Bluefin Dex Contracts: Program Info

Bluefin is a decentralized spot and derivatives exchange on Sui.

In scope

Target	Type	Severity
https://github.com/hackenproof-public/bluefin-dex-contracts-v3 Copy Copied Out of Scope: * Anything outside the sources folder * test_coin.move file in the sources folder * deleverage() function inside exchange.move Please contact our support team in Discord to get access to scope.	Smart Contract	Critical

Target

https://github.com/hackenproof-public/bluefin-dex-contracts-v3

Copied

Out of Scope: * Anything outside the sources folder * test_coin.move file in the sources folder * deleverage() function inside exchange.move Please contact our support team in Discord to get access to scope.

TypeSmart Contract

Severity

Critical

Focus Area

IN SCOPE VULNERABILITIES: Smart Contracts

We are looking for evidence and reasons for incorrect behavior of the smart contract, which could cause unintended functionality:

Stealing or loss of funds
Unauthorized transaction
Transaction manipulation
Attacks on logic (behavior of the code is different from the business description)
Reentrancy
Reordering
Over and underflows

OUT OF SCOPE VULNERABILITIES: Smart Contracts

Theoretical vulnerabilities without any proof or demonstration
Old compiler version
The compiler version is not locked
Vulnerabilities in imported contracts
Code style guide violations
Redundant code
Gas optimizations
Best practice issues
Vulnerabilities that can be exploited through front-run attacks only
Multiple assets are not supported yet

Please note: Minor or theoretical loss vectors — such as small rounding errors — do not qualify as critical, even if they technically result in direct fund movement. This definition is consistent with HackenProof’s Smart Contract Vulnerability Classification, and final decisions on severity will be made in collaboration with the project team.

Program Rules

Avoid using web application scanners for automatic vulnerability searching which generates massive traffic
Make every effort not to damage or restrict the availability of products, services, or infrastructure
Avoid compromising any personal data, interruption, or degradation of any service
Don’t access or modify other user data, localize all tests to your accounts
Perform testing only within the scope
Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam
Don’t spam forms or account creation flows using automated scanners
In case you find chain vulnerabilities we’ll pay only for vulnerability with the highest severity.
Don’t break any law and stay in the defined scope
Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission For more information, check: https://learn.bluefin.io/docs/

Disclosure Guidelines

Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
No vulnerability disclosure, including partial is allowed for the moment.
Please do NOT publish/discuss bugs

Eligibility and Coordinated Disclosure

We are happy to thank everyone who submits valid reports which help us improve the security. However, only those that meet the following eligibility requirements may receive a monetary reward:

You must be the first reporter of a vulnerability.
The vulnerability must be a qualifying vulnerability
Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com
You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
You must not be a former or current employee of us or one of its contractor.
ONLY USE the EMAIL under which you registered your HackenProof account (in case of violation, no bounty can be awarded)
Provide detailed but to-the point reproduction steps
AI-generated reports without runable PoC are not accepted under this program.

Setup Guide

📋 Prerequisites

Before starting, ensure you have the following installed on your system:

Requirement	Version	Installation Link
Git	Latest	git-scm.com
Node.js	v18.x or v20.x	nodejs.org
Yarn	Latest	yarnpkg.com
Rust	Latest (for Sui CLI)	rustup.rs

🚀 Quick Start

Step 1: Install Sui CLI

Choose the installation method that works best for your platform:

macOS (Recommended)

brew install sui

All Platforms (via Cargo)

cargo install --locked --git https://github.com/MystenLabs/sui.git --branch devnet sui

Verify Installation

sui --version
# Expected output: sui 1.x.x

Step 2: Clone Repositories

Set up your project workspace:

# Create and enter project directory
mkdir bluefin-dex-v3-workspace
cd bluefin-dex-v3-workspace

# Clone all required repositories
git clone https://github.com/hackenproof-public/bluefin-dex-contracts-v3.git
git clone https://github.com/hackenproof-public/library-sui.git
git clone https://github.com/hackenproof-public/pro-tests.git

# Navigate to main project
cd bluefin-dex-contracts-v3

Expected Directory Structure:

bluefin-dex-v3-workspace/
├── bluefin-dex-contracts-v3/    # 📁 Main contracts project
├── library-sui/                 # 📁 Sui TypeScript SDK
└── pro-tests/                   # 📁 Extended test suite

Step 3: Link Dependencies

Create symbolic links to connect dependencies:

# From inside bluefin-dex-contracts-v3/
ln -sf ../library-sui ./library-sui
ln -sf ../pro-tests ./pro-tests

Step 4: Install Dependencies

Install all Node.js packages:

# Install main project dependencies
yarn install

# Install library-sui dependencies
cd library-sui && yarn install && cd ..

💡 **Node.js Version Issues? **If you encounter compatibility errors, switch to Node.js 20:

nvm install 20 && nvm use 20

Step 5: Configure Sui Client

Initialize Sui for devnet development:

sui client

Configuration Prompts:

Config file doesn't exist, do you want to connect to a Sui Full node server [y/N]? → y
Sui Full node server URL → https://fullnode.devnet.sui.io:443
Environment alias for devnet Full node server → devnet
Select key scheme to generate keypair (0 for ed25519, 1 for secp256k1, 2 for secp256r1) → 0 🔐 Important: Save the generated Secret Recovery Phrase securely - you'll need it in the next step.

Step 6: Get Devnet Tokens

Request SUI tokens for testing:

sui client faucet

Verify you received tokens:

sui client gas
# You should see ~10 SUI tokens

Step 7: Configure Environment

Create your .env file:

cat > .env << 'EOF'
DEPLOY_ON=devnet
DEPLOYER_PHRASE=your_12_word_recovery_phrase_here
WALLET_SCHEME=ED25519
EOF

⚠️ Replace your_12_word_recovery_phrase_here with the actual recovery phrase from Step 5.

Step 8: Build Components

Build the project components in order:

# Build library-sui SDK first
cd library-sui && yarn build && cd ..

# Build smart contracts
yarn build

Step 9: Deploy to Devnet

Deploy contracts and run setup:

# Deploy contracts
yarn deploy

# Execute genesis transaction
yarn genesis

# Setup test environment
yarn setup:tests

💰 Low on SUI? Request more tokens: sui client faucet

Step 10: Run Tests

Execute the test suite:

yarn test

Expected Output:

  Test Executor
    ✓ Scenario 10-a: Tests a previous reversion when match price and oracle price are wide.

  1 passing (11s)

Bluefin Dex Contracts: Program info