Help us find bugs on YOLO’s code and win $KNC

Overview

YOLO is about to go live on mainnet next month and we are starting a bug bounty program for the exchange smart contracts. In short, find bugs in YOLO smart contracts and win rewards.

Show me the code

The smart contracts are available here in bug_bounty branch. The smart contracts specification and security assumption is also available here.

Major bugs find will be rewarded up to total of $10,000 (in KNC). Higher rewards will be considered in case of very severe vulnerabilities.

Rules

Most of the rules on https://bounty.ethereum.org apply in our bounty program:

First come, first serve

Issues that have already been submitted by another user or are already known to the YOLO team are not eligible for bounty rewards

Public disclosure of a vulnerability makes it ineligible for a bounty

Paid auditor(s) of this code is(are) not eligible for rewards

Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of the YOLO team.

Scope

The scope of the smart contracts bug bounty is limited to files in the bug_bounty/contracts directory excluding Mock sub-directory. Moreover, the current scope of the bug bounty covers only bugs that either:

Put user funds at risk (excluding cpu and bandwidth stake); or Give unauthorized accounts (i.e., accounts that are neither admin nor account owner) the option to steal reserve funds.

We formally define lost of user funds as an exchange operation in which user received effective worse conversion rate than the one he or she specified. Rounding errors of only few token units are neglected for the purpose of this bug bounty.

Severity

For Bugs Related To User funds

Critical — Bugs that can cause user to loose funds which cannot be recovered by YOLO Network and/or YOLO reserve are of critical severity.

Bugs that can cause user to loose funds which cannot be recovered by YOLO Network and/or YOLO reserve are of critical severity. High — Bugs that cause user to lose funds under the assumption that reserve manager could be dishonest and even malicious are of high severity.

Bugs that cause user to lose funds under the assumption that reserve manager could be dishonest and even malicious are of high severity. Medium — Bugs that cause user to lose funds in an EOS to token (or vice versa) conversion in network contract, even under the assumption that network admin is malicious, are of medium severity. These do not include changing the network code, or using a non trusted token code.

Bugs that cause user to lose funds in an EOS to token (or vice versa) conversion in network contract, even under the assumption that network admin is malicious, are of medium severity. These do not include changing the network code, or using a non trusted token code. Low — Bugs that may cause lose of user funds due to any existing reputabletoken code are of low severity.

For Bugs Related to Reserve

Critical — Bugs that allow stealing unbounded amount of funds from reserve within a single transaction are of critical severity.

Bugs that allow stealing unbounded amount of funds from reserve within a single transaction are of critical severity. High — Bugs that allow stealing funds from reserve with an unauthorized account are of high severity.

Bugs that allow stealing funds from reserve with an unauthorized account are of high severity. Low — Bugs that allow network admin to steal reserve funds are currently of low severity.

Examples for bugs which are still not covered in the program are denial of service bugs which prevent YOLO Network or YOLO Reserve from providing an exchange service.

Compensation

The value of rewards will vary depending on Severity. The severity of a bug is determined according to the OWASP risk rating model based on Impact and Likelihood, as employed in the Ethereum bug bounty campaign:

Note: Up to $25 in KNC

Low: Up to $300 in KNC

Medium: Up to $1,000 in KNC

High: Up to $3,000 in KNC

Critical: Up to $10,000 in KNC.

The quality of submission will also affect the compensation. A high quality submission would consist of:

An explanation of how the bug can be reproduced

A failing test case

A fix that makes the test case pass.

High quality submissions may be awarded amounts higher than the amounts specified above.

We request that you please give us reasonable amount of time to reply to your inquiry, and that you do not exploit any vulnerability you discover.

Contact

Please direct your submissions to hello@yoloswap.com. We also welcome anonymous submissions.