add security policy and on-chain metadata (#361)
* add security-txt macro * minor fmt fix
This commit is contained in:
parent
5019864b84
commit
15784ecd2b
|
@ -1452,6 +1452,17 @@ version = "2.3.3"
|
|||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "23d8666cb01533c39dde32bcbab8e227b4ed6679b2c925eba05feabea39508fb"
|
||||
|
||||
[[package]]
|
||||
name = "default-env"
|
||||
version = "0.1.1"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "f753eb82d29277e79efc625e84aecacfd4851ee50e05a8573a4740239a77bfd3"
|
||||
dependencies = [
|
||||
"proc-macro2 0.4.30",
|
||||
"quote 0.6.13",
|
||||
"syn 0.15.44",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "der"
|
||||
version = "0.5.1"
|
||||
|
@ -3121,6 +3132,7 @@ dependencies = [
|
|||
"borsh",
|
||||
"bytemuck",
|
||||
"checked_math",
|
||||
"default-env",
|
||||
"derivative",
|
||||
"env_logger 0.9.3",
|
||||
"fixed",
|
||||
|
@ -3139,6 +3151,7 @@ dependencies = [
|
|||
"solana-program",
|
||||
"solana-program-test",
|
||||
"solana-sdk",
|
||||
"solana-security-txt",
|
||||
"spl-associated-token-account",
|
||||
"spl-token",
|
||||
"static_assertions",
|
||||
|
@ -6214,6 +6227,12 @@ dependencies = [
|
|||
"syn 1.0.105",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "solana-security-txt"
|
||||
version = "1.1.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "7e0461f3afb29d8591300b3dd09b5472b3772d65688a2826ad960b8c0d5fa605"
|
||||
|
||||
[[package]]
|
||||
name = "solana-send-transaction-service"
|
||||
version = "1.14.10"
|
||||
|
|
|
@ -0,0 +1,31 @@
|
|||
# Important Notice
|
||||
Please **DO NOT** create a GitHub issue to report a security problem. Instead, please send an email to hello@blockworks.foundation with a detailed description of the attack vector and security risk you have identified.
|
||||
|
||||
# Bug Bounty Overview
|
||||
Mango Markets offers bug bounties for Mango Markets' on-chain program code; UI only bugs are omitted.
|
||||
|
||||
|Severity|Description|Bug Bounty|
|
||||
|-----------|--------------|-------------|
|
||||
|Critical|Bugs that freeze user funds or drain the contract's holdings or involve theft of funds without user signatures|10% of the value of the hack up to $1,000,000|
|
||||
|High|Bugs that could temporarily freeze user funds or incorrectly assign value to user funds|$10,000 to $50,000 per bug, assessed on a case by case basis|
|
||||
|Medium/Low|Bugs that don't threaten user funds|$1,000 to $5,000 per bug, assessed on a case by case basis|
|
||||
|
||||
The severity guidelines are based on [Immunefi's classification system](https://immunefi.com/severity-updated/).
|
||||
Note that these are simply guidelines for the severity of the bugs. Each bug bounty submission will be evaluated on a case-by-case basis.
|
||||
|
||||
## Submission
|
||||
Please email hello@blockworks.foundation with a detailed description of the attack vector. For critical and moderate bugs, we require a proof of concept done on a privately deployed mainnet contract. We will reach out in 1 business day with additional questions or next steps on the bug bounty.
|
||||
|
||||
## Bug Bounty Payment
|
||||
Bug bounties will be paid in USDC or locked MNGO, after a DAO vote. The Mango DAO has never refused a valid bug bounty so far.
|
||||
|
||||
## Invalid Bug Bounties
|
||||
The following are out of scope for the bug bounty:
|
||||
1. Attacks that the reporter has already exploited themselves, leading to damage.
|
||||
2. Attacks requiring access to leaked keys/credentials.
|
||||
3. Attacks requiring access to privileged addresses (governance, admin).
|
||||
4. Incorrect data supplied by third party oracles (this does not exclude oracle manipulation/flash loan attacks).
|
||||
5. Lack of liquidity.
|
||||
6. Third party, off-chain bot errors (for instance bugs with an arbitrage bot running on the smart contracts).
|
||||
7. Best practice critiques.
|
||||
8. Sybil attacks.
|
|
@ -28,6 +28,7 @@ bincode = "1.3.3"
|
|||
borsh = { version = "0.9.3", features = ["const-generics"] }
|
||||
bytemuck = { version = "^1.7.2", features = ["min_const_generics"] }
|
||||
checked_math = { path = "../../lib/checked_math" }
|
||||
default-env = "0.1.1"
|
||||
derivative = "2.2.0"
|
||||
fixed = { version = "=1.11.0", features = ["serde", "borsh"] } # todo: higher versions don't work
|
||||
fixed-macro = "^1.1.1"
|
||||
|
@ -38,6 +39,7 @@ serum_dex = { version = "0.5.6", git = "https://github.com/blockworks-foundation
|
|||
solana-address-lookup-table-program = "~1.14.9"
|
||||
solana-program = "~1.14.9"
|
||||
solana-sdk = { version = "~1.14.9", default-features = false, optional = true }
|
||||
solana-security-txt = "1.1.0"
|
||||
static_assertions = "1.1"
|
||||
switchboard-program = ">=0.2.0"
|
||||
switchboard-v2 = "0.1.17"
|
||||
|
|
|
@ -760,3 +760,17 @@ impl anchor_lang::Id for Mango {
|
|||
ID
|
||||
}
|
||||
}
|
||||
|
||||
#[cfg(not(feature = "no-entrypoint"))]
|
||||
use {default_env::default_env, solana_security_txt::security_txt};
|
||||
#[cfg(not(feature = "no-entrypoint"))]
|
||||
security_txt! {
|
||||
name: "Mango v4",
|
||||
project_url: "https://mango.markets",
|
||||
contacts: "email:hello@blockworks.foundation,link:https://docs.mango.markets/mango-markets/bug-bounty,discord:https://discord.gg/mangomarkets",
|
||||
policy: "https://github.com/blockworks-foundation/mango-v4/blob/main/SECURITY.md",
|
||||
preferred_languages: "en",
|
||||
source_code: "https://github.com/blockworks-foundation/mango-v4",
|
||||
source_revision: default_env!("GITHUB_SHA", "Unknown source revision"),
|
||||
source_release: default_env!("GITHUB_REF_NAME", "Unknown source release")
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue