Announcing the first Gnosis Protocol Bug Bounty

Find the bugs, get rewarded. Earn up to $50,000 for every bug you report.

No actual bugs were harmed in the posting of this bounty.

Gnosis Protocol is a fully permissionless DEX (decentralized trading protocol) that enables a new mechanism called ring trades to maximize liquidity. Ring trades especially improve liquidity for illiquid or “long tail” tokens such as prediction market outcome tokens, by facilitating trades not normally possible on traditional trading protocols.

Gnosis Protocol has been through several phases of research, testing, and recently, a successful external audit.

Until now, we have not greatly publicized Gnosis Protocol, focusing instead on research and development of the smart contracts implementation. We are now approaching an initial public product launch, and we want to be sure as always to follow security best practices by opening a public bug bounty program for up to $50,000.

For some background information, consider reading this high-level summary, which also describes the motivation behind building the Gnosis Protocol. Our documentation for developers is in progress, but we hope to have it available in a few weeks.

Please refer to this documentation for the technical specification of the intended behavior.

Audit Report

The contracts have been carefully audited by smart contract security experts Nick Munoz-McDonald and Adam Kolář. The audit report can be found here.

Bug Bounty Program

We are happy to announce the bug bounty program for the Gnosis Protocol in preparation for its initial public launch. You can earn up to $50,000 for every bug you report.

The Rules

Many of the Ethereum Foundation’s bug bounty program rules are also applicable for the Gnosis Protocol bug bounty program:

Issues that have already been submitted by another user or are already known to the Gnosis team are not eligible for bounty rewards.

Public disclosure of a vulnerability makes it ineligible for a bounty.

The Gnosis core development team, employees, and all other people paid by Gnosis, directly or indirectly (including the external auditors), are not eligible for rewards.

The Gnosis Protocol bounty program considers a number of variables in determining rewards. Determinations of eligibility, score, and all terms related to an award are at the sole and final discretion of the Gnosis Protocol bug bounty panel.

The Scope

The scope of our bug bounty program includes core contracts related to release v0.2.0.

In scope:

The BatchExchange allows users to manage their orders (placing and cancelling orders). It supports the market matching mechanism by verifying and optimistically applying the current best settlement information for each batch auction.

The EpochTokenLocker has the task of managing all deposits, balance updates, and withdrawals for the protocol.

Examples of what’s in scope for the bug bounty include being able to:

Steal funds from other users or the trading protocol contracts

Freeze funds or render them inaccessible to their owners

Perform other users’ actions on their behalf

Submit invalid solutions

Submit valid but at least 1% inferior solutions (i.e., get a solution accepted when a better solution for the batch has already been submitted)

Add or trade tokens that are not ERC20 compliant

Extract fees from the protocol or prevent the successful solver from receiving the fees

Prevent the fee burning mechanism

Manipulate or change the fee amount or fee token

Meddle with the order settlement as proposed by a successful solution

Interfere with the batch auction cycle or the smart contracts’ mapping behavior

Out of scope:

Any files, modules, or libraries other than the ones linked to above

Migration methods

More efficient gas solutions

Any points listed as already known weaknesses in the Gnosis Protocol documentation

Any points listed in the audit report

Any points of “unfairness” (in a broadly defined sense) regarding the objective value defined for solvers’ optimization

Any issues relating to networks other than the Ethereum Mainnet

Intended behavior

Please refer to the documentation for an extensive overview of the intended behavior of the smart contracts.

Smart contract

The Gnosis Protocol smart contract is launched here on Ethereum Mainnet.

Compensation

Any bugs — they do not necessarily need to lead to a redeploy — will be considered for a bounty, but the severity of the threat will determine the reward. Below are the reward levels for each threat severity along with an example of such a threat.

High threat: up to $50,000

An identified attack that could steal funds or tokens, or lock users’ funds would be considered a high threat.

An identified attack that would interfere with the settlement of a valid solution, or change any of the parameters included in a valid solution.

An identified attack or user behavior that enables trades that should not be possible.

Likewise, a reported bug that, on its own, leads to a redeploy of the code will always be considered a high threat.

Medium threat: up to $10,000

An identified attack that interferes with the fee calculation, fee token, fee transfer, or burning of the fee token.

An identified attack that interferes with the batch auction cycle or the smart contracts’ mapping behavior.

Low threat: up to $2,000

An identified attack that allows fee avoidance on trades.

Adding non-ERC20 tokens.

We also consider any spamming behavior of the system a low threat.

All bounties will be paid in ETH.

Please note that the submission’s quality will factor into the level of compensation. A high-quality submission includes an explanation of how the bug can be reproduced, a failing test case, a valid scenario in which the bug can be exploited, and a fix that makes the test case pass. High-quality submissions may be awarded amounts higher than the amounts specified above.

Submission Process

Please email your submissions to: bounty@gnosis.io.

Don’t forget to include your ETH address, so that you may be rewarded. If more than one address is specified, only one will be used at the discretion of the bounty program administrators. Anonymous submissions are welcome, too.

Please consult our Privacy Policy for further details on how we handle submissions.

Responsible Disclosure Policy

If you comply with the policies below when reporting a security issue to us, we will not initiate a lawsuit or law enforcement investigation against you in response to your report.

We ask that:

You give us reasonable time to investigate and mitigate an issue you report before making public any information about the report or sharing such information with others.

You make a good faith effort to avoid privacy violations and disruptions to others, including (but not limited to) destruction of data and interruption or degradation of our services.

You do not exploit a security issue you discover for any reason. This includes demonstrating additional risk, such as an attempted compromise of sensitive company data or probing for additional issues.

You do not violate any other applicable laws or regulations.

Any questions? Reach us via email (bounty@gnosis.io).

Happy hunting!

🔔 To get future updates, make sure to follow Gnosis on Twitter.