Chronicle Labs Bounty
Chronicle Protocol is a novel Oracle solution that has exclusively secured over $10B in assets for MakerDAO and its ecosystem since 2017. With a history of innovation, including the invention of the first Oracle on Ethereum, Chronicle Protocol continues to redefine Oracle networks. A blockchain-agnostic protocol, Chronicle overcomes the current limitations of transferring data on-chain by developing the first truly scalable, cost-efficient, decentralized, and verifiable Oracles, rewriting the rulebook on data transparency and accessibility.
Scribe's technical documentation at docs/
provides complete documentation of the technical decisions, external assumptions, internal invariants, as well as deployment and maintenance guides.
Smart Contracts in Scope
Scribe
chronicleprotocol/scribe/tree/v2
In scope:
- everything in
src/
- special focus for us:
- Unauthorized auth access
- Unauthorized addition or removal of validator/feed
- Being able to report a malicious price update
- Constructing a non-challengeable, invalid opPoke
- No "special" evm assumptions, ie evm fragmentation is a big issue and we want Scribe to be deployable on L2s etc without adjustments
Severity Definitions
Severity level | Impact: High | Impact: Medium | Impact: Low |
---|---|---|---|
**Likelihood:high** | Critical | High | Medium |
**Likelihood:medium** | High | Medium | - |
**Likelihood:low** | Medium | - | - |
Smart Contracts
Severity level | Impact: High | Impact: Medium |
---|---|---|
Likelihood:high | $400,000.00 | $30,000.00 |
Likelihood:medium | $30,000.00 | $10,000.00 |
Out of Scope (all repositories)
Known Issues
Known issues (Acknowledged/won't fix) from previous security reviews are considered out of scope.
- Find previous security reviews here
- Schnorr signature aggregation scheme is vulnerable to rogue-key attacks (described here) Schnorr signature aggregation scheme is vulnerable to private keys with linear relationship (described here)
Specific Types of Issues
- Informational findings.
- Design choices related to protocol.
- Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to
address(0)
. - Rounding errors.
- Relatively high gas consumption.
Prohibited Actions
- Live testing on public chains, including public mainnet deployments and public testnet deployments.
- We recommend testing on local forks, for example using foundry.
- Public disclosure of bugs without the consent of the protocol team.
- Conflict of Interest: any employee or contractor working with Chronicle Labs cannot participate in the Bug Bounty.
Total reward
$400,000
Findings submitted
21
Start date
1 May 2024
Please sign in as a researcher to join the bounty.
Log in