DESK / desk-orderbook
HMX Orderbook is a cutting-edge perpetual trading platform offering traders a seamless experience with its Central Limit Order Book (CLOB) model. All trades are initially processed through our off-chain sequencer, ensuring efficiency and speed. Once the off-chain transactions are finalized, the same inputs are transmitted to our smart contracts, where they are verified to ensure all business logic has been accurately executed.
Prize distribution and scoring
- Total Prize Pool: $30,000
- Scoring described in the competition scoring page.
- Findings Severities described in detail on our docs page.
- Only H/Ms will be considered for this competition
Documentation
The high-level overview of the code base resides in the README of the repository.
Note:
- Only transactions that affect the accounting aspect of the trading account are sent to the smart contracts.
- Posting and canceling limit orders are not sent to the smart contracts.
- All transactions submitted to the contracts go through the Entrypoint.sol contract (except the Vault.sol contract).
- To see how the calldata is encoded, see the example in test/Entrypoint.t.sol.
- A subaccount is the concatenation of the wallet address (20 bytes) + subaccount ID (12 bytes). One wallet can have many subaccounts.
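As an added example (not code from the hmx-orderbook repository), a small Foundry-style helper for the subaccount layout described above: the library name, its function names and the sample addresses and IDs are assumptions, and the real encoding used by the contracts should be read from the source and test/Entrypoint.t.sol.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

/// Added example, not HMX code: packs and unpacks the subaccount key
/// wallet (20 bytes, high 160 bits) || subaccount ID (12 bytes, low 96 bits).
library SubaccountLib {
    /// Pack a wallet and a 12-byte ID into one bytes32 subaccount key.
    function encode(address wallet, uint96 subaccountId) internal pure returns (bytes32) {
        return bytes32((uint256(uint160(wallet)) << 96) | uint256(subaccountId));
    }

    /// Recover the owning wallet from a subaccount key (high 160 bits).
    function walletOf(bytes32 subaccount) internal pure returns (address) {
        return address(uint160(uint256(subaccount) >> 96));
    }

    /// Recover the subaccount ID (low 96 bits); the cast truncates the wallet bits.
    function idOf(bytes32 subaccount) internal pure returns (uint96) {
        return uint96(uint256(subaccount));
    }
}

/// Foundry test for the round-trip; the addresses and IDs are constructed values.
contract SubaccountLibTest is Test {
    function test_RoundTrip() public {
        address alice = address(0xA11CE);
        uint96 subId = 7;
        bytes32 key = SubaccountLib.encode(alice, subId);
        assertEq(SubaccountLib.walletOf(key), alice);
        assertEq(SubaccountLib.idOf(key), subId);
    }

    /// Two subaccounts of one wallet are distinct keys that share an owner; an
    /// ownership check in a POC should compare the wallet part, not the whole key.
    function test_DistinctIdsSameOwner() public {
        address alice = address(0xA11CE);
        bytes32 k0 = SubaccountLib.encode(alice, 0);
        bytes32 k1 = SubaccountLib.encode(alice, 1);
        assertTrue(k0 != k1);
        assertEq(SubaccountLib.walletOf(k0), SubaccountLib.walletOf(k1));
    }
}
```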
Recorded Walkthrough
Scope
- Repository: hmx-orderbook
- Files:
  - All contracts within the /src/** folder, excluding src/peripherals/Delegation.sol
  - All contracts within
Build Instructions
forge install
forge build
forge test
Basic POC Test
- Create a new Solidity contract that inherits the test/OrderbookBase.t.sol file. The base file includes all the setup needed.
- If some configuration is required for the POC, refer to how each contract interacts with the others when the setUp() function in the test/OrderbookBase.t.sol file is called.
POC Rule
- For smart contracts: The mandatory POC rule applies and must be included during submission.
Out of scope
- Previous security reports: None
- Expected behaviors such as trusted/untrusted roles and/or any accepted risks:
  - Most of the contracts are upgradable. Compromise of deployer keys is out of scope.
  - For all of the authenticated function calls, compromise of key holders is out of scope.
  - Always assume the sequencer correctly posts the transactions and will not act maliciously. For example:
    - Feeding the wrong price is out of scope.
    - The sequencer will not suddenly send withdrawal transactions to random users.
  - User authentication to trade on their account is done at the sequencer and is out of scope for smart contracts.
  - Configuration/settings errors are out of scope.
  - The Vault contract can have an insufficient amount of tokens for withdrawal depending on the trading conditions at the moment. This is expected behavior.
  - The settlement token's decimals are guaranteed to be < 18 digits.
Contact Us
For any issues or concerns regarding this competition, please reach out to the Cantina team through Discord.
Summary
Status: Completed
Total reward: $30,000
Findings submitted: 527
Start date: 6 Jan 2025 8:00pm (local time)
End date: 20 Jan 2025 8:00pm (local time)