SEP-001 - Vault contract community audit and bug bounty

Hey guys,

The vault contract has passed our internal QA and has been published to our GitHub at the following repo:

We encourage everyone to try and break it as we have a community bug bounty program which can be reviewed here. :smiley:

Obviously our goal here is to prevent exploits and therefore asking our community to take part of

What to test?

  • Withdrawing of tokens
    • Without being the owner of the vault
    • Requesting the withdraw function with unavailable tokens
  • Setting owner of contract after it's already been set
  • Ensure release schedule is attached to proper curve and y_0, i, t parameters
  • Ensure balances are accurate after withdraw is called
  • Ensure setTkn address can only be called once by auth

Deployment Instructions:

If deploying using Remix, remove the hardhat import on line 9: import "hardhat/console.sol";
Once deployed, the deployer will have to set the token contract address to track using setTkn function (in this case SDEX) and then set the owner of the contract using the setOwner function. This owner will be able to withdraw tokens from the vault as time progresses.

You can deploy a mock-up SDEX token to deposit tokens into the vault using the SDEX.sol file in the repo.

Vault Contract deployed on AVAX fuji testnet:

Smart Contract Logic:

Enhancement Identifier: SEP-001

5 Likes
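As an added illustration (not code from the repo or from the poster above), the "what to test" list can be turned into an executable checklist. The Python below is a plain model of the behaviour the vault is expected to enforce: setTkn and setOwner callable once and only by the authorized deployer, withdraw restricted to the owner and bounded by what the release schedule has released so far, and balances consistent after a withdraw. The release curve is a placeholder (linear in t, rate i in basis points per time unit, y_0 the locked amount); the real curve and the exact meaning of y_0, i and t come from the repo, not from this model. All account names and amounts are constructed.

```python
"""Executable model of the SEP-001 vault test checklist (constructed example).

Not the project's Solidity contract: a Python stand-in that encodes the
invariants the bounty asks people to attack, so each checklist item is a
concrete assertion rather than a sentence.
"""

# Constructed account labels, not real addresses.
VAULT_ADDR, AUTH, OWNER, STRANGER = "vault", "deployer", "owner", "stranger"
BPS = 10_000  # basis points scale for the rate parameter 'i' (assumption)


class Revert(Exception):
    """Stands in for a Solidity revert."""


class MockToken:
    """Minimal ERC-20-like ledger standing in for the mock SDEX token."""

    def __init__(self):
        self.balances = {}

    def mint(self, to, amount):
        self.balances[to] = self.balances.get(to, 0) + amount

    def balance_of(self, addr):
        return self.balances.get(addr, 0)

    def transfer(self, sender, to, amount):
        if self.balance_of(sender) < amount:
            raise Revert("insufficient balance")
        self.balances[sender] -= amount
        self.mint(to, amount)


def linear_curve(y0, i, t):
    """Placeholder release curve (assumption): y0 * i * t / BPS, capped at y0.

    y0 = amount locked under the schedule, i = basis points released per
    time unit, t = elapsed time units. Swap in the curve the repo defines.
    """
    return min(y0, y0 * i * t // BPS)


class Vault:
    def __init__(self, auth, curve=linear_curve, rate=1_000):
        self.auth = auth      # the only account allowed to call setTkn/setOwner
        self.token = None
        self.owner = None
        self.curve, self.rate = curve, rate  # rate is the 'i' parameter
        self.y0 = 0           # amount locked under the schedule
        self.withdrawn = 0    # cumulative amount already paid to the owner

    def set_tkn(self, caller, token):
        if caller != self.auth:
            raise Revert("not authorized")
        if self.token is not None:
            raise Revert("token already set")   # one-shot setter
        self.token = token

    def set_owner(self, caller, owner):
        if caller != self.auth:
            raise Revert("not authorized")
        if self.owner is not None:
            raise Revert("owner already set")   # one-shot setter
        self.owner = owner

    def deposit(self, sender, amount):
        if self.token is None:
            raise Revert("token not set")
        self.token.transfer(sender, VAULT_ADDR, amount)
        self.y0 += amount

    def released(self, t):
        return self.curve(self.y0, self.rate, t)

    def available(self, t):
        # Released so far minus what has already left the vault.
        return self.released(t) - self.withdrawn

    def withdraw(self, caller, amount, t):
        if caller != self.owner:
            raise Revert("not owner")
        if amount > self.available(t):
            raise Revert("exceeds released amount")
        self.token.transfer(VAULT_ADDR, self.owner, amount)
        self.withdrawn += amount


def reverts(fn, *args):
    """True if calling fn(*args) reverts, False if it succeeds."""
    try:
        fn(*args)
    except Revert:
        return True
    return False


def run_checklist():
    """Exercise each item of the 'what to test' list; returns item -> passed."""
    token = MockToken()
    token.mint(AUTH, 1000)
    vault = Vault(AUTH)
    vault.set_tkn(AUTH, token)
    vault.set_owner(AUTH, OWNER)
    vault.deposit(AUTH, 1000)
    results = {
        "setTkn only once": reverts(vault.set_tkn, AUTH, MockToken()),
        "setTkn only by auth": reverts(Vault(AUTH).set_tkn, STRANGER, token),
        "setOwner only once": reverts(vault.set_owner, AUTH, STRANGER),
        "non-owner cannot withdraw": reverts(vault.withdraw, STRANGER, 1, 5),
        # t=5 releases 50% of 1000 under the placeholder curve, so 501 is unavailable
        "cannot withdraw unavailable tokens": reverts(vault.withdraw, OWNER, 501, 5),
        "release curve follows y0, i, t": vault.released(5) == 500 and vault.released(50) == 1000,
    }
    vault.withdraw(OWNER, 300, 5)
    results["balances accurate after withdraw"] = (
        token.balance_of(OWNER) == 300
        and token.balance_of(VAULT_ADDR) == 700
        and vault.available(5) == 200
    )
    return results


if __name__ == "__main__":
    for item, ok in run_checklist().items():
        print(f"{'PASS' if ok else 'FAIL'}  {item}")
```

Each key in the returned dict maps to one bullet in the list above, so a reviewer of the real contract can port the same cases to the project's Hardhat tests and compare outcomes against this model.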

Whoa the Vault smart contract is crazy logic!

1 Like

Yeah - It’s looking pretty good but I’m going to bust it wide open! I love bug bounties - Thanks @peter

Hi guys
The vault concept is excellent, reminds me of those ‘secretive’ Swiss bank accounts. In saying that, the level/s of security have to be paramount. Confirming the ‘owner’ in today's ‘hacker’ world would be 1st priority before accessibility to the owner's funds.
Thinking along the lines of a very tight Swiss bank, may I propose a 3 layer protection system whilst still following the algorithm as proposed.
Layer 1 - email verification code
Layer 2 - mobile/cell phone verification code
Layer 3 - private vault key code (system generated, similar to Google Authenticator)
If any layer fails, the system is locked and follows the flow chart.
Just some initial thoughts.

1 Like

Wish I knew how to audit code :joy:

This is a good suggestion, I took a look at the code and I wasn’t able to really find anything. I’ll keep trying to hack it though because I could use the star monies

Smart contract logic is pretty dynamic, I am a big fan of this. Don’t think I’ll attempt a bounty; doesn’t seem like there will be an opportunity to crack