Bluefin Perp Audit Contest: Program Info

Decentralized perpetuals with blazing-fast settlement, backed by @Polychain, BH Digital, SIG, and Tower Research.

In scope

Target	Type	Severity	Reward
https://github.com/hackenproof-public/bluefin-dex-contracts-v3 Copy Copied Out of Scope: Anything outside the sources folder test_coin.move file in the sources folder deleverage() function inside exchange.move Please contact our support team in Discord to get access to scope.	Smart Contract	Critical	Bounty

Target

https://github.com/hackenproof-public/bluefin-dex-contracts-v3

Copied

Out of Scope:

Anything outside the sources folder
test_coin.move file in the sources folder
deleverage() function inside exchange.move

Please contact our support team in Discord to get access to scope.

TypeSmart Contract

Severity

Critical

RewardBounty

Focus Area

IN-SCOPE VULNERABILITIES

Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.

Any governance voting result manipulation
Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
Permanent freezing of funds
Insolvency
Theft of unclaimed yield
Permanent freezing of unclaimed yield
Temporary freezing of funds
Smart contract unable to operate due to lack of funds
Block stuffing for profit
Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
Theft of gas
Unbounded gas consumption
Smart contract fails to deliver promised returns, but doesn’t lose value
Functional correctness of implementation even if it's not directly impacting user funds
Best practices, architectural flaws and other types of issues are included at discretion of Bluefin's team.

OUT OF SCOPE

Incorrect data supplied by third party oracles
Not to exclude oracle manipulation/flash loan attacks
Basic economic governance attacks (e.g. 51% attack)
Lack of liquidity
Sybil attacks
Centralization risks
Bluefin doesn't support multi collateral assets yet and all issues around that are out of scope
The sequencer is considered a trusted party and all issues regarding it acting maliciously or incorrectly are out of scope
Auto deleveraging is out of scope
USDC/USDT are considered to be always pegged to 1$
validate_tx_replay function is vulnerable to transaction replay for a KMS wallet where for the same data payload it can have two different unique signatures

Program Rules

The following activities are prohibited by this contest event:

Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
Any testing with pricing oracles or third party smart contracts
Attempting phishing or other social engineering attacks against Bluefin employees and/or customers
Any denial of service attacks
Public disclosure of an unpatched vulnerability in an embargoed bounty
Make every effort not to damage or restrict the availability of products, services, or infrastructure
Avoid compromising any personal data, interruption, or degradation of any service
Localize all tests to your accounts
Perform testing only within the scope
In case you find chain vulnerabilities we’ll pay only for vulnerability with the highest severity.
Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of Bluefin Company without appropriate permission

For more information, check: https://learn.bluefin.io/docs/

Discussion

We use Discord as official communication channel: https://discord.gg/YdTmZuRQ Join the channel, and create #support ticket to be added for conversation.

Disclosure Guidelines

Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
No vulnerability disclosure, including partial is allowed for the moment.
Please do NOT publish/discuss bugs

Eligibility and Coordinated Disclosure

We are happy to thank everyone who submits valid reports which help us improve the security. However, only those that meet the following eligibility requirements may receive a monetary reward:

The vulnerability must be a qualifying vulnerability
Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com
You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
You must not be a former or current employee of us or one of its contractor.
Provide detailed but to-the point reproduction steps

Rewards Distribution

Total Prize Pool: $85k USDC
45k is a fixed pot which will be distributed for Low/Medium/High severity issues
Additional 40k will be unlocked for critical severity issues discovered: For the purpose of this contest, a critical vulnerability is defined as an issue that enables the theft of substantial user funds or protocol assets.

Please note: Minor or theoretical loss vectors — such as small rounding errors — do not qualify as critical, even if they technically result in direct fund movement. This definition is consistent with HackenProof’s Smart Contract Vulnerability Classification, and final decisions on severity will be made in collaboration with the project team.

We encourage researchers to submit all impactful findings, but only those meeting the strict “substantial fund theft” threshold will trigger the bonus payout.

🧮 Reward Splitting for Duplicate Findings If the same issue is reported by multiple researchers, the reward will be split using the following formula:

Final Reward = Severity Weight × (0.9 ^ (N - 1)) / N

Where:

Severity Weight =
- Low → 20
- Medium → 30
- High → 50
N = number of researchers who submitted the same valid issue
Rewards are normalized against the total contest allocation and severity budget

Example (for a High severity issue with a weight of 50):

1 researcher reports → receives 50 points
2 researchers report → each receives ≈ 22.5 points
3 researchers report → each receives ≈ 15 points

🧠 This system encourages early discovery and rewards uniqueness while ensuring all valid reporters are fairly acknowledged.

Setup Guide

📋 Prerequisites

Before starting, ensure you have the following installed on your system:

Requirement	Version	Installation Link
Git	Latest	git-scm.com
Node.js	v18.x or v20.x	nodejs.org
Yarn	Latest	yarnpkg.com
Rust	Latest (for Sui CLI)	rustup.rs

🚀 Quick Start

Step 1: Install Sui CLI

Choose the installation method that works best for your platform:

macOS (Recommended)

brew install sui

All Platforms (via Cargo)

cargo install --locked --git https://github.com/MystenLabs/sui.git --branch devnet sui

Verify Installation

sui --version
# Expected output: sui 1.x.x

Step 2: Clone Repositories

Set up your project workspace:

# Create and enter project directory
mkdir bluefin-dex-v3-workspace
cd bluefin-dex-v3-workspace

# Clone all required repositories
git clone https://github.com/hackenproof-public/bluefin-dex-contracts-v3.git
git clone https://github.com/hackenproof-public/library-sui.git
git clone https://github.com/hackenproof-public/pro-tests.git

# Navigate to main project
cd bluefin-dex-contracts-v3

Expected Directory Structure:

bluefin-dex-v3-workspace/
├── bluefin-dex-contracts-v3/    # 📁 Main contracts project
├── library-sui/                 # 📁 Sui TypeScript SDK
└── pro-tests/                   # 📁 Extended test suite

Step 3: Link Dependencies

Create symbolic links to connect dependencies:

# From inside bluefin-dex-contracts-v3/
ln -sf ../library-sui ./library-sui
ln -sf ../pro-tests ./pro-tests

Step 4: Install Dependencies

Install all Node.js packages:

# Install main project dependencies
yarn install

# Install library-sui dependencies
cd library-sui && yarn install && cd ..

💡 Node.js Version Issues? If you encounter compatibility errors, switch to Node.js 20:

nvm install 20 && nvm use 20

Step 5: Configure Sui Client

Initialize Sui for devnet development:

sui client

Configuration Prompts:

Config file doesn't exist, do you want to connect to a Sui Full node server [y/N]? → y
Sui Full node server URL → https://fullnode.devnet.sui.io:443
Environment alias for devnet Full node server → devnet
Select key scheme to generate keypair (0 for ed25519, 1 for secp256k1, 2 for secp256r1) → 0

🔐 Important: Save the generated Secret Recovery Phrase securely - you'll need it in the next step.

Step 6: Get Devnet Tokens

Request SUI tokens for testing:

sui client faucet

Verify you received tokens:

sui client gas
# You should see ~10 SUI tokens

Step 7: Configure Environment

Create your .env file:

cat > .env << 'EOF'
DEPLOY_ON=devnet
DEPLOYER_PHRASE=your_12_word_recovery_phrase_here
WALLET_SCHEME=ED25519
EOF

⚠️ Replace your_12_word_recovery_phrase_here with the actual recovery phrase from Step 5.

Step 8: Build Components

Build the project components in order:

# Build library-sui SDK first
cd library-sui && yarn build && cd ..

# Build smart contracts
yarn build

Step 9: Deploy to Devnet

Deploy contracts and run setup:

# Deploy contracts
yarn deploy

# Execute genesis transaction
yarn genesis

# Setup test environment
yarn setup:tests

💰 Low on SUI? Request more tokens: sui client faucet

Step 10: Run Tests

Execute the test suite:

yarn test

Expected Output:

  Test Executor
    ✓ Scenario 10-a: Tests a previous reversion when match price and oracle price are wide.

  1 passing (11s)

Additional materials

Internal stores docs
Margining engine docs

Bluefin Perp Audit Contest: Program info