add security policy and on-chain metadata (#361)
* add security-txt macro * minor fmt fix
This commit is contained in:
parent
5019864b84
commit
15784ecd2b
|
@ -1452,6 +1452,17 @@ version = "2.3.3"
|
||||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||||
checksum = "23d8666cb01533c39dde32bcbab8e227b4ed6679b2c925eba05feabea39508fb"
|
checksum = "23d8666cb01533c39dde32bcbab8e227b4ed6679b2c925eba05feabea39508fb"
|
||||||
|
|
||||||
|
[[package]]
|
||||||
|
name = "default-env"
|
||||||
|
version = "0.1.1"
|
||||||
|
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||||
|
checksum = "f753eb82d29277e79efc625e84aecacfd4851ee50e05a8573a4740239a77bfd3"
|
||||||
|
dependencies = [
|
||||||
|
"proc-macro2 0.4.30",
|
||||||
|
"quote 0.6.13",
|
||||||
|
"syn 0.15.44",
|
||||||
|
]
|
||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
name = "der"
|
name = "der"
|
||||||
version = "0.5.1"
|
version = "0.5.1"
|
||||||
|
@ -3121,6 +3132,7 @@ dependencies = [
|
||||||
"borsh",
|
"borsh",
|
||||||
"bytemuck",
|
"bytemuck",
|
||||||
"checked_math",
|
"checked_math",
|
||||||
|
"default-env",
|
||||||
"derivative",
|
"derivative",
|
||||||
"env_logger 0.9.3",
|
"env_logger 0.9.3",
|
||||||
"fixed",
|
"fixed",
|
||||||
|
@ -3139,6 +3151,7 @@ dependencies = [
|
||||||
"solana-program",
|
"solana-program",
|
||||||
"solana-program-test",
|
"solana-program-test",
|
||||||
"solana-sdk",
|
"solana-sdk",
|
||||||
|
"solana-security-txt",
|
||||||
"spl-associated-token-account",
|
"spl-associated-token-account",
|
||||||
"spl-token",
|
"spl-token",
|
||||||
"static_assertions",
|
"static_assertions",
|
||||||
|
@ -6214,6 +6227,12 @@ dependencies = [
|
||||||
"syn 1.0.105",
|
"syn 1.0.105",
|
||||||
]
|
]
|
||||||
|
|
||||||
|
[[package]]
|
||||||
|
name = "solana-security-txt"
|
||||||
|
version = "1.1.0"
|
||||||
|
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||||
|
checksum = "7e0461f3afb29d8591300b3dd09b5472b3772d65688a2826ad960b8c0d5fa605"
|
||||||
|
|
||||||
[[package]]
|
[[package]]
|
||||||
name = "solana-send-transaction-service"
|
name = "solana-send-transaction-service"
|
||||||
version = "1.14.10"
|
version = "1.14.10"
|
||||||
|
|
|
@ -0,0 +1,31 @@
|
||||||
|
# Important Notice
|
||||||
|
Please **DO NOT** create a GitHub issue to report a security problem. Instead, please send an email to hello@blockworks.foundation with a detailed description of the attack vector and security risk you have identified.
|
||||||
|
|
||||||
|
# Bug Bounty Overview
|
||||||
|
Mango Markets offers bug bounties for Mango Markets' on-chain program code; UI only bugs are omitted.
|
||||||
|
|
||||||
|
|Severity|Description|Bug Bounty|
|
||||||
|
|-----------|--------------|-------------|
|
||||||
|
|Critical|Bugs that freeze user funds or drain the contract's holdings or involve theft of funds without user signatures|10% of the value of the hack up to $1,000,000|
|
||||||
|
|High|Bugs that could temporarily freeze user funds or incorrectly assign value to user funds|$10,000 to $50,000 per bug, assessed on a case by case basis|
|
||||||
|
|Medium/Low|Bugs that don't threaten user funds|$1,000 to $5,000 per bug, assessed on a case by case basis|
|
||||||
|
|
||||||
|
The severity guidelines are based on [Immunefi's classification system](https://immunefi.com/severity-updated/).
|
||||||
|
Note that these are simply guidelines for the severity of the bugs. Each bug bounty submission will be evaluated on a case-by-case basis.
|
||||||
|
|
||||||
|
## Submission
|
||||||
|
Please email hello@blockworks.foundation with a detailed description of the attack vector. For critical and moderate bugs, we require a proof of concept done on a privately deployed mainnet contract. We will reach out in 1 business day with additional questions or next steps on the bug bounty.
|
||||||
|
|
||||||
|
## Bug Bounty Payment
|
||||||
|
Bug bounties will be paid in USDC or locked MNGO, after a DAO vote. The Mango DAO has never refused a valid bug bounty so far.
|
||||||
|
|
||||||
|
## Invalid Bug Bounties
|
||||||
|
The following are out of scope for the bug bounty:
|
||||||
|
1. Attacks that the reporter has already exploited themselves, leading to damage.
|
||||||
|
2. Attacks requiring access to leaked keys/credentials.
|
||||||
|
3. Attacks requiring access to privileged addresses (governance, admin).
|
||||||
|
4. Incorrect data supplied by third party oracles (this does not exclude oracle manipulation/flash loan attacks).
|
||||||
|
5. Lack of liquidity.
|
||||||
|
6. Third party, off-chain bot errors (for instance bugs with an arbitrage bot running on the smart contracts).
|
||||||
|
7. Best practice critiques.
|
||||||
|
8. Sybil attacks.
|
|
@ -28,6 +28,7 @@ bincode = "1.3.3"
|
||||||
borsh = { version = "0.9.3", features = ["const-generics"] }
|
borsh = { version = "0.9.3", features = ["const-generics"] }
|
||||||
bytemuck = { version = "^1.7.2", features = ["min_const_generics"] }
|
bytemuck = { version = "^1.7.2", features = ["min_const_generics"] }
|
||||||
checked_math = { path = "../../lib/checked_math" }
|
checked_math = { path = "../../lib/checked_math" }
|
||||||
|
default-env = "0.1.1"
|
||||||
derivative = "2.2.0"
|
derivative = "2.2.0"
|
||||||
fixed = { version = "=1.11.0", features = ["serde", "borsh"] } # todo: higher versions don't work
|
fixed = { version = "=1.11.0", features = ["serde", "borsh"] } # todo: higher versions don't work
|
||||||
fixed-macro = "^1.1.1"
|
fixed-macro = "^1.1.1"
|
||||||
|
@ -38,6 +39,7 @@ serum_dex = { version = "0.5.6", git = "https://github.com/blockworks-foundation
|
||||||
solana-address-lookup-table-program = "~1.14.9"
|
solana-address-lookup-table-program = "~1.14.9"
|
||||||
solana-program = "~1.14.9"
|
solana-program = "~1.14.9"
|
||||||
solana-sdk = { version = "~1.14.9", default-features = false, optional = true }
|
solana-sdk = { version = "~1.14.9", default-features = false, optional = true }
|
||||||
|
solana-security-txt = "1.1.0"
|
||||||
static_assertions = "1.1"
|
static_assertions = "1.1"
|
||||||
switchboard-program = ">=0.2.0"
|
switchboard-program = ">=0.2.0"
|
||||||
switchboard-v2 = "0.1.17"
|
switchboard-v2 = "0.1.17"
|
||||||
|
|
|
@ -760,3 +760,17 @@ impl anchor_lang::Id for Mango {
|
||||||
ID
|
ID
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[cfg(not(feature = "no-entrypoint"))]
|
||||||
|
use {default_env::default_env, solana_security_txt::security_txt};
|
||||||
|
#[cfg(not(feature = "no-entrypoint"))]
|
||||||
|
security_txt! {
|
||||||
|
name: "Mango v4",
|
||||||
|
project_url: "https://mango.markets",
|
||||||
|
contacts: "email:hello@blockworks.foundation,link:https://docs.mango.markets/mango-markets/bug-bounty,discord:https://discord.gg/mangomarkets",
|
||||||
|
policy: "https://github.com/blockworks-foundation/mango-v4/blob/main/SECURITY.md",
|
||||||
|
preferred_languages: "en",
|
||||||
|
source_code: "https://github.com/blockworks-foundation/mango-v4",
|
||||||
|
source_revision: default_env!("GITHUB_SHA", "Unknown source revision"),
|
||||||
|
source_release: default_env!("GITHUB_REF_NAME", "Unknown source release")
|
||||||
|
}
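Review bot: The `source_revision` and `source_release` fields fall back to placeholder strings whenever `GITHUB_SHA` or `GITHUB_REF_NAME` is unset at compile time, so a program built outside the GitHub workflow (for example a local build that is then deployed) ships an on-chain security.txt whose revision cannot be tied back to source, which is the one thing the field exists for. Consider making the release workflow fail when either variable is missing, or at least documenting above the macro that deployable artifacts must be produced by CI; note too that on `pull_request`-triggered runs `GITHUB_SHA` is the synthetic merge commit rather than a commit on `main`, if program builds happen there. A one-line comment explaining the `#[cfg(not(feature = "no-entrypoint"))]` gating would also help readers, e.g. `// Embedded only in the on-chain binary; dependents building with no-entrypoint skip it.` The `impl anchor_lang::Id for Mango` block whose closing braces open this hunk starts outside it.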
|
||||||
|
|