DexLyn Smart Contract Audit Contest: Program info

In-Scope Vulnerabilities – Smart Contracts

We are seeking well-reasoned and demonstrable issues in the smart contract code that lead to unintended behavior, including but not limited to:

• Theft or loss of funds
• Unauthorized transactions
• Transaction tampering or manipulation
• Business logic violations (code behaves differently than described/intended)
• Reentrancy attacks
• Transaction reordering
• Integer overflows and underflows

Out-of-Scope Vulnerabilities – Smart Contracts

The following are not considered valid findings for the scope of this assessment:

• Hypothetical or unproven vulnerabilities
• Use of outdated compiler versions
• Missing compiler version lock
• Issues in imported contracts not maintained by the project
• Violations of coding style or formatting standards
• Redundant or unused code
• Gas inefficiencies
• General best practice deviations
• Vulnerabilities only exploitable via front-running
• Unit tests within the sources folder of DexlynClmm
• Tests Directory inside DexlynClmm
• Unit tests within the sources folder of IntegerMate
• acl.move file inside the sources folder of DexlynClmm

Note:

Minor or purely theoretical fund loss cases — such as those arising from negligible rounding errors — will not be treated as critical vulnerabilities, even if they technically result in value movement.

The following activities are prohibited by this contest event:

• Any testing with pricing oracles or third party smart contracts
• Attempting phishing or other social engineering attacks against employees and/or customers
• Any denial of service attacks
• Public disclosure of an unpatched vulnerability in an embargoed bounty
• Make every effort not to damage or restrict the availability of products, services, or infrastructure
• Avoid compromising any personal data, interruption, or degradation of any service
• Localize all tests to your accounts
• Perform testing only within the scope
• If multiple chain-level issues are discovered, only the most severe will be rewarded
• Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of DexLyn Company without appropriate permission
• Discussion

We use Discord as official communication channel: https://discord.gg/Adz252RRFr Join the channel, and create #support ticket to be added for conversation.

• Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
• Rewards may be reduced or disqualified if details are publicly shared prior to fix.
• No vulnerability disclosure, including partial is allowed for the moment.
• Please do NOT publish/discuss bugs

We may offer coordinated disclosure opportunities after vulnerabilities are remediated and upon mutual agreement.

We are happy to thank everyone who submits valid reports which help us improve the security. However, only those that meet the following eligibility requirements may receive a monetary reward:

• The vulnerability must be a qualifying vulnerability
• Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com
• You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
• You must not be a former or current employee of us or one of its contractor.
• ONLY USE the EMAIL under which you registered your HackenProof account (in case of violation, no bounty can be awarded)
• Provide detailed but to-the point reproduction steps
• AI-generated reports without runable PoC are not accepted under this program.

For duplicated reports:

1. The original report receives 70% of the reward.
2. A duplicate receives 30%.
3. If there are two duplicates, the 30% will be divided between them (so the split becomes 70%, 15%, 15%).