Sign in
profile image

Chronicle Labs - Chronicle Labs Bounty

What is Chronicle Labs

Chronicle Protocol is a novel Oracle solution that has exclusively secured over $10B in assets for MakerDAO and its ecosystem since 2017. With a history of innovation, including the invention of the first Oracle on Ethereum, Chronicle Protocol continues to redefine Oracle networks. A blockchain-agnostic protocol, Chronicle overcomes the current limitations of transferring data on-chain by developing the first truly scalable, cost-efficient, decentralized, and verifiable Oracles, rewriting the rulebook on data transparency and accessibility.

Scribe's technical documentation at docs/ provides complete documentation of the technical decisions, external assumptions, internal invariants, as well as deployment and maintenance guides.

chroniclelabs.org

Smart Contracts in Scope

Scribe

chronicleprotocol/scribe/tree/v2

In scope:

  • everything in src/
  • special focus for us:
    • Unauthorized auth access
    • Unauthorized addition or removal of validator/feed
    • Being able to report a malicious price update
    • Constructing a non-challengeable, invalid opPoke
    • No "special" evm assumptions, ie evm fragmentation is a big issue and we want Scribe to be deployable on L2s etc without adjustments

Severity Definitions

Smart Contracts

Severity levelImpact: HighImpact: Medium
Likelihood:high$50,000.00$30,000.00
Likelihood:medium$30,000.00$10,000.00

Out of Scope (all repositories)

Known Issues

Known issues (Acknowledged/won't fix) from previous security reviews are considered out of scope.

  • Find previous security reviews here
  • Schnorr signature aggregation scheme is vulnerable to rogue-key attacks (described here) Schnorr signature aggregation scheme is vulnerable to private keys with linear relationship (described here)

Specific Types of Issues

  • Informational findings.
  • Design choices related to protocol.
  • Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to address(0).
  • Rounding errors.
  • Relatively high gas consumption.

Prohibited Actions

  • Live testing on public chains, including public mainnet deployments and public testnet deployments.
    • We recommend testing on local forks, for example using foundry.
  • Public disclosure of bugs without the consent of the protocol team.
  • Conflict of Interest: any employee or contractor working with Chronicle Labs cannot participate in the Bug Bounty.

Summary

Status

Live

Total reward:

$50,000 USDC

Start date:

1 May 2024 6:16pm (local time)

The first marketplace for web3 security. We've aggregated the security talent and solutions so you don't have to.

Services

CompetitionsReviewsBountiesGuilds

© 2024 Cantina. All rights reserved.