From 15784ecd2be97d17c50f297b7b589f71ad4145f0 Mon Sep 17 00:00:00 2001
From: silas <95582913+silas-x@users.noreply.github.com>
Date: Wed, 4 Jan 2023 18:13:29 +0000
Subject: [PATCH] add security policy and on-chain metadata (#361)

* add security-txt macro
* minor fmt fix
---
 Cargo.lock | 19 +++++++++++++++++++
 SECURITY.md | 31 +++++++++++++++++++++++++++++++
 programs/mango-v4/Cargo.toml | 2 ++
 programs/mango-v4/src/lib.rs | 14 ++++++++++++++
 4 files changed, 66 insertions(+)
 create mode 100644 SECURITY.md

diff --git a/Cargo.lock b/Cargo.lock
index 5edfe6dc8..377c7f76a 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1452,6 +1452,17 @@ version = "2.3.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "23d8666cb01533c39dde32bcbab8e227b4ed6679b2c925eba05feabea39508fb"

+[[package]]
+name = "default-env"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f753eb82d29277e79efc625e84aecacfd4851ee50e05a8573a4740239a77bfd3"
+dependencies = [
+ "proc-macro2 0.4.30",
+ "quote 0.6.13",
+ "syn 0.15.44",
+]
+
 [[package]]
 name = "der"
 version = "0.5.1"
@@ -3121,6 +3132,7 @@ dependencies = [
 "borsh",
 "bytemuck",
 "checked_math",
+ "default-env",
 "derivative",
 "env_logger 0.9.3",
 "fixed",
@@ -3139,6 +3151,7 @@ dependencies = [
 "solana-program",
 "solana-program-test",
 "solana-sdk",
+ "solana-security-txt",
 "spl-associated-token-account",
 "spl-token",
 "static_assertions",
@@ -6214,6 +6227,12 @@ dependencies = [
 "syn 1.0.105",
 ]

+[[package]]
+name = "solana-security-txt"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7e0461f3afb29d8591300b3dd09b5472b3772d65688a2826ad960b8c0d5fa605"
+
 [[package]]
 name = "solana-send-transaction-service"
 version = "1.14.10"
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 000000000..7d1b8a132
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,31 @@
+# Important Notice
+Please **DO NOT** create a GitHub issue to report a security problem. Instead, please send an email to hello@blockworks.foundation with a detailed description of the attack vector and security risk you have identified.
+
+# Bug Bounty Overview
+Mango Markets offers bug bounties for Mango Markets' on-chain program code; UI only bugs are omitted.
+
+|Severity|Description|Bug Bounty|
+|-----------|--------------|-------------|
+|Critical|Bugs that freeze user funds or drain the contract's holdings or involve theft of funds without user signatures|10% of the value of the hack up to $1,000,000|
+|High|Bugs that could temporarily freeze user funds or incorrectly assign value to user funds|$10,000 to $50,000 per bug, assessed on a case by case basis|
+|Medium/Low|Bugs that don't threaten user funds|$1,000 to $5,000 per bug, assessed on a case by case basis|
+
+The severity guidelines are based on [Immunefi's classification system](https://immunefi.com/severity-updated/).
+Note that these are simply guidelines for the severity of the bugs. Each bug bounty submission will be evaluated on a case-by-case basis.
+
+## Submission
+Please email hello@blockworks.foundation with a detailed description of the attack vector. For critical and moderate bugs, we require a proof of concept done on a privately deployed mainnet contract. We will reach out in 1 business day with additional questions or next steps on the bug bounty.
+
+## Bug Bounty Payment
+Bug bounties will be paid in USDC or locked MNGO, after a DAO vote. The Mango DAO has never refused a valid bug bounty so far.
+
+## Invalid Bug Bounties
+The following are out of scope for the bug bounty:
+1. Attacks that the reporter has already exploited themselves, leading to damage.
+2. Attacks requiring access to leaked keys/credentials.
+3. Attacks requiring access to privileged addresses (governance, admin).
+4. Incorrect data supplied by third party oracles (this does not exclude oracle manipulation/flash loan attacks).
+5. Lack of liquidity.
+6. Third party, off-chain bot errors (for instance bugs with an arbitrage bot running on the smart contracts).
+7. Best practice critiques.
+8. Sybil attacks.
\ No newline at end of file
diff --git a/programs/mango-v4/Cargo.toml b/programs/mango-v4/Cargo.toml
index 5dccb6fc0..afe893f93 100644
--- a/programs/mango-v4/Cargo.toml
+++ b/programs/mango-v4/Cargo.toml
@@ -28,6 +28,7 @@ bincode = "1.3.3"
 borsh = { version = "0.9.3", features = ["const-generics"] }
 bytemuck = { version = "^1.7.2", features = ["min_const_generics"] }
 checked_math = { path = "../../lib/checked_math" }
+default-env = "0.1.1"
 derivative = "2.2.0"
 fixed = { version = "=1.11.0", features = ["serde", "borsh"] } # todo: higher versions don't work
 fixed-macro = "^1.1.1"
@@ -38,6 +39,7 @@ serum_dex = { version = "0.5.6", git = "https://github.com/blockworks-foundation
 solana-address-lookup-table-program = "~1.14.9"
 solana-program = "~1.14.9"
 solana-sdk = { version = "~1.14.9", default-features = false, optional = true }
+solana-security-txt = "1.1.0"
 static_assertions = "1.1"
 switchboard-program = ">=0.2.0"
 switchboard-v2 = "0.1.17"
diff --git a/programs/mango-v4/src/lib.rs b/programs/mango-v4/src/lib.rs
index 1a359c5cd..ae22b0e86 100644
--- a/programs/mango-v4/src/lib.rs
+++ b/programs/mango-v4/src/lib.rs
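Review bot: The added `default-env = "0.1.1"` line brings a whole second proc-macro stack into the program's build — proc-macro2 0.4.30, quote 0.6.13 and syn 0.15.44 according to the Cargo.lock hunk in this same patch — just to turn two CI environment variables into string literals. For an on-chain program whose build is the artifact people verify, every extra build-time crate is supply-chain surface that has to be reviewed and kept current, and these are long-superseded major versions that will not see fixes. The same result is reachable without the crate: a `build.rs` that reads `GITHUB_SHA`/`GITHUB_REF_NAME` via `std::env::var(..).unwrap_or(..)`, prints `cargo:rustc-env=MANGO_SOURCE_REVISION=...` and `cargo:rerun-if-env-changed=GITHUB_SHA`, and lets lib.rs use `env!("MANGO_SOURCE_REVISION")`, which expands to a string literal just as `default_env!` does and so should be accepted by `security_txt!`. If the crate stays, a comment such as `# compile-time string defaults for GITHUB_SHA / GITHUB_REF_NAME used by security_txt! in lib.rs` next to the dependency would tell the next auditor why it is there.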
@@ -760,3 +760,17 @@ impl anchor_lang::Id for Mango {
 ID
 }
 }
+
+#[cfg(not(feature = "no-entrypoint"))]
+use {default_env::default_env, solana_security_txt::security_txt};
+#[cfg(not(feature = "no-entrypoint"))]
+security_txt! {
+ name: "Mango v4",
+ project_url: "https://mango.markets",
+ contacts: "email:hello@blockworks.foundation,link:https://docs.mango.markets/mango-markets/bug-bounty,discord:https://discord.gg/mangomarkets",
+ policy: "https://github.com/blockworks-foundation/mango-v4/blob/main/SECURITY.md",
+ preferred_languages: "en",
+ source_code: "https://github.com/blockworks-foundation/mango-v4",
+ source_revision: default_env!("GITHUB_SHA", "Unknown source revision"),
+ source_release: default_env!("GITHUB_REF_NAME", "Unknown source release")
+}
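Review bot: `source_revision` and `source_release` silently fall back to the literals `"Unknown source revision"` / `"Unknown source release"` whenever `GITHUB_SHA` and `GITHUB_REF_NAME` are unset, so any artifact built outside GitHub Actions — local release builds, and the reproducible builds third parties run to match the deployed program against this repository — carries on-chain metadata that identifies no source at all, which defeats the purpose of the record. Consider failing a release build when the variables are missing, or at least documenting the limitation above the macro: `// source_revision/source_release are only populated by CI builds (GITHUB_SHA / GITHUB_REF_NAME); builds made elsewhere embed the "Unknown ..." fallbacks.` Separately, `policy:` points at `blob/main/SECURITY.md`, a mutable reference, so the policy a reader finds later may not be the one in force when this build was deployed; a tag or commit URL would pin it. Note also that on a branch push `GITHUB_REF_NAME` is the branch name (e.g. `main`), not a release tag, so `source_release` is only meaningful for tag-triggered builds, and because `default_env!` reads the variable inside a proc macro, cargo is presumably not told to rebuild when it changes, so a warm build cache may keep a stale SHA — worth confirming before relying on the field.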