###############################
Bounties
###############################
The bug bounties on this page apply only to the *0x smart contracts* on Ethereum mainnet, Binance Smart Chain, Polygon, Avalanche, Fantom, Celo, Optimism and future deployments in other EVM-compatible networks announced through our official communication channels.
Bug reports pertaining to 0x API and 0x web interfaces (e.g. Matcha, 0x.org), both in terms of UI/UX or servers/infrastructure, are not eligible. Only the first reporter of a given contract vulnerability will be rewarded, and findings already discovered as part of a formal audit are ineligible.
Overview
--------
0x has completed smart contract audits with Consensys Diligence, Trail of Bits and ABDK. We run a continuous bug bounty program for the V4 release of the 0x core contracts.
Scope
-----
The following contracts are in scope of the bug bounty. Please note that any bugs already reported are considered out of scope. See the `Audits <./audits.html>`_ page for third-party security reports.
+------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------+
| **Release** | **Contracts** | **Commit Hash** |
+------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------+
| Exchange V4 | * Documentation at `https://docs.0xProtocol.org/en/latest/ <https://docs.0xProtocol.org/en/latest/>`__ | |
| | * `ZeroEx.sol <https://github.com/0xProject/protocol/tree/development/contracts/zero-ex/contracts/src/ZeroEx.sol>`__ | |
| | * `ZeroExOptimized.sol <https://github.com/0xProject/protocol/tree/development/contracts/zero-ex/contracts/src/ZeroExOptimized.sol>`__ | |
| | * `external/*.sol <https://github.com/0xProject/protocol/tree/development/contracts/zero-ex/contracts/src/external>`__ | |
| | * `features/*.sol <https://github.com/0xProject/protocol/tree/development/contracts/zero-ex/contracts/src/features>`__ | |
| | * `fixins/*.sol <https://github.com/0xProject/protocol/tree/development/contracts/zero-ex/contracts/src/fixins>`__ | |
| | * `migrations/*.sol <https://github.com/0xProject/protocol/tree/development/contracts/zero-ex/contracts/src/migrations>`__ | |
| | * `storage/*.sol <https://github.com/0xProject/protocol/tree/development/contracts/zero-ex/contracts/src/storage>`__ | |
+------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------+
| Exchange V3 | * `ERC20BridgeProxy.sol <https://github.com/0xProject/0x-monorepo/blob/fb8360edfd4f42f2d2b127b95c156eb1b0daa02b/contracts/asset-proxy/contracts/src/ERC20BridgeProxy.sol>`_ (`spec <https://github.com/0xProject/0x-protocol-specification/blob/master/asset-proxy/erc20-bridge-proxy.md>`__) | `fb8360edfd <https://github.com/0xProject/0x-monorepo/tree/fb8360edfd4f42f2d2b127b95c156eb1b0daa02b/contracts>`__ |
| | * `Exchange.sol <https://github.com/0xProject/0x-monorepo/blob/fb8360edfd4f42f2d2b127b95c156eb1b0daa02b/contracts/exchange/contracts/src/Exchange.sol>`__ (`spec <https://github.com/0xProject/0x-protocol-specification/blob/master/v3/v3-specification.md>`__) | |
| | * `ZeroExGovernor.sol <https://github.com/0xProject/0x-monorepo/blob/fb8360edfd4f42f2d2b127b95c156eb1b0daa02b/contracts/multisig/contracts/src/ZeroExGovernor.sol>`_ (`spec <https://github.com/0xProject/0x-protocol-specification/blob/master/v3/zero-ex-governor.md>`__) | |
| | * `Staking.sol <https://github.com/0xProject/0x-monorepo/blob/fb8360edfd4f42f2d2b127b95c156eb1b0daa02b/contracts/staking/contracts/src/Staking.sol>`_ (`spec <https://github.com/0xProject/0x-protocol-specification/blob/master/staking/staking-specification.md>`__) | |
| | * `StakingProxy.sol <https://github.com/0xProject/0x-monorepo/blob/fb8360edfd4f42f2d2b127b95c156eb1b0daa02b/contracts/staking/contracts/src/StakingProxy.sol>`_ (`spec <https://github.com/0xProject/0x-protocol-specification/blob/master/staking/staking-specification.md>`__) | |
| | * `ZrxVault.sol <https://github.com/0xProject/0x-monorepo/blob/fb8360edfd4f42f2d2b127b95c156eb1b0daa02b/contracts/staking/contracts/src/ZrxVault.sol>`_ (`spec <https://github.com/0xProject/0x-protocol-specification/blob/master/staking/staking-specification.md>`__) | |
+------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------+
| Exchange V2.1 | * `src/2.0.0/protocol <https://github.com/0xProject/0x-monorepo/tree/ff70c5ecfe28eff14e1a372c5e493b8f5363e1d0/packages/contracts/src/2.0.0/protocol>`_ | `ff70c5ecfe <https://github.com/0xProject/0x-monorepo/tree/ff70c5ecfe28eff14e1a372c5e493b8f5363e1d0/packages/contracts/src/2.0.0>`_ |
| | * `src/2.0.0/utils <https://github.com/0xProject/0x-monorepo/tree/ff70c5ecfe28eff14e1a372c5e493b8f5363e1d0/packages/contracts/src/2.0.0/utils>`_ | |
+------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------+
| MultiAssetProxy | * `MultiAssetProxy.sol <https://github.com/0xProject/0x-monorepo/blob/c4d9ef9f83508154fe9db35796b6b86aeb0f2240/contracts/asset-proxy/contracts/src/MultiAssetProxy.sol>`_ | `c4d9ef9f83 <https://github.com/0xProject/0x-monorepo/tree/c4d9ef9f83508154fe9db35796b6b86aeb0f2240/contracts>`_ |
+------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------+
| ERC1155Proxy | * `ERC1155Proxy.sol <https://github.com/0xProject/0x-monorepo/blob/77484dc69eea1f4f1a8397590199f3f2489751d2/contracts/asset-proxy/contracts/src/ERC1155Proxy.sol>`_ | `77484dc69e <https://github.com/0xProject/0x-monorepo/tree/77484dc69eea1f4f1a8397590199f3f2489751d2/contracts>`_ |
+------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------+
| StaticCallProxy | * `StaticCallProxy.sol <https://github.com/0xProject/0x-monorepo/blob/54f4727adc6da95f312e3721f44857110555d24c/contracts/asset-proxy/contracts/src/StaticCallProxy.sol>`_ | `54f4727adc <https://github.com/0xProject/0x-monorepo/tree/54f4727adc6da95f312e3721f44857110555d24c/contracts>`_ |
+------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------+
| ERC20BridgeProxy | * `ERC20BridgeProxy.sol <https://github.com/0xProject/0x-monorepo/blob/281658ba349a2c5088b40b503998bea5020284a6/contracts/asset-proxy/contracts/src/ERC20BridgeProxy.sol>`__ | `281658ba34 <https://github.com/0xProject/0x-monorepo/tree/281658ba349a2c5088b40b503998bea5020284a6/contracts>`_ |
+------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------+
Bounties
--------
The bounty program will pay out rewards according to the severity of a vulnerability. The severity of reported vulnerabilities will be graded according to the `CVSS <https://www.first.org/cvss/>`__ (Common Vulnerability Scoring System).
The final reward amount is at the sole discretion of 0x Labs and will be paid out in the stated sum in either USD or ETH.
+----------------------------+---------------------+
| **Exploit Score**          | **Reward**          |
+----------------------------+---------------------+
| Critical (CVSS 9.0 - 10.0) | up to $1,000,000    |
+----------------------------+---------------------+
| High (CVSS 7.0 - 8.9)      | up to $350,000      |
+----------------------------+---------------------+
| Medium (CVSS 4.0 - 6.9)    | up to $35,000       |
+----------------------------+---------------------+
| Low (CVSS 0.0 - 3.9)       | up to $5,000        |
+----------------------------+---------------------+
Disclosures
-----------
Please e-mail all submissions to security@0x.org with the subject "BUG BOUNTY". Your submission
should include any steps required to reproduce or exploit the vulnerability. Please allow time for
the vulnerability to be fixed before discussing any findings publicly. After receiving a submission,
we will contact you with expected timelines for a fix to be implemented.