DESK / desk-orderbook

HMX Orderbook is a perpetual trading platform built on a Central Limit Order Book (CLOB) model. All trades are first processed by an off-chain sequencer for speed and efficiency. Once the off-chain transactions are finalized, the same inputs are submitted to the smart contracts, which verify that all business logic was applied correctly.

Prize distribution and scoring

  • Total Prize Pool: $30,000

  • Scoring described in the competition scoring page.

  • Findings Severities described in detail on our docs page.

  • Only High (H) and Medium (M) severity findings will be considered for this competition.

Documentation

The high-level overview of the code base resides in the README of the repository.

Note:

  • Only transactions that affect the accounting of a trading account are sent to the smart contracts.
  • Posting and cancelling limit orders are not sent to the smart contracts.
  • All transactions are submitted to the contracts through the Entrypoint.sol contract (Vault.sol is the exception and is not called through Entrypoint.sol).
  • To see how the calldata is encoded, see the example in test/Entrypoint.t.sol.
  • A subaccount is the 32-byte concatenation of the wallet address (20 bytes) followed by the subaccount ID (12 bytes). One wallet can have many subaccounts.
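As an added example (not code from the hmx-orderbook repository), the following library packs and unpacks the subaccount layout described in the note above, with the wallet address in the high 160 bits and the subaccount ID in the low 96 bits. The byte layout is taken from the note; the library and function names, and the `SubAccountCheck` self-check contract, are assumptions made for illustration. It is useful when hand-building calldata for a POC, since the owning wallet of any subaccount is always its top 20 bytes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not part of the hmx-orderbook code base. Layout from the
// competition notes: 20-byte wallet address followed by 12-byte subaccount ID.
// Library and function names are assumptions.
library SubAccountLib {
    // Wallet occupies the high 160 bits, the ID the low 96 bits.
    function encode(address wallet, uint96 id) internal pure returns (bytes32) {
        return bytes32((uint256(uint160(wallet)) << 96) | uint256(id));
    }

    // Owner of a subaccount is always its top 20 bytes.
    function walletOf(bytes32 sub) internal pure returns (address) {
        return address(uint160(uint256(sub) >> 96));
    }

    // Explicit narrowing keeps only the low 96 bits (the ID).
    function idOf(bytes32 sub) internal pure returns (uint96) {
        return uint96(uint256(sub));
    }
}

// Self-check that does not depend on test/OrderbookBase.t.sol; call it from
// any forge test, e.g. assertTrue(new SubAccountCheck().check(address(0xBEEF))).
contract SubAccountCheck {
    using SubAccountLib for bytes32;

    function check(address wallet) external pure returns (bool) {
        bytes32 a = SubAccountLib.encode(wallet, 0);
        bytes32 b = SubAccountLib.encode(wallet, 1);

        // Two subaccounts of one wallet share an owner but are distinct keys.
        require(a.walletOf() == wallet && b.walletOf() == wallet, "owner mismatch");
        require(a != b && a.idOf() == 0 && b.idOf() == 1, "id mismatch");

        // The shift form must match the byte concatenation the note describes:
        // abi.encodePacked(address, uint96) is exactly 20 + 12 = 32 bytes.
        require(
            keccak256(abi.encodePacked(a)) == keccak256(abi.encodePacked(wallet, uint96(0))),
            "layout mismatch"
        );
        return true;
    }
}
```

When reviewing a function that accepts a subaccount, the practical check is that the contract derives the owner from `walletOf(sub)` (the high 160 bits) and never from the ID, since any 12-byte ID under the same 20-byte prefix belongs to the same wallet.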

Recorded Walkthrough

Scope

  • Repository: hmx-orderbook
  • Files:
    • All contracts within /src/** folder,
    • excluding src/peripherals/Delegation.sol

Build Instructions

  • forge install
  • forge build
  • forge test

Basic POC Test

  • Create a new Solidity test contract that inherits the base test contract in test/OrderbookBase.t.sol. The base file includes all the setup needed.
  • If the POC needs additional configuration, refer to how the contracts interact with each other when the setUp() function in test/OrderbookBase.t.sol is called.

POC Rule

  • For smart contracts: The mandatory POC rule applies and must be included during submission.

Out of scope

  • Previous security reports: None

  • Expected behaviors such as trusted/untrusted roles and/or any accepted risks:

    • Most of the contracts are upgradable. Compromise of deployer keys is out of scope.
    • For all authenticated function calls, compromise of the key holders is out of scope.
    • Always assume the sequencer posts transactions correctly and does not act maliciously. For example:
      • feeding a wrong price is out of scope;
      • the sequencer will not send withdrawal transactions for arbitrary users.
    • User authentication to trade on an account is done at the sequencer and is out of scope for the smart contracts.
    • Configuration/settings errors are out of scope.
    • The Vault contract may hold an insufficient amount of tokens for a withdrawal depending on trading conditions at that moment. This is expected behavior.
    • The settlement token's decimals are guaranteed to be fewer than 18.
  • Lightchaser Report

Contact Us

For any issues or concerns regarding this competition, please reach out to the Cantina team through Discord.

Summary

Status: Completed
Total reward: $30,000
Findings submitted: 527
Start date: 6 Jan 2025 8:00pm (local time)
End date: 20 Jan 2025 8:00pm (local time)