Ethos

Reward Amounts

Critical

  • $150000 maximum payout

  • Payout shall not exceed 10% of funds at risk at time of submission

Severity Criteria

Critical Definition

  • Definite and significant loss of funds without limitations of external conditions
  • Definite and significant freezing of funds for >1 year without limitations of external conditions

General Notes

  • Sherlock’s Criteria for Issue Validity guide (used in Sherlock audit contests) can be a helpful resource for more context on out-of-scope issues, etc., but nothing in the guide should overrule the definitions above
  • A coded Proof of Concept (POC) with instructions to run the POC is required
  • If the protocol team has the ability to take measures (upgrade the contract, pause the contract, etc.) against an exploit, the potential damage is limited to a 1-hour exploit period before it is assumed that the protocol team takes measures to prevent further damage
  • Only the first occurrence of a repeatable attack will be eligible for a payout. This rule applies regardless of the smart contract's upgradability, pausable state, or ability to be terminated.

Platform Rules

Please review the Sherlock Bug Bounty Platform Rules before submitting any vulnerability.

Previous Audits

Additional Context

Chains in scope

  • Base

Expected tokens

  • We are not integrating ANY tokens. We will only be handling native Ethereum.

Trusted protocol roles

  • Protocol Owner is trusted.
  • Admin is trusted.
  • Graduate_Withdraw contracts will also be deployed and owned by Ethos and are trusted.

Protocol Invariants

Reputation Market:

  • Cannot remove all market configs (must keep at least 1)

  • Base price must be >= MINIMUM_BASE_PRICE (0.0001 ether)

  • Must maintain LMSR invariant (yes + no price sum to 1)

  • A user cannot sell more votes than they own

  • A graduated market cannot accept new trades or be recreated.

  • Total contract balance must be greater than or equal to all active (non-graduated) market funds

Offchain mechanisms and procedures

There are no off-chain mechanisms involved in the Reputation Market protocol. We do not use the information in Reputation Markets to impact Ethos credibility scores.

Protocol Resources

Max Rewards: 150,000 USDC

Status: LIVE

Live since: Jan 23, 2025, 7:26 PM

Last updated: Jan 23, 2025, 7:26 PM