Bug Bounty

Bug Bounty Program

The bug bounty program is hosted on Immunefi.

All submissions must follow Immunefi and program rules.

Out-of-scope

In addition to Immunefi scope rules, the following are considered out-of-scope:

  • everything noted in this document set (e.g., Risks and Limitations)

  • everything noted in audit reports

  • everything noted in QA reports [link forthcoming]

  • user error; i.e., inadequate inputs or config, lack of mechanism understanding, etc. (see below)

Examples of out-of-scope "user error"

Onyx is designed for flexibility of different setups and administrative needs. The admin role is often tasked with ensuring fairness, avoiding denial-of-service (DoS) and similar ill effects, executing steps in order, and otherwise following manual processes to achieve desired results (e.g., Epochs).

Example: deposit and redeem handler DoS due to request cancelations

Some deposit and redeem handlers (e.g., ERC7540LikeDepositQueue and ERC7540LikeRedeemQueue) use a minRequestDuration, where a request is cancelable after minRequestDuration has elapsed.

As long as minRequestDuration is always set adequately (i.e., greater than the maximum time between batches), there will never be a cancelation DoS opportunity.
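The rule above, modelled as an added illustration (not Onyx's or Immunefi's code): a Python sketch of an ERC7540-style request queue in which a cancel window opens before settlement exactly when minRequestDuration is not greater than the longest gap between admin batches. The class and function names and the batch schedule are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional
# Constructed model of an ERC7540-style request queue (added illustration, not
# Onyx's own code). Requests settle in admin-run batches; a request becomes
# cancelable once min_request_duration seconds have elapsed since it was queued.

@dataclass
class Request:
    placed_at: int                      # timestamp at which the user queued it
    fulfilled_at: Optional[int] = None  # set by the admin batch that settled it

class RequestQueue:
    def __init__(self, min_request_duration: int) -> None:
        self.min_request_duration = min_request_duration
        self.requests: List[Request] = []

    def request(self, now: int) -> int:
        self.requests.append(Request(placed_at=now))
        return len(self.requests) - 1

    def is_cancelable(self, rid: int, now: int) -> bool:
        r = self.requests[rid]
        return r.fulfilled_at is None and now - r.placed_at >= self.min_request_duration

    def execute_batch(self, now: int) -> int:
        """Admin settles every pending request; returns how many were settled."""
        pending = [r for r in self.requests if r.fulfilled_at is None]
        for r in pending:
            r.fulfilled_at = now
        return len(pending)

def max_batch_gap(batch_times: List[int]) -> int:
    """Largest interval (seconds) between consecutive admin batch executions."""
    return max(b - a for a, b in zip(batch_times, batch_times[1:]))

def config_is_safe(min_request_duration: int, batch_times: List[int]) -> bool:
    """The documented rule: minRequestDuration must exceed the longest batch gap."""
    return min_request_duration > max_batch_gap(batch_times)

def worst_case_cancelable(min_request_duration: int, batch_times: List[int]) -> bool:
    """Worst case: a request queued right after a batch ran. True if it is already
    cancelable when the next batch executes (so that batch could miss it)."""
    queue = RequestQueue(min_request_duration)
    for prev, nxt in zip(batch_times, batch_times[1:]):
        rid = queue.request(now=prev)
        if queue.is_cancelable(rid, now=nxt):
            return True
        queue.execute_batch(now=nxt)
    return False
```

An admin can run config_is_safe against the planned batch schedule before setting minRequestDuration; worst_case_cancelable confirms the same answer by simulation.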

Example: deposit and redeem handler DoS due to small amounts that round to 0 shares

The admin has full control to omit requests whose amounts are considered too small.

Example: share price staleness/fairness/etc during deposit or redemption

The admin has full control over the price at which deposits and redemptions are executed, and it must be part of their process to validate that the currently set share price is adequate for any action according to their needs.

Example: failure to initialize contract

Contracts are always expected to be properly initialized, and all proxies are always deployed with their init data bundled into the same call.
