add security policy and on-chain metadata (#361)

* add security-txt macro * minor fmt fix
2023-01-04 18:13:29 +00:00 · 2023-01-04 18:13:29 +00:00 · 15784ecd2b
parent 5019864b84
commit 15784ecd2b
4 changed files with 66 additions and 0 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -1452,6 +1452,17 @@ version = "2.3.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "23d8666cb01533c39dde32bcbab8e227b4ed6679b2c925eba05feabea39508fb"

+[[package]]
+name = "default-env"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f753eb82d29277e79efc625e84aecacfd4851ee50e05a8573a4740239a77bfd3"
+dependencies = [
+ "proc-macro2 0.4.30",
+ "quote 0.6.13",
+ "syn 0.15.44",
+]
+
 [[package]]
 name = "der"
 version = "0.5.1"
@ -3121,6 +3132,7 @@ dependencies = [
 "borsh",
 "bytemuck",
 "checked_math",
+ "default-env",
 "derivative",
 "env_logger 0.9.3",
 "fixed",
@ -3139,6 +3151,7 @@ dependencies = [
 "solana-program",
 "solana-program-test",
 "solana-sdk",
+ "solana-security-txt",
 "spl-associated-token-account",
 "spl-token",
 "static_assertions",
@ -6214,6 +6227,12 @@ dependencies = [
 "syn 1.0.105",
 ]

+[[package]]
+name = "solana-security-txt"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7e0461f3afb29d8591300b3dd09b5472b3772d65688a2826ad960b8c0d5fa605"
+
 [[package]]
 name = "solana-send-transaction-service"
 version = "1.14.10"
--- a/SECURITY.md
+++ b/SECURITY.md
@ -0,0 +1,31 @@
+# Important Notice
+Please **DO NOT** create a GitHub issue to report a security problem. Instead, please send an email to hello@blockworks.foundation with a detailed description of the attack vector and security risk you have identified.
+
+# Bug Bounty Overview
+Mango Markets offers bug bounties for Mango Markets' on-chain program code; UI only bugs are omitted.
+
+|Severity|Description|Bug Bounty|
+|-----------|--------------|-------------|
+|Critical|Bugs that freeze user funds or drain the contract's holdings or involve theft of funds without user signatures|10% of the value of the hack up to $1,000,000|
+|High|Bugs that could temporarily freeze user funds or incorrectly assign value to user funds|$10,000 to $50,000 per bug, assessed on a case by case basis|
+|Medium/Low|Bugs that don't threaten user funds|$1,000 to $5,000 per bug, assessed on a case by case basis|
+
+The severity guidelines are based on [Immunefi's classification system](https://immunefi.com/severity-updated/). 
+Note that these are simply guidelines for the severity of the bugs. Each bug bounty submission will be evaluated on a case-by-case basis.
+
+## Submission
+Please email hello@blockworks.foundation with a detailed description of the attack vector. For critical and moderate bugs, we require a proof of concept done on a privately deployed mainnet contract. We will reach out in 1 business day with additional questions or next steps on the bug bounty.
+
+## Bug Bounty Payment
+Bug bounties will be paid in USDC or locked MNGO, after a DAO vote. The Mango DAO has never refused a valid bug bounty so far.
+
+## Invalid Bug Bounties
+The following are out of scope for the bug bounty:
+1. Attacks that the reporter has already exploited themselves, leading to damage.
+2. Attacks requiring access to leaked keys/credentials.
+3. Attacks requiring access to privileged addresses (governance, admin).
+4. Incorrect data supplied by third party oracles (this does not exclude oracle manipulation/flash loan attacks).
+5. Lack of liquidity.
+6. Third party, off-chain bot errors (for instance bugs with an arbitrage bot running on the smart contracts).
+7. Best practice critiques.
+8. Sybil attacks.
--- a/programs/mango-v4/Cargo.toml
+++ b/programs/mango-v4/Cargo.toml
@ -28,6 +28,7 @@ bincode = "1.3.3"
 borsh = { version = "0.9.3", features = ["const-generics"] }
 bytemuck = { version = "^1.7.2", features = ["min_const_generics"] }
 checked_math = { path = "../../lib/checked_math" }
+default-env = "0.1.1"
 derivative = "2.2.0"
 fixed = { version = "=1.11.0", features = ["serde", "borsh"] } # todo: higher versions don't work
 fixed-macro = "^1.1.1"
@ -38,6 +39,7 @@ serum_dex = { version = "0.5.6", git = "https://github.com/blockworks-foundation
 solana-address-lookup-table-program = "~1.14.9"
 solana-program = "~1.14.9"
 solana-sdk = { version = "~1.14.9", default-features = false, optional = true }
+solana-security-txt = "1.1.0"
 static_assertions = "1.1"
 switchboard-program = ">=0.2.0"
 switchboard-v2 = "0.1.17"
--- a/programs/mango-v4/src/lib.rs
+++ b/programs/mango-v4/src/lib.rs
@ -760,3 +760,17 @@ impl anchor_lang::Id for Mango {
        ID
    }
 }
+
+#[cfg(not(feature = "no-entrypoint"))]
+use {default_env::default_env, solana_security_txt::security_txt};
+#[cfg(not(feature = "no-entrypoint"))]
+security_txt! {
+    name: "Mango v4",
+    project_url: "https://mango.markets",
+    contacts: "email:hello@blockworks.foundation,link:https://docs.mango.markets/mango-markets/bug-bounty,discord:https://discord.gg/mangomarkets",
+    policy: "https://github.com/blockworks-foundation/mango-v4/blob/main/SECURITY.md",
+    preferred_languages: "en",
+    source_code: "https://github.com/blockworks-foundation/mango-v4",
+    source_revision: default_env!("GITHUB_SHA", "Unknown source revision"),
+    source_release: default_env!("GITHUB_REF_NAME", "Unknown source release")
+}