B1B04f631D126c974Af57a3A7B6a99d9
- Router Contract: 0xf0f455E8b8F4f96Ae5109493C5d3eA5e2c09de47
You can submit your bugs to Immunefi here.
Prioritized Smart Contract/Blockchain Vulnerabilities
We are especially interested in receiving and rewarding vulnerabilities of the following types:
- Re-entrancy
- Logic errors (including user authentication errors)
- Solidity/EVM details not considered (including unhandled exceptions)
- Trusting trust/dependency vulnerabilities (including composability vulnerabilities)
- Economic/financial attacks (including flash loan attacks)
- Congestion and scalability (including running out of gas & block stuffing)
- Susceptibility to block timestamp manipulation (beyond one hour - manipulations around 15 second block timing are not in scope)
- Missing access controls / unprotected internal or debugging interfaces
General Rules & Exclusions
Reports containing the following issues or vulnerabilities are not eligible for a reward at any severity level:
- Any issues that rely on running out of gas because of the variable-sized data structure for holding token information
- Any issues that rely on custom or non-typical token implementations (here, "typical" means "included in the current implementations of wBTC, USDC, USDT, and DAI").
- Any issues around following the 0x PLP API interface. Specifically, any issues around the potential loss of funds if procedures for swap and deposit are not followed (must transfer assets and then call the appropriate function atomically within the same transaction).
- Existing vested deposits may be locked again if they are not first unlocked before making a new deposit
- Issues related to the validation of function inputs if those functions are restricted to administrators only or if incorrect function inputs only affect the assets of the sender.
- Anything related to the miscomputation of the square root of 2.
- Any issues with Chainlink oracles (manipulation, staleness).
- Any issues that involve contract ownership not being set correctly.
- Any issues that involve an unrealistically large asset pool (more than twenty assets, more than $250M in assets at current prices).
- Any issues that involve changes of price, including front-running, within the bounds specified by the minimum buy amount in the 0x PLP API.
Payouts are handled by the Clipper team directly and are denominated in USD, with rewards paid out in USDC. In the event of a difference in rules and exclusions between our post and Immunefi, Immunefi's terms will prevail.
Program-Specific Exclusions
The following vulnerabilities are excluded from the rewards for this bug bounty program:
- Attacks that the reporter has already exploited themselves, leading to damage
- Attacks requiring access to leaked keys/credentials
- Attacks requiring access to privileged addresses or accounts (deployer, ownership, governance)
- Incorrect or manipulated data provided by or to third-party oracles (Flash loan attacks that do not rely on oracle manipulation are IN SCOPE.)
- Basic economic governance attacks (e.g. 51% attack)
- Lack of liquidity
- Best practice critiques
- Sybil attacks
The following activities are prohibited by the bug bounty program:
- Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
- Any testing with pricing oracles or third party smart contracts
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty
Ensuring Safe Seas for Free and Fair Trade
The Clipper team is working closely with the blockchain security community to ensure that the Clipper DEX, and the smart contracts it relies on, have not only been audited by multiple professional firms, but have also been thoroughly vetted by independent developers who have a vested interest in pressure-testing every line of code.
It takes a community effort to safeguard the financial markets of the future and provide a safe harbor for fair and free trades, and we appreciate your help in securing Clipper’s position as the go-to DEX for the best retail trading experience for the most commonly traded cryptocurrencies!
You can learn more about Clipper by visiting our website.