Decentralized perpetuals with blazing-fast settlement, backed by @Polychain, BH Digital, SIG, and Tower Research.
Target | Type | Severity | Reward |
---|---|---|---|
https://github.com/hackenproof-public/bluefin-dex-contracts-v3 | Smart Contract | Critical | Bounty |
Out of Scope:
Please contact our support team in Discord to get access to scope.
Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.
The validate_tx_replay function is vulnerable to transaction replay for a KMS wallet, where the same data payload can have two different unique signatures.
The following activities are prohibited by this contest event:
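The replay weakness noted above is a general pattern: if a replay guard deduplicates on the signature bytes, a signer that randomizes each signature (ECDSA with a fresh k, as a KMS-backed secp256k1 key does) can produce a second valid signature over the identical payload and pass the guard. The TypeScript below is an added illustration, not code from the Bluefin contracts or SDK; the payload shape, the key-selector names and the guard factory are hypothetical, and it keys the hardened guard on a nonce carried inside the signed bytes.

```typescript
// Added example (not Bluefin's code): a replay guard keyed on the signature
// fails against randomized ECDSA; one keyed on the signed (account, nonce) holds.
import { createHash, generateKeyPairSync, sign, verify } from "node:crypto";

// Constructed payload shape; the nonce is part of what gets signed.
export interface Payload { account: string; action: string; nonce: number }

// Stand-in for a KMS-held secp256k1 key (hypothetical; generated locally here).
const { privateKey, publicKey } = generateKeyPairSync("ec", { namedCurve: "secp256k1" });

const encode = (p: Payload): Buffer => Buffer.from(JSON.stringify(p));

// OpenSSL ECDSA picks a random k per call, so the same bytes get a new signature each time.
export function kmsSign(p: Payload): Buffer {
  return sign("sha256", encode(p), privateKey);
}

export function verifySig(p: Payload, sig: Buffer): boolean {
  return verify("sha256", encode(p), publicKey, sig);
}

// A guard = "signature must verify, and the chosen key must not have been seen before".
type KeyFn = (p: Payload, sig: Buffer) => string;
export function makeReplayGuard(keyOf: KeyFn): (p: Payload, sig: Buffer) => boolean {
  const seen = new Set<string>();
  return (p, sig) => {
    if (!verifySig(p, sig)) return false;
    const k = keyOf(p, sig);
    if (seen.has(k)) return false;
    seen.add(k);
    return true;
  };
}

// Weak: dedupes on hash(signature). A re-signed copy of the same payload has a new hash.
export const sigKeyed: KeyFn = (_p, sig) => createHash("sha256").update(sig).digest("hex");

// Hardened: dedupes on a nonce that is inside the signed payload, so it cannot change
// without invalidating the signature.
export const nonceKeyed: KeyFn = (p) => `${p.account}:${p.nonce}`;
```

The guard's unit of uniqueness must be something the signer cannot vary while the payload stays the same; the signature is not that, but a signed nonce (or a signed expiry plus a sequence number) is.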
For more information, check: https://learn.bluefin.io/docs/
We use Discord as official communication channel: https://discord.gg/YdTmZuRQ Join the channel, and create #support ticket to be added for conversation.
We are happy to thank everyone who submits valid reports which help us improve the security. However, only those that meet the following eligibility requirements may receive a monetary reward:
Please note: Minor or theoretical loss vectors — such as small rounding errors — do not qualify as critical, even if they technically result in direct fund movement. This definition is consistent with HackenProof’s Smart Contract Vulnerability Classification, and final decisions on severity will be made in collaboration with the project team.
We encourage researchers to submit all impactful findings, but only those meeting the strict “substantial fund theft” threshold will trigger the bonus payout.
🧮 Reward Splitting for Duplicate Findings
If the same issue is reported by multiple researchers, the reward will be split using the following formula:
Final Reward = Severity Weight × (0.9 ^ (N - 1)) / N
Where:
Severity Weight =
N = number of researchers who submitted the same valid issue
Rewards are normalized against the total contest allocation and severity budget
Example (for a High severity issue with a weight of 50):
🧠 This system encourages early discovery and rewards uniqueness while ensuring all valid reporters are fairly acknowledged.
Before starting, ensure you have the following installed on your system:
Requirement | Version | Installation Link |
---|---|---|
Git | Latest | git-scm.com |
Node.js | v18.x or v20.x | nodejs.org |
Yarn | Latest | yarnpkg.com |
Rust | Latest (for Sui CLI) | rustup.rs |
Choose the installation method that works best for your platform:
```bash
# Option A: Homebrew
brew install sui
# Option B: build with cargo
cargo install --locked --git https://github.com/MystenLabs/sui.git --branch devnet sui
```
Verify the install:
```bash
sui --version
# Expected output: sui 1.x.x
```
Set up your project workspace:
```bash
# Create and enter project directory
mkdir bluefin-dex-v3-workspace
cd bluefin-dex-v3-workspace
# Clone all required repositories
git clone https://github.com/hackenproof-public/bluefin-dex-contracts-v3.git
git clone https://github.com/hackenproof-public/library-sui.git
git clone https://github.com/hackenproof-public/pro-tests.git
# Navigate to main project
cd bluefin-dex-contracts-v3
```
Expected Directory Structure:
```text
bluefin-dex-v3-workspace/
├── bluefin-dex-contracts-v3/ # 📁 Main contracts project
├── library-sui/ # 📁 Sui TypeScript SDK
└── pro-tests/ # 📁 Extended test suite
```
Create symbolic links to connect dependencies:
```bash
# From inside bluefin-dex-contracts-v3/
ln -sf ../library-sui ./library-sui
ln -sf ../pro-tests ./pro-tests
```
Install all Node.js packages:
```bash
# Install main project dependencies
yarn install
# Install library-sui dependencies
cd library-sui && yarn install && cd ..
```
💡 Node.js Version Issues? If you encounter compatibility errors, switch to Node.js 20:
```bash
nvm install 20 && nvm use 20
```
Initialize Sui for devnet development:
```bash
sui client
```
Configuration Prompts:
```text
Config file doesn't exist, do you want to connect to a Sui Full node server [y/N]?
→ y
Sui Full node server URL
→ https://fullnode.devnet.sui.io:443
Environment alias for devnet Full node server
→ devnet
Select key scheme to generate keypair (0 for ed25519, 1 for secp256k1, 2 for secp256r1)
→ 0
```
🔐 Important: Save the generated Secret Recovery Phrase securely - you'll need it in the next step.
Request SUI tokens for testing:
```bash
sui client faucet
```
Verify you received tokens:
```bash
sui client gas
# You should see ~10 SUI tokens
```
Create your .env file:
```bash
cat > .env << 'EOF'
DEPLOY_ON=devnet
DEPLOYER_PHRASE=your_12_word_recovery_phrase_here
WALLET_SCHEME=ED25519
EOF
```
⚠️ Replace your_12_word_recovery_phrase_here with the actual recovery phrase from Step 5.
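Because the deployer phrase in this file controls the account that deploys and runs genesis, it is worth checking the file before `yarn deploy`. The TypeScript below is an added helper, not part of the Bluefin repositories: it parses the .env, flags an unedited placeholder, a phrase that is not 12 words, an unknown WALLET_SCHEME, and a missing .gitignore entry. The accepted scheme names and the 12-word length are assumptions taken from the key-scheme prompt and placeholder on this page.

```typescript
// Added example (not from the Bluefin repos): pre-deploy sanity check for the .env above.
const PLACEHOLDER = "your_12_word_recovery_phrase_here";
// Assumed to mirror the three key schemes offered by `sui client`.
const KNOWN_SCHEMES = new Set(["ED25519", "SECP256K1", "SECP256R1"]);

// Minimal KEY=VALUE parser; ignores blank lines and # comments.
export function parseEnv(text: string): Map<string, string> {
  const out = new Map<string, string>();
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 0) continue;
    out.set(line.slice(0, eq).trim(), line.slice(eq + 1).trim());
  }
  return out;
}

// Returns a list of problems; an empty list means the file is ready for `yarn deploy`.
export function checkEnv(envText: string, gitignoreText: string): string[] {
  const env = parseEnv(envText);
  const problems: string[] = [];
  if (env.get("DEPLOY_ON") !== "devnet") {
    problems.push("DEPLOY_ON is not devnet, which this guide targets");
  }
  const phrase = env.get("DEPLOYER_PHRASE") ?? "";
  const words = phrase.split(/\s+/).filter((w) => w.length > 0);
  if (phrase === PLACEHOLDER) {
    problems.push("DEPLOYER_PHRASE still contains the placeholder");
  } else if (words.length !== 12) {
    problems.push(`DEPLOYER_PHRASE has ${words.length} words, expected 12`);
  }
  const scheme = env.get("WALLET_SCHEME") ?? "";
  if (!KNOWN_SCHEMES.has(scheme)) {
    problems.push(`WALLET_SCHEME "${scheme}" is not one of the sui client key schemes`);
  }
  // The phrase controls the deployer account, so the file must never be committed.
  const ignored = gitignoreText.split("\n").map((l) => l.trim());
  if (!ignored.includes(".env")) problems.push(".env is not listed in .gitignore");
  return problems;
}

// Constructed sample: the template from this page left unedited.
export const SAMPLE_ENV =
  "DEPLOY_ON=devnet\nDEPLOYER_PHRASE=your_12_word_recovery_phrase_here\nWALLET_SCHEME=ED25519\n";
```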
Build the project components in order:
```bash
# Build library-sui SDK first
cd library-sui && yarn build && cd ..
# Build smart contracts
yarn build
```
Deploy contracts and run setup:
```bash
# Deploy contracts
yarn deploy
# Execute genesis transaction
yarn genesis
# Setup test environment
yarn setup:tests
```
💰 Low on SUI? Request more tokens: sui client faucet
Execute the test suite:
```bash
yarn test
```
Expected Output:
```text
Test Executor
✓ Scenario 10-a: Tests a previous reversion when match price and oracle price are wide.
1 passing (11s)
```