Reward Amounts

Critical

• $500,000 maximum payout
• $25,000 minimum payout
• Payout shall not exceed 10% of funds at risk at time of submission

Severity Criteria

Critical Definition

• Definite and significant loss of funds without limitations of external conditions
• Definite and significant freezing of funds for >1 year without limitations of external conditions

General Notes

• Sherlock’s Criteria for Issue Validity guide (used in Sherlock audit contests) can be a helpful resource for more context on out-of-scope issues, etc. but nothing in the guide should overrule the definitions above
• A coded Proof of Concept (POC) with instructions to run the POC is required
• If the protocol team has the ability to take measures (upgrade the contract, pause the contract, etc.) against an exploit, the potential damage is limited to a 1-hour exploit period before it is assumed that the protocol team takes measures to prevent further damage
• Only the first occurrence of a repeatable attack will be eligible for a payout. This rule applies regardless of the smart contract's upgradability, pausable state, or ability to be terminated.

Platform Rules

Please review the Sherlock Bug Bounty Platform Rules before submitting any vulnerability.

KYC Requirement

To receive a reward from this Bug Bounty, the provision of KYC is required. The following information is only required on confirmation of the validity of a submission:

• Name
• Government ID
• Country of Residence

Known Issues and Acceptable Risks

• Market coordinators can do many things within their markets which could adversely affect user funds within those markets. However, they should not be able to affect other markets
• Flywheel being down due to external downtime - sequencer downtime does not have special case handling. Perennial also does not provide grace periods for users to cure their positions when these systems do come back up.

Previous Audits

• Zellic
• https://audits.sherlock.xyz/contests/254
• https://audits.sherlock.xyz/contests/123
• https://audits.sherlock.xyz/contests/112
• https://audits.sherlock.xyz/contests/106
• https://audits.sherlock.xyz/contests/79

Additional Context

Chains in scope

• Arbitrum
• Base
• Other EVM L2s are eligible but only Optimism Chains and Arbitrum are currently supported for gas pricing

Expected tokens

• DSU
• USDC (Both USDC/USDC.e on Arbitrum, native USDC on other chains)

Trusted integrations

• DSU token
• Pyth network oracle (or other oracle providers)

Trusted protocol roles

• Protocol admin.
• Markets have Coordinators which can update parameters for that specific market - these coordinators have a large amount of flexibility within their own market but should not be able to adversely affect other markets or the overall protocol.

Offchain mechanisms and procedures

• There are keepers for oracle updates + settlements, liquidations, and order types

Protocol Resources

• Migration
• V2 Docs
• V2 Mechanism 1-pager