Chronicle Labs / Chronicle Labs Bounty
Chronicle Protocol is a novel Oracle solution that has exclusively secured over $10B in assets for MakerDAO and its ecosystem since 2017. With a history of innovation, including the invention of the first Oracle on Ethereum, Chronicle Protocol continues to redefine Oracle networks. A blockchain-agnostic protocol, Chronicle overcomes the current limitations of transferring data on-chain by developing the first truly scalable, cost-efficient, decentralized, and verifiable Oracles, rewriting the rulebook on data transparency and accessibility.
Scribe's technical documentation at docs/ provides complete documentation of the technical decisions, external assumptions, internal invariants, as well as deployment and maintenance guides.
Smart Contracts in Scope
Scribe
chronicleprotocol/scribe/tree/v2
In scope:
- everything in src/
- special focus for us:
- Unauthorized auth access
- Unauthorized addition or removal of validator/feed
- Being able to report a malicious price update
- Constructing a non-challengeable, invalid opPoke
- No "special" EVM assumptions, i.e. EVM fragmentation is a big issue and we want Scribe to be deployable on L2s etc. without adjustments
Severity Definitions
Smart Contracts
Severity level | Impact: High | Impact: Medium
---|---|---
Likelihood: high | $50,000.00 | $30,000.00
Likelihood: medium | $30,000.00 | $10,000.00
Out of Scope (all repositories)
Known Issues
Known issues (Acknowledged/won't fix) from previous security reviews are considered out of scope.
- Find previous security reviews here
- Schnorr signature aggregation scheme is vulnerable to rogue-key attacks (described here)
- Schnorr signature aggregation scheme is vulnerable to private keys with a linear relationship (described here)
Specific Types of Issues
- Informational findings.
- Design choices related to protocol.
- Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to address(0).
- Rounding errors.
- Relatively high gas consumption.
Prohibited Actions
- Live testing on public chains, including public mainnet deployments and public testnet deployments.
- We recommend testing on local forks, for example using Foundry.
- Public disclosure of bugs without the consent of the protocol team.
- Conflict of Interest: any employee or contractor working with Chronicle Labs cannot participate in the Bug Bounty.
Summary
Status: Live
Total reward: $50,000 USDC
Start date: 1 May 2024 6:16pm (local time)