SuiDeX Audit Contest : Program info

Program Details

• Language: Sui Move
• Network: Sui Mainnet/Testnet
• Payment: USDC (rewards determined by severity and impact)

Key Risk Areas to Test

Critical/High Priority:

• Arithmetic Overflow in fixed_point_math.move
• Reentrancy in swap/farming operations
• Access Control bypass in admin functions
• Fund Loss scenarios in all contracts

Medium Priority:

• Reward Precision loss in farm calculations
• Epoch Management errors in token locker
• Fee Distribution miscalculations

Low Priority:

• Emergency Pause functionality
• Input validation edge cases
• Business logic inconsistencies

IN-SCOPE VULNERABILITIES

Critical

• Direct theft of any user funds (at-rest or in-motion) across any liquidity pair or supported Coin<T> type • Permanent freezing of user funds in pools, lockers, or farming contracts • Insolvency conditions where the protocol cannot fulfill user withdrawals • Theft or loss of claimable Victory rewards • Manipulation of the fee structure to redirect developer or LP rewards • Smart contract unable to operate due to lack of funds or broken state logic • Circumvention of access control modifiers (e.g., only_owner, only_admin, only_authority)

High

• Temporary freezing or locking of funds in liquidity and farm • Failure of reward distribution logic in Farms, VictoryLocker, or Router modules • Replay or reentrancy issues across trade, claim, and withdrawal flows • Price manipulation exploits impacting value returned from swaps, zaps, or LP removals • Gas griefing (e.g., unnecessary state growth, vec bloat, or overflow risks in per-user data) • Pool inflation or abuse of add_liquidity, or claim_and_lock functions

Medium

• Incorrect share calculations in LP tokens, staked positions, or reward weights • LP or staking position dilution under certain liquidity migration edge cases • Misuse of clock, timestamp, or outdated reference values in emissions or locking schedules • Math or logic errors in APR boost, reward decay, or locking mechanics

Low

• Unbounded gas usage (especially in claim_all and compound) • Missing checks that could result in unintended locking, burning, or reward denial • Logic bypass via invalid types, zero address abuse, or unchecked external calls • Architectural flaws, misnamed fields, or unsafe default behaviors

OU-OF-SCOPE VULNERABILITIES

These are explicitly excluded from reward eligibility under this audit competition: • Incorrect data supplied by third-party oracles (price or TWAP manipulation via upstream feeds) • Flash loan exploits that require unrealistic market conditions • Basic economic governance attacks (e.g., 51% vote control outside protocol logic) • Lack of protocol liquidity or low TVL-related UX failure • Sybil attacks • Centralization risk

Theoretical vulnerabilities without PoC (for Critical/High)

• Code style and gas optimization suggestions
• Sui framework vulnerabilities
• Frontend/UI issues
• MEV/front-running attacks (unless direct fund loss)
• Test files and documentation
• Already known issues documented in README
• Issues requiring extensive social engineering

The following activities are prohibited by this contest event:

• Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
• Any testing with pricing oracles or third party smart contracts
• Attempting phishing or other social engineering attacks against employees and/or customers
• Any denial of service attacks
• Public disclosure of an unpatched vulnerability in an embargoed bounty
• Make every effort not to damage or restrict the availability of products, services, or infrastructure
• Avoid compromising any personal data, interruption, or degradation of any service
• Localize all tests to your accounts
• Perform testing only within the scope
• In case you find chain vulnerabilities we’ll pay only for vulnerability with the highest severity.
• Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of SuiDeX Company without appropriate permission

Discussion

We use Discord as official communication channel: https://discord.gg/XMCGNkGmBD Join the channel, and create #support ticket to be added for conversation.

• Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
• No vulnerability disclosure, including partial is allowed for the moment.
• Please do NOT publish/discuss bugs

We are happy to thank everyone who submits valid reports which help us improve the security. However, only those that meet the following eligibility requirements may receive a monetary reward:

• The vulnerability must be a qualifying vulnerability
• Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com
• You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
• You must not be a former or current employee of us or one of its contractor.
• Provide detailed but to-the point reproduction steps