Bluefin Audit Contest

Triaged by HackenProof
Live
Contest ends in 10 days

Decentralized perpetuals with blazing-fast settlement, backed by @Polychain, BH Digital, SIG, and Tower Research.

In Scope

Target Type Severity Reward
https://github.com/hackenproof/bluefin-exchange-contracts-sui
  • Move based
  • mLOC: 6566

Please contact our support team to get access to scope.

Smart Contract Critical Bounty
https://github.com/hackenproof/elixir_bluefin_integration
  • Move based
  • mLOC: 1227

Please contact our support team to get access to scope.

Smart Contract Critical Bounty
Target
https://github.com/hackenproof/bluefin-exchange-contracts-sui
  • Move based
  • mLOC: 6566

Please contact our support team to get access to scope.

Type
Smart Contract
Severity
Critical
Reward
Bounty
Target
https://github.com/hackenproof/elixir_bluefin_integration
  • Move based
  • mLOC: 1227

Please contact our support team to get access to scope.

Type
Smart Contract
Severity
Critical
Reward
Bounty

IN-SCOPE VULNERABILITIES

Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.

  • Any governance voting result manipulation
  • Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
  • Permanent freezing of funds
  • Insolvency
  • Theft of unclaimed yield
  • Permanent freezing of unclaimed yield
  • Temporary freezing of funds
  • Smart contract unable to operate due to lack of funds
  • Block stuffing for profit
  • Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
  • Theft of gas
  • Unbounded gas consumption
  • Smart contract fails to deliver promised returns, but doesn’t lose value
  • Functional correctness of implementation even if it's not directly impacting user funds
  • Best practices, architectural flaws and other types of issues are included at discretion of Bluefin's team.

OUT OF SCOPE

  • Incorrect data supplied by third party oracles
  • Not to exclude oracle manipulation/flash loan attacks
  • Basic economic governance attacks (e.g. 51% attack)
  • Lack of liquidity
  • Sybil attacks
  • Centralization risks

The following activities are prohibited by this contest event:

  • Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
  • Any testing with pricing oracles or third party smart contracts
  • Attempting phishing or other social engineering attacks against Bluefin employees and/or customers
  • Any denial of service attacks
  • Public disclosure of an unpatched vulnerability in an embargoed bounty
  • Make every effort not to damage or restrict the availability of products, services, or infrastructure
  • Avoid compromising any personal data, interruption, or degradation of any service
  • Localize all tests to your accounts
  • Perform testing only within the scope
  • In case you find chain vulnerabilities we’ll pay only for vulnerability with the highest severity.
  • Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of Bluefin Company without appropriate permission

For more information, check: https://learn.bluefin.io/docs/

Discussion

We use Discord as official communication channel: https://bit.ly/3OBQ1QH
Join the channel, and create #support ticket to be added for conversation.

  • Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
  • No vulnerability disclosure, including partial is allowed for the moment.
  • Please do NOT publish/discuss bugs

We are happy to thank everyone who submits valid reports which help us improve the security. However, only those that meet the following eligibility requirements may receive a monetary reward:

  • The vulnerability must be a qualifying vulnerability
  • Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com
  • You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
  • You must not be a former or current employee of us or one of its contractor.
  • Provide detailed but to-the point reproduction steps

SUI CLI setup

The quickest way to install Sui is using the binaries delivered with every release. If you require more control over the install process, you can install from source. To take advantage of containerization, you can utilize the Docker images in the docker folder of the sui repository.

Install SUI using Homebrew

If you use Homebrew, you can install Sui with the following commands:

brew tap mystenlabs/tap
brew install mystenlabs/tap/sui

Install SUI from binaries

Each Sui release provides a set of binaries for several operating systems. You can download these binaries from GitHub and use them to install Sui.

  1. Go to https://github.com/MystenLabs/sui.
  2. In the right pane, find the Releases section.
  3. Click the release tagged Latest to open the release's page.
  4. In the Assets section of the release, select the .tgz compressed file that corresponds to your operating system.
  5. Double-click the downloaded file. If the file doesn't automatically expand, manually unzip the file.
  6. Open the expanded folder and double-click the appropriate binary to install, beginning with sui-<OS>-<ARCHITECTURE>:
    • sui-faucet-<OS>-<ARCHITECTURE>: Local faucet to mint coins on local network.
    • sui-indexer-<OS>-<ARCHITECTURE>: An indexer for a local Sui network.
    • sui-<OS>-<ARCHITECTURE>: Main Sui binary.
    • sui-node-<OS>-<ARCHITECTURE>: Run a local node.
    • sui-test-validator-<OS>-<ARCHITECTURE>: Run test validators on a local network for development.
    • sui-tool-<OS>-<ARCHITECTURE>: Provides utilities for Sui.

The Sui binary takes several minutes to download and install files, so make sure you allocate enough time for it to complete. Actual time to complete depends on your network connection and computer specifications.

Install SUI from source

Rust and Cargo

Use the following command to install Rust and Cargo on macOS or Linux:

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

Install all Linux prerequisites

Reference the relevant sections that follow to install each prerequisite individually, or run the following to install them all at once:

sudo apt-get install curl git-all cmake gcc libssl-dev pkg-config libclang-dev libpq-dev build-essential

More information about SUI CLI installation:

https://docs.sui.io/guides/developer/getting-started/sui-install

Bluefin Exchange Contracts Sui deploy

1.Clone the Bluefin project and navigate to its folder:

git clone https://github.com/hackenproof/bluefin-exchange-contracts-sui.git && cd bluefin-exchange-contracts-sui

2.Clone submodules with the following command:

yarn submodules

3.Navigate to library-sui submodule directory and build it with yarn:

cd submodules/library-sui && yarn build

4.From the project root directory execute yarn to install dependencies.

5.Create SUI wallet:

sui client new-address secp256k1

6.Create .env file using .env.example provided. Specify the DEPLOYER\_SEED (secp256k1) and DEPLOY_ON (See submodules/library-sui/networks.json for available networks to deploy) The Deployer account must be in sui-client addresses.

cp .env.example .env

After this please follow the following schemes for deploying on testnet/mainnet/local.

Deploy to the local network or testnet with fake pyth

In the .env file set DEPLOY\_ON parameter to local or testnet and ENV to DEV

Example:

DEPLOY_ON = testnet
ENV = DEV

Join SUI Discord server through the following link: https://discord.gg/sui

Navigate to Sui #devnet-faucet or #testnet-faucet Discord channels and send the following message to receive testnet SUI tokens to cover gas costs

!faucet your_sui_wallet_address

Run following commands to deploy entire project to the testnet

yarn deploy:pyth
yarn deploy

For deploying project to testnet with real pyth or mainnet, please check the official Bluefin documentation:

https://github.com/hackenproof/bluefin-exchange-contracts-sui/tree/main?tab=readme-ov-file#for-deploying-on-testnet-with-real-pyth-1

Test execution

1.Fund deployer using yarn faucet --account <acct_address>
2.Fund testing accounts using yarn fund:test:accounts
3.Deploy the package using yarn deploy, Every time any change is made to package, it will need to be re-deployed before running tests
4.Run tests using yarn test

File Lines of Code
error.move 282
evaluator.move 320
events.move 56
exchange.move 933
funding_rate.move 164
library.move 199
margin_bank.move 460
margin_math.move 88
order.move 375
perpetual.move 774
position.move 264
roles.move 523
signed_number.move 174
test.move 98
test_coin.move 28
vaults.move 124
isolated_adl.move 292
isolated_liquidation.move 427
isolated_trading.move 456
error_pyth.move 5
event.move 27
i64.move 115
price.move 40
price_feed.move 41
price_identifier.move 17
price_info.move 241
pyth.move 43
bluefin_vault.move 502
constants.move 38
distributor.move 202
errors.move 67
events.move 196
maths.move 12
roles.move 160
signed_number.move 50
Total Lines of Code 7793
  • 40% for critical issues
  • 30% for high issues
  • 15% for medium issues
  • 5% gas optimization issues, best practices
    Read more: https://docs.hackenproof.com/