Audit
Triaged by Hackenproof

Bluefin Perp Audit Contest: Program info

Bluefin Perp Audit Contest

Company: Bluefin
KYC required POC required
Live
Contest is active now
Program infoHackers (24)Reports

Decentralized perpetuals with blazing-fast settlement, backed by @Polychain, BH Digital, SIG, and Tower Research.

In scope
TargetTypeSeverityReward
https://github.com/hackenproof-public/bluefin-dex-contracts-v3
copy
Copy
success Copied

Out of Scope:

  • Anything outside the sources folder
  • test_coin.move file in the sources folder
  • deleverage() function inside exchange.move

Please contact our support team in Discord to get access to scope.

Smart Contract
Critical
Bounty
Target
https://github.com/hackenproof-public/bluefin-dex-contracts-v3
copy
Copy
success Copied

Out of Scope:

  • Anything outside the sources folder
  • test_coin.move file in the sources folder
  • deleverage() function inside exchange.move

Please contact our support team in Discord to get access to scope.

TypeSmart Contract
Severity
Critical
RewardBounty

Focus Area

IN-SCOPE VULNERABILITIES

Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.

  • Any governance voting result manipulation
  • Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
  • Permanent freezing of funds
  • Insolvency
  • Theft of unclaimed yield
  • Permanent freezing of unclaimed yield
  • Temporary freezing of funds
  • Smart contract unable to operate due to lack of funds
  • Block stuffing for profit
  • Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
  • Theft of gas
  • Unbounded gas consumption
  • Smart contract fails to deliver promised returns, but doesn’t lose value
  • Functional correctness of implementation even if it's not directly impacting user funds
  • Best practices, architectural flaws and other types of issues are included at discretion of Bluefin's team.

OUT OF SCOPE

  • Incorrect data supplied by third party oracles
  • Not to exclude oracle manipulation/flash loan attacks
  • Basic economic governance attacks (e.g. 51% attack)
  • Lack of liquidity
  • Sybil attacks
  • Centralization risks
  • Bluefin doesn't support multi collateral assets yet and all issues around that are out of scope
  • The sequencer is considered a trusted party and all issues regarding it acting maliciously or incorrectly are out of scope
  • Auto deleveraging is out of scope
  • USDC/USDT are considered to be always pegged to 1$
  • validate_tx_replay function is vulnerable to transaction replay for a KMS wallet where for the same data payload it can have two different unique signatures

Program Rules

The following activities are prohibited by this contest event:

  • Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
  • Any testing with pricing oracles or third party smart contracts
  • Attempting phishing or other social engineering attacks against Bluefin employees and/or customers
  • Any denial of service attacks
  • Public disclosure of an unpatched vulnerability in an embargoed bounty
  • Make every effort not to damage or restrict the availability of products, services, or infrastructure
  • Avoid compromising any personal data, interruption, or degradation of any service
  • Localize all tests to your accounts
  • Perform testing only within the scope
  • In case you find chain vulnerabilities we’ll pay only for vulnerability with the highest severity.
  • Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of Bluefin Company without appropriate permission

For more information, check: https://learn.bluefin.io/docs/

Discussion

We use Discord as official communication channel: https://discord.gg/YdTmZuRQ Join the channel, and create #support ticket to be added for conversation.

Disclosure Guidelines

  • Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
  • No vulnerability disclosure, including partial is allowed for the moment.
  • Please do NOT publish/discuss bugs

Eligibility and Coordinated Disclosure

We are happy to thank everyone who submits valid reports which help us improve the security. However, only those that meet the following eligibility requirements may receive a monetary reward:

  • The vulnerability must be a qualifying vulnerability
  • Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com
  • You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
  • You must not be a former or current employee of us or one of its contractor.
  • Provide detailed but to-the point reproduction steps

Rewards Distribution

  • Total Prize Pool: $85k USDC
  • 45k is a fixed pot which will be distributed for Low/Medium/High severity issues
  • Additional 40k will be unlocked for critical severity issues discovered: For the purpose of this contest, a critical vulnerability is defined as an issue that enables the theft of substantial user funds or protocol assets.

Please note: Minor or theoretical loss vectors — such as small rounding errors — do not qualify as critical, even if they technically result in direct fund movement. This definition is consistent with HackenProof’s Smart Contract Vulnerability Classification, and final decisions on severity will be made in collaboration with the project team.

We encourage researchers to submit all impactful findings, but only those meeting the strict “substantial fund theft” threshold will trigger the bonus payout.

🧮 Reward Splitting for Duplicate Findings If the same issue is reported by multiple researchers, the reward will be split using the following formula:

Final Reward = Severity Weight × (0.9 ^ (N - 1)) / N

Where:

  • Severity Weight =

    • Low → 20
    • Medium → 30
    • High → 50
  • N = number of researchers who submitted the same valid issue

  • Rewards are normalized against the total contest allocation and severity budget

Example (for a High severity issue with a weight of 50):

  • 1 researcher reports → receives 50 points
  • 2 researchers report → each receives ≈ 22.5 points
  • 3 researchers report → each receives ≈ 15 points

🧠 This system encourages early discovery and rewards uniqueness while ensuring all valid reporters are fairly acknowledged.

Setup Guide

📋 Prerequisites

Before starting, ensure you have the following installed on your system:

Requirement Version Installation Link
Git Latest git-scm.com
Node.js v18.x or v20.x nodejs.org
Yarn Latest yarnpkg.com
Rust Latest (for Sui CLI) rustup.rs

🚀 Quick Start

Step 1: Install Sui CLI

Choose the installation method that works best for your platform:

macOS (Recommended)

brew install sui

All Platforms (via Cargo)

cargo install --locked --git https://github.com/MystenLabs/sui.git --branch devnet sui

Verify Installation

sui --version
# Expected output: sui 1.x.x

Step 2: Clone Repositories

Set up your project workspace:

# Create and enter project directory
mkdir bluefin-dex-v3-workspace
cd bluefin-dex-v3-workspace

# Clone all required repositories
git clone https://github.com/hackenproof-public/bluefin-dex-contracts-v3.git
git clone https://github.com/hackenproof-public/library-sui.git
git clone https://github.com/hackenproof-public/pro-tests.git

# Navigate to main project
cd bluefin-dex-contracts-v3

Expected Directory Structure:

bluefin-dex-v3-workspace/
├── bluefin-dex-contracts-v3/    # 📁 Main contracts project
├── library-sui/                 # 📁 Sui TypeScript SDK
└── pro-tests/                   # 📁 Extended test suite

Step 3: Link Dependencies

Create symbolic links to connect dependencies:

# From inside bluefin-dex-contracts-v3/
ln -sf ../library-sui ./library-sui
ln -sf ../pro-tests ./pro-tests

Step 4: Install Dependencies

Install all Node.js packages:

# Install main project dependencies
yarn install

# Install library-sui dependencies
cd library-sui && yarn install && cd ..

💡 Node.js Version Issues? If you encounter compatibility errors, switch to Node.js 20:

nvm install 20 && nvm use 20

Step 5: Configure Sui Client

Initialize Sui for devnet development:

sui client

Configuration Prompts:

  • Config file doesn't exist, do you want to connect to a Sui Full node server [y/N]?y
  • Sui Full node server URLhttps://fullnode.devnet.sui.io:443
  • Environment alias for devnet Full node serverdevnet
  • Select key scheme to generate keypair (0 for ed25519, 1 for secp256k1, 2 for secp256r1)0

🔐 Important: Save the generated Secret Recovery Phrase securely - you'll need it in the next step.

Step 6: Get Devnet Tokens

Request SUI tokens for testing:

sui client faucet

Verify you received tokens:

sui client gas
# You should see ~10 SUI tokens

Step 7: Configure Environment

Create your .env file:

cat > .env << 'EOF'
DEPLOY_ON=devnet
DEPLOYER_PHRASE=your_12_word_recovery_phrase_here
WALLET_SCHEME=ED25519
EOF

⚠️ Replace your_12_word_recovery_phrase_here with the actual recovery phrase from Step 5.

Step 8: Build Components

Build the project components in order:

# Build library-sui SDK first
cd library-sui && yarn build && cd ..

# Build smart contracts
yarn build

Step 9: Deploy to Devnet

Deploy contracts and run setup:

# Deploy contracts
yarn deploy

# Execute genesis transaction
yarn genesis

# Setup test environment
yarn setup:tests

💰 Low on SUI? Request more tokens: sui client faucet

Step 10: Run Tests

Execute the test suite:

yarn test

Expected Output:

  Test Executor
    ✓ Scenario 10-a: Tests a previous reversion when match price and oracle price are wide.

  1 passing (11s)

Additional materials

  • Internal stores docs
  • Margining engine docs
Duration
Start date18 Jun 2025
End date16 Jul 2025
Rewards
Range of bounty$45,000 - $85,000
Severity
Critical
$40,000
High
$0 - $45,000
Medium
$0 - $45,000
Low
$0 - $45,000
Stats
Scope Review44659
Submissions135
Total rewards$0
Types
smart contract
Languages
Move
Hackers (24) View all
Bauer
2
@zckyc
zc
3
Kassy Olisakwe
4
alex babits
5
SLA (Service Level Agreement)
Time within which the program's triage team must respond
Response TypeBusiness days
First Response3d
Triage Time30d
Reward Time40d
Resolution Time30d