Bug bounty
Triaged by Hackenproof

STON.fi DEX Smart Contracts v2

Company: STON.fi
KYC required. POC required.
This program is active now

STON.fi is a decentralized automated market maker (AMM) built on the TON blockchain providing virtually zero fees, low slippage, an extremely easy interface, and direct integration with TON wallets.

In scope

Target (Type, Severity, Reward):

  • LP Account (Smart Contract, Critical, Bounty): https://github.com/ston-fi/dex-core-v2/blob/main/contracts/lp_account.fc
  • LP Wallet (Smart Contract, Critical, Bounty): https://github.com/ston-fi/dex-core-v2/blob/main/contracts/lp_wallet.fc
  • Pool (Smart Contract, Critical, Bounty): https://github.com/ston-fi/dex-core-v2/blob/main/contracts/pool.fc
  • Router (Smart Contract, Critical, Bounty): https://github.com/ston-fi/dex-core-v2/blob/main/contracts/router.fc
  • Vault (Smart Contract, Critical, Bounty): https://github.com/ston-fi/dex-core-v2/blob/main/contracts/vault.fc

Focus Area

IN SCOPE VULNERABILITIES (Smart Contracts)

Currently the scope of the program only includes contracts v2.2.0, the same ones that are used by the DEX on mainnet. The scope might be extended to other versions in the future.

Only the following impacts are accepted within this Bug Bounty program. All other impacts are considered out of scope, even if they affect an asset listed in the in-scope table.

Critical

  • Direct theft of any user funds
  • Permanent freezing of funds
  • Protocol insolvency

High

  • Theft of unclaimed yield
  • Freezing other users' ability to trade
  • Temporary freezing of funds

Medium

  • Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)

OUT OF SCOPE VULNERABILITIES (Smart Contracts)

The following issues are excluded from the rewards for this Bug Bounty program:

  • Lack of liquidity
  • Best practice critiques
  • Centralization risks
  • Issues with information about user balances
  • Cases of disguising one asset as another asset
  • Any kind of optimization/logic improvements/coding style improvements
  • Issues related to LP jetton wallets
  • Issues related to contract deletion caused by inability to pay rent
  • Issues related to gas optimisation
  • Issues related to loss of funds caused by price slippage: frontrunning, backrunning, sandwich attacks, etc.

Program Rules

The following activities are prohibited by this Bug Bounty program:

  • Any testing with mainnet.
  • Any testing with pricing oracles or third party Smart Contracts.
  • Attempting phishing or other social engineering attacks against our employees and/or customers.
  • Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks).
  • Automated testing of services that generates significant amounts of traffic.
  • Any denial of service attacks.
  • All testing should be done on testnet. We have deployed the smart contracts on testnet specifically for this purpose.

Router address (testnet): kQAFpeGFJQA9KqiCxXZ8J4l__vSYAxFSirSOvPHn6SSX4ztn. It can also be viewed on tonscan.

See also the dex-core repo.

Disclosure Guidelines

  • Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
  • No vulnerability disclosure, including partial disclosure, is allowed at the moment.
  • Please do NOT publish/discuss bugs.

Eligibility and Coordinated Disclosure

We are happy to thank everyone who submits valid reports which help us improve the security. However, only those that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability.
  • Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com.
  • You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
  • You must not be a former or current employee of STON.fi or one of its contractors.
  • ONLY USE the EMAIL under which you registered your HackenProof account (in case of violation, no bounty can be awarded).
  • Provide detailed but to-the-point reproduction steps.

Rewards

Range of bounty: $5,000 - $100,000

  • Critical: $100,000
  • High: $20,000
  • Medium: $5,000
  • Low: $0

Stats

  • Scope Review: 321
  • Submissions: 2
  • Total rewards: $0

Types: smart contract
Languages: FunC
Project types: DEX

SLA (Service Level Agreement)

Time within which the program's triage team must respond (business days):

  • First Response: 3d
  • Triage Time: 3d
  • Reward Time: 3d
  • Resolution Time: 14d