The STON.fi Bug Bounty program is focused around our smart contracts with a primary interest in the prevention of loss of user funds.
| Level of vulnerability | Amount |
|---|---|
| Critical | Up to 20.000 TON |
| High | 2.000 TON |
| Medium | 1.000 TON |
These rewards may be increased in the future.
Currently the scope of program only includes contracts v1.0.0, the same ones that are used by DEX in the mainnet. The scope might be extended with other versions in the future.
The contracts version may be updated in the future.
Only the following impacts are accepted within this Bug Bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.
| Type | Level |
|---|---|
| Direct theft of any user funds | Critical |
| Permanent freezing of funds | Critical |
| Protocol insolvency | Critical |
| Theft of unclaimed yield | High |
| Freeze ability of other users to trade | High |
| Temporary freezing of funds | High |
| Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol) | Medium |
The following activities are prohibited by this Bug Bounty program:
- Any testing with mainnet.
- Any testing with pricing oracles or third party Smart Contracts
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Automated testing of services that generates significant amounts of traffic
- Any denial of service attacks
All testing should be done on testnet. We specifically deployed smart contracts on the testnet.
Router address - EQBsGx9ArADUrREB34W-ghgsCgBShvfUr4Jvlu-0KGc33Rbt. Also you can see on tonscan.
And please see dex-core repo.
The following issues are excluded from the rewards for this Bug Bounty program:
- Lack of liquidity
- Best practice critiques
- Centralization risks
- Issues with information about user balances
- Cases with disguising one asset with another asset
- Issues with precision when providing liquidity: e.g. in certain case, if you provide liquidity and after that you directly burn it, you may receive a bit less of one jetton and a bit more of the other one
- Any kind of optimization/logic improvements/coding style improvements
- Wrong opcode in onchain getter call getter_lp_account_address (in 1.0.0 version)
- Issues related to lp jetton wallets
- Issues related to contract deletion caused by inability to pay rent
- Issues related to gas optimisation
- Issues related to loss of funds caused by price slippage: frontrunning, backrunning, sandwich attacks, etc.
- Possible loss of funds when attempting to perform a swap in non-initialized pool (before successful provideLP)
Experts involved in the evaluation of the reports:
- Vyacheslav Baranov (STON.fi team)
- Dario Tarantini (STON.fi team)
- Narek Abovyan (Head of TonTech)
- krigga (TonTech developer)
All bug reports must include a Proof of Concept demonstrating how the vulnerability can be exploited to be eligible for a reward. This may be a Smart Contract itself or a transaction. Only the reports that meet the requirements will be considered by the experts.
Please send reports to security@ston.fi
By submitting a vulnerability report you indicate your agreement to the Terms of participation.