Summary

The Wyvern Protocol is an open framework for the trustless exchange of digital assets. Using the Wyvern Protocol, you’ll be able to buy or sell any asset representable on the Ethereum blockchain, from virtual kittens to smart contracts, with zero counterparty risk. The Wyvern Exchange, the first frontend interfacing with the protocol, will be deployed on the Ethereum mainnet in about a week. Before we launch, we’d like to open up bug hunting to the community at large. We think our smart contracts are reasonably well architected — but perhaps you can catch something we missed, and we’ll pay handsomely if you do — up to $5000 USD worth of Ethereum or WYV tokens (at your option)!

Audit Scope

We’re deploying the Exchange in two stages. The first stage was the deployment of the WYV token (converted from an existing blockchain, not an ICO) and the Wyvern DAO. That has already been completed. This bounty program is just for the second stage: the deployment of the first version of the Wyvern Protocol (later upgradable by the Wyvern DAO) and the launch of the first frontend using the protocol, the Wyvern Exchange.

All relevant smart contracts are in the wyvern-ethereum Git repository. Any issues present in Git commit 060314 are valid submissions. Please see the detailed audit specification on Github. All smart contracts not listed in the audit specification (in particular, smart contracts relating to the WYV token and the Wyvern DAO, which have already been deployed) are not within the scope of this audit.

Bug Submission & Rewards

Bugs should be reported as issues to the wyvern-ethereum Git repository. Please make it clear that your issue is a submission to this bounty program. Bug submissions are subject to the following rules:

This bounty program will run from the publication of this post to Saturday, February 10th, 2018 at 06:00 UTC. No submissions after that date will be accepted.

Duplicate submissions are not allowed; only the first submission will be paid.

The Project Wyvern website or DApps are not part of this bounty program.

Project Wyvern team members are ineligible for bug bounty submissions.

In parallel with this public audit, Project Wyvern is running a closed audit through Solidified. If you have access to both platforms, you may submit a particular bug for consideration on only one. We will cross-post to avoid duplicates.

The value of the reward paid out will depend on severity, calculated according to the OWASP guidelines:

Rewards are denominated in USD and will be paid in Ether or WYV tokens, at your option, using fair exchange rates at the time of payment:

Critical: Up to $5000

High: Up to $1000

Medium: Up to $500

Low: Up to $100

Note: Up to $50

Examples of risk severity:

Critical: An arbitrary user being able to create and execute a valid order to sell an asset owned by another user’s proxy contract.

High: An order with particular properties being matchable twice.

Medium: Integer overflow / underflow bugs leading to incorrect order pricing.

Low / Note: Misleading or inconsistent documentation likely to lead to user confusion, non-negligible gas optimizations which do not change functionality.

Exact reward amounts are solely at the discretion of the Project Wyvern team; however:

We promise to respond within 24 hours to all bug submissions.

We promise to let you know whether your submission qualifies for a bounty or not within 24 hours of bug finalization (when you’ve answered any questions we had about the submission).

We promise to pay out all rewards within 72 hours of bug confirmation.

Happy hunting!

— The Project Wyvern Team