Decentralized perpetuals with blazing-fast settlement, backed by @Polychain, BH Digital, SIG, and Tower Research.
In Scope
Target | Type | Severity | Reward |
---|---|---|---|
https://github.com/hackenproof/bluefin-exchange-contracts-sui !! Only smart contracts residing in the bluefin_foundation folder (excluding test.move and test_coin.move) are in scope. The rest is there to make testing easier !! Please contact our support team to get access to scope. | Smart Contract | Critical | Bounty |
https://github.com/hackenproof/elixir_bluefin_integration Please contact our support team to get access to scope. | Smart Contract | Critical | Bounty |
Asset details:
https://github.com/hackenproof/bluefin-exchange-contracts-sui
- Move based
- mLOC: 6566
- !! Only smart contracts residing in the bluefin_foundation folder (excluding test.move and test_coin.move) are in scope. The rest is there to make testing easier !!
- Please contact our support team to get access to scope.
https://github.com/hackenproof/elixir_bluefin_integration
- Move based
- mLOC: 1227
- Please contact our support team to get access to scope.
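The scope rule above is narrower than the repository: only Move sources under the bluefin_foundation folder count, minus test.move and test_coin.move. The following script is an added example, not part of this program page or of the Bluefin repositories; it enumerates exactly the files the rule admits and sums their line counts so a researcher can confirm what is in scope before spending time on a file. The sample tree it builds is constructed for illustration; the mLOC figure in the table may have been measured with different rules (comments, blank lines), so treat a mismatch as a reason to ask support rather than as an error.

```shell
#!/bin/sh
# Added example, not part of the bounty page or the Bluefin repositories.
# Enumerates the Move sources the scope rule admits: every .move file under a
# bluefin_foundation folder except test.move and test_coin.move, and sums
# their line counts for comparison with the mLOC figure in the scope table.
# The tree built in main_demo is constructed for illustration only; point
# list_in_scope at a real checkout to use it.

# Print the in-scope .move files under the repo root $1, one per line, sorted.
list_in_scope() {
    find "$1" -type f -path '*/bluefin_foundation/*' -name '*.move' \
        ! -name 'test.move' ! -name 'test_coin.move' | sort
}

# Print the total number of lines across the in-scope files under $1.
# Assumes file paths contain no whitespace (true for the repository layout).
count_in_scope_loc() {
    files=$(list_in_scope "$1")
    if [ -z "$files" ]; then
        echo 0
        return 0
    fi
    # shellcheck disable=SC2086
    cat $files | wc -l | tr -d ' '
}

# Build a constructed sample checkout, run both checks, and clean up.
main_demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bluefin_foundation/sources" "$tmp/helpers/sources"
    # In scope: three lines.
    printf 'module a::exchange {}\n// line 2\n// line 3\n' \
        > "$tmp/bluefin_foundation/sources/exchange.move"
    # Excluded by name even though they sit in the scoped folder.
    printf 'module a::test {}\n' > "$tmp/bluefin_foundation/sources/test.move"
    printf 'module a::test_coin {}\n// x\n' \
        > "$tmp/bluefin_foundation/sources/test_coin.move"
    # Outside the scoped folder: ignored.
    printf 'module b::helper {}\n// out\n// out\n// out\n' \
        > "$tmp/helpers/sources/helper.move"
    echo "In-scope files:"
    list_in_scope "$tmp"
    echo "In-scope LOC: $(count_in_scope_loc "$tmp")"   # prints 3
    rm -rf "$tmp"
}

main_demo
```

Run it from anywhere to see the constructed demo, or call `list_in_scope /path/to/checkout` in a shell that has sourced the file to list the real in-scope files; the name filter is deliberately on the basename only, so a test.move placed in a nested sources directory is still excluded, matching the wording of the rule.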
IN-SCOPE VULNERABILITIES
Only the following impacts are accepted within this bug bounty program. All other impacts are not considered in scope, even if they affect one of the assets in the scope table.
- Any governance voting result manipulation
- Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
- Permanent freezing of funds
- Insolvency
- Theft of unclaimed yield
- Permanent freezing of unclaimed yield
- Temporary freezing of funds
- Smart contract unable to operate due to lack of funds
- Block stuffing for profit
- Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
- Theft of gas
- Unbounded gas consumption
- Smart contract fails to deliver promised returns, but doesn’t lose value
- Functional correctness of implementation even if it's not directly impacting user funds
- Best practices, architectural flaws and other types of issues are included at discretion of Bluefin's team.
OUT OF SCOPE
- Incorrect data supplied by third party oracles
- This does not exclude oracle manipulation or flash loan attacks, which remain in scope
- Basic economic governance attacks (e.g. 51% attack)
- Lack of liquidity
- Sybil attacks
- Centralization risks
The following activities are prohibited by this contest event:
- Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
- Any testing with pricing oracles or third party smart contracts
- Attempting phishing or other social engineering attacks against Bluefin employees and/or customers
- Any denial of service attacks
- Public disclosure of an unpatched vulnerability in an embargoed bounty
- Make every effort not to damage or restrict the availability of products, services, or infrastructure
- Avoid compromising any personal data, interruption, or degradation of any service
- Localize all tests to your accounts
- Perform testing only within the scope
- If you find chained vulnerabilities, we'll pay only for the vulnerability with the highest severity.
- Any details of found vulnerabilities must not be communicated to anyone who is not a member of the HackenProof team or an authorized employee of Bluefin without appropriate permission
For more information, check: https://learn.bluefin.io/docs/
Discussion
We use Discord as our official communication channel: https://bit.ly/3OBQ1QH
Join the channel and create a #support ticket to be added to the conversation.
- Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
- No vulnerability disclosure, including partial disclosure, is allowed for the moment.
- Please do NOT publish/discuss bugs
We are happy to thank everyone who submits valid reports which help us improve our security. However, only those that meet the following eligibility requirements may receive a monetary reward:
- The vulnerability must be a qualifying vulnerability
- Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com
- You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
- You must not be a former or current employee of ours or of one of our contractors.
- Provide detailed but to-the-point reproduction steps
SUI CLI setup
The quickest way to install Sui is using the binaries delivered with every release. If you require more control over the install process, you can install from source. To take advantage of containerization, you can utilize the Docker images in the docker folder of the sui repository.
Install SUI using Homebrew
If you use Homebrew, you can install Sui with the following commands:
brew tap mystenlabs/tap
brew install mystenlabs/tap/sui
Install SUI from binaries
Each Sui release provides a set of binaries for several operating systems. You can download these binaries from GitHub and use them to install Sui.
- Go to https://github.com/MystenLabs/sui.
- In the right pane, find the Releases section.
- Click the release tagged Latest to open the release's page.
- In the Assets section of the release, select the .tgz compressed file that corresponds to your operating system.
- Double-click the downloaded file. If the file doesn't automatically expand, manually unzip the file.
- Open the expanded folder and double-click the appropriate binary to install, beginning with sui-<OS>-<ARCHITECTURE>:
- sui-faucet-<OS>-<ARCHITECTURE>: Local faucet to mint coins on local network.
- sui-indexer-<OS>-<ARCHITECTURE>: An indexer for a local Sui network.
- sui-<OS>-<ARCHITECTURE>: Main Sui binary.
- sui-node-<OS>-<ARCHITECTURE>: Run a local node.
- sui-test-validator-<OS>-<ARCHITECTURE>: Run test validators on a local network for development.
- sui-tool-<OS>-<ARCHITECTURE>: Provides utilities for Sui.
The Sui binary takes several minutes to download and install files, so make sure you allocate enough time for it to complete. Actual time to complete depends on your network connection and computer specifications.
Install SUI from source
Rust and Cargo
Use the following command to install Rust and Cargo on macOS or Linux:
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
Install all Linux prerequisites
Reference the relevant sections that follow to install each prerequisite individually, or run the following to install them all at once:
sudo apt-get install curl git-all cmake gcc libssl-dev pkg-config libclang-dev libpq-dev build-essential
More information about SUI CLI installation:
https://docs.sui.io/guides/developer/getting-started/sui-install
Bluefin Exchange Contracts Sui deploy
1. Clone the Bluefin project and navigate to its folder:
git clone https://github.com/hackenproof/bluefin-exchange-contracts-sui.git && cd bluefin-exchange-contracts-sui
2. Clone submodules with the following command:
yarn submodules
3. Navigate to the library-sui submodule directory and build it with yarn:
cd submodules/library-sui && yarn build
4. From the project root directory execute yarn to install dependencies.
5. Create a SUI wallet:
sui client new-address secp256k1
6. Create a .env file using the provided .env.example. Specify DEPLOYER_SEED (secp256k1) and DEPLOY_ON (see submodules/library-sui/networks.json for the available networks to deploy to). The deployer account must be among the sui client addresses.
cp .env.example .env
After this, follow one of the following schemes for deploying on testnet, mainnet or a local network.
Deploy to the local network or testnet with fake pyth
In the .env file set the DEPLOY_ON parameter to local or testnet and ENV to DEV.
Example:
DEPLOY_ON = testnet
ENV = DEV
Join the SUI Discord server through the following link: https://discord.gg/sui
Navigate to the Sui #devnet-faucet or #testnet-faucet Discord channel and send the following message to receive testnet SUI tokens to cover gas costs:
!faucet your_sui_wallet_address
Run the following commands to deploy the entire project to the testnet:
yarn deploy:pyth
yarn deploy
For deploying the project to testnet with real pyth or to mainnet, please check the official Bluefin documentation:
Test execution
1. Fund the deployer using yarn faucet --account <acct_address>
2. Fund the testing accounts using yarn fund:test:accounts
3. Deploy the package using yarn deploy. Every time a change is made to the package, it must be re-deployed before running tests.
4. Run the tests using yarn test
File | Lines of Code |
---|---|
error.move | 282 |
evaluator.move | 320 |
events.move | 56 |
exchange.move | 933 |
funding_rate.move | 164 |
library.move | 199 |
margin_bank.move | 460 |
margin_math.move | 88 |
order.move | 375 |
perpetual.move | 774 |
position.move | 264 |
roles.move | 523 |
signed_number.move | 174 |
test.move | 98 |
test_coin.move | 28 |
vaults.move | 124 |
isolated_adl.move | 292 |
isolated_liquidation.move | 427 |
isolated_trading.move | 456 |
error_pyth.move | 5 |
event.move | 27 |
i64.move | 115 |
price.move | 40 |
price_feed.move | 41 |
price_identifier.move | 17 |
price_info.move | 241 |
pyth.move | 43 |
bluefin_vault.move | 502 |
constants.move | 38 |
distributor.move | 202 |
errors.move | 67 |
events.move | 196 |
maths.move | 12 |
roles.move | 160 |
signed_number.move | 50 |
Total Lines of Code | 7793 |
- 40% for critical issues
- 30% for high issues
- 15% for medium issues
- 5% for gas optimization issues and best practices
Read more: https://docs.hackenproof.com/