From 4a5a0c8c781ca18a406aa87c4a007a29ec972ac4 Mon Sep 17 00:00:00 2001 From: Amir Bandeali Date: Wed, 5 Sep 2018 11:37:37 -0700 Subject: Update README with directory structure and bug bounty --- packages/contracts/README.md | 72 ++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 66 insertions(+), 6 deletions(-) (limited to 'packages') diff --git a/packages/contracts/README.md b/packages/contracts/README.md index 2e6376f39..92de880a6 100644 --- a/packages/contracts/README.md +++ b/packages/contracts/README.md 
@@ -1,14 +1,74 @@ ## Contracts -Smart contracts that implement the 0x protocol. +Smart contracts that implement the 0x protocol. Addresses of the deployed contracts can be found [here](https://0xproject.com/wiki#Deployed-Addresses). ## Usage -* [Docs](https://0xproject.com/docs/contracts) -* [Overview of 0x protocol architecture](https://0xproject.com/wiki#Architecture) -* [0x smart contract interactions](https://0xproject.com/wiki#Contract-Interactions) -* [Deployed smart contract addresses](https://0xproject.com/wiki#Deployed-Addresses) -* [0x protocol message format](https://0xproject.com/wiki#Message-Format) +### 2.0.0 + +Contracts that make up and interact with version 2.0.0 of the protocol can be found in the `src/2.0.0` directory. The contents of this directory are broken down into the following subdirectories: + +* protocol + * This directory contains the contracts that make up version 2.0.0. A full specification can be found [here](https://github.com/0xProject/0x-protocol-specification/blob/master/v2/v2-specification.md). +* extensions + * This directory contains contracts that interact with the 2.0.0 contracts and will be used in production, such as the [Forwarder](https://github.com/0xProject/0x-protocol-specification/blob/master/v2/forwarder-specification.md) contract. +* examples + * This directory contains example implementations of contracts that interact with the protocol but are _not_ intended for use in production. Examples include [filter](https://github.com/0xProject/0x-protocol-specification/blob/master/v2/v2-specification.md#filter-contracts) contracts, a [Wallet](https://github.com/0xProject/0x-protocol-specification/blob/master/v2/v2-specification.md#wallet) contract, and a [Validator](https://github.com/0xProject/0x-protocol-specification/blob/master/v2/v2-specification.md#validator) contract, among others. 
+* tokens + * This directory contains implementations of different tokens and token standards, including [wETH](https://weth.io/), ZRX, [ERC20](https://github.com/ethereum/EIPs/blob/master/EIPS/eip-20.md), and [ERC721](https://github.com/ethereum/EIPs/blob/master/EIPS/eip-721.md). +* multisig + * This directory contains the [Gnosis MultiSigWallet](https://github.com/gnosis/MultiSigWallet) and a custom extension that adds a timelock to transactions within the MultiSigWallet. +* utils + * This directory contains libraries and utils that are shared across all of the other directories. +* test + * This directory contains mocks and other contracts that are used solely for testing contracts within the other directories. + +### 1.0.0 + +Contracts that make up version 1.0.0 of the protocol can be found in `src/1.0.0`. These contracts are considered deprecated and will have limited support going forward. + +## Bug bounty + +A bug bounty is live for 0x protocol 2.0.0. Submissions should be based off of the contracts as of commit [965d6098294beb22292090c461151274ee6f9a26](https://github.com/0xProject/0x-monorepo/tree/965d6098294beb22292090c461151274ee6f9a26/packages/contracts/src/2.0.0). + +### Rewards + +The severity of reported vulnerabilities will be graded according to the [CVSS](https://www.first.org/cvss/) (Common Vulnerability Scoring Standard). The following table will serve as a guideline for reward decisions: + +| Critical (CVSS 9.0 - 10.0) | High (CVSS 7.0 - 8.9) | Medium (CVSS 4.0 - 6.9) | Low (CVSS 0.0 - 3.9) | +| -------------------------- | --------------------- | ----------------------- | -------------------- | +| $10,000 - $100,000 | $2,500 - $10,000 | $1,000 - $2,500 | $0 - $1,000 | + +Please note that any rewards will ultimately be awarded at the discretion of ZeroEx Intl. All rewards will be paid out in ZRX. 
+ +### Areas of interest + +The following are examples of types of vulnerabilities that are of interest: + +* Loss of assets + * A user loses assets in a way that they did not explicitly authorize (e.g an account is able to gain access to an AssetProxy and drain user funds). + * A user authorized a transaction or trade but spends more assets than normally expected (e.g an order is allowed to be over-filled). +* Unintended contract state + * A user is able to update the state of a contract such that it is no longer useable (e.g permanently lock a mutex). + * Any assets get unexpectedly "stuck" in a contract with regular use of the contract's public methods. +* Bypassing time locks + * The `AssetProxyOwner` is allowed to bypass the timelock for transactions where it is not explicitly allowed to do so. + * A user is allowed to bypass the `AssetProxyOwner`. + +### Scope + +The contracts found in the following directories are considered within scope of this bug bounty: + +* `src/2.0.0/protocol` +* `src/2.0.0/utils` +* `src/2.0.0/multisig/MultiSigWalletWithTimeLock` +* `src/2.0.0/extensions/Forwarder` + +Please note that any bugs already reported are considered out of scope (security audits to be released). + +### Disclosures + +Please e-mail all submissions to team@0xProject.com with the subject "BUG BOUNTY". Your submission should include any steps required to reproduce or exploit the vulnerability. Please allow time for the vulnerability to be fixed before discussing any findings publicly. After receiving a submission, we will contact you with expected timelines for a fix to be implemented. ## Contributing -- cgit v1.2.3
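Review bot: In the "Rewards" paragraph, CVSS is expanded as "Common Vulnerability Scoring Standard"; the acronym stands for "Common Vulnerability Scoring System", so the line should read `The severity of reported vulnerabilities will be graded according to the [CVSS](https://www.first.org/cvss/) (Common Vulnerability Scoring System).` Two smaller points in the same hunk: the "Disclosures" section asks researchers to e-mail reproduction and exploit steps to team@0xProject.com but gives no PGP key or other encrypted channel, so consider publishing a key fingerprint alongside the address; and the "Scope" sentence `Please note that any bugs already reported are considered out of scope (security audits to be released).` leaves submitters unable to tell which findings are already known, so link the audit reports once they are published (or list the known issues) so the exclusion is checkable. Minor style: "e.g" in the "Areas of interest" bullets should be "e.g.".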