STON.fi is a decentralized automated market maker (AMM) built on the TON blockchain providing virtually zero fees, low slippage, an extremely easy interface, and direct integration with TON wallets.
In Scope
| Target | Type | Severity | Reward |
|---|---|---|---|
https://github.com/ston-fi/dex-core-v2/blob/main/contracts/lp_account.fcLP Account |
Smart Contract | Critical | Bounty |
https://github.com/ston-fi/dex-core-v2/blob/main/contracts/lp_wallet.fcLP Wallet |
Smart Contract | Critical | Bounty |
https://github.com/ston-fi/dex-core-v2/blob/main/contracts/pool.fcPool |
Smart Contract | Critical | Bounty |
https://github.com/ston-fi/dex-core-v2/blob/main/contracts/router.fcRouter |
Smart Contract | Critical | Bounty |
https://github.com/ston-fi/dex-core-v2/blob/main/contracts/vault.fcVault |
Smart Contract | Critical | Bounty |
IN SCOPE VULNERABILITIES (Smart Contracts)
Currently the scope of program only includes contracts v2.2.0, the same ones that are used by DEX in the mainnet. The scope might be extended with other versions in the future.
Only the following impacts are accepted within this Bug Bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.
Critical
- Direct theft of any user funds
- Permanent freezing of funds
- Protocol insolvency
High
- Theft of unclaimed yield
- Freeze ability of other users to trade
- Temporary freezing of funds
Medium
- Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
OUT OF SCOPE VULNERABILITIES (Smart Contracts)
The following issues are excluded from the rewards for this Bug Bounty program:
- Lack of liquidity
- Best practice critiques
- Centralization risks
- Issues with information about user balances
- Cases with disguising one asset with another asset
- Any kind of optimization/logic improvements/coding style improvements
- Issues related to lp jetton wallets
- Issues related to contract deletion caused by inability to pay rent
- Issues related to gas optimisation
- Issues related to loss of funds caused by price slippage: frontrunning, backrunning, sandwich attacks, etc.
The following activities are prohibited by this Bug Bounty program:
- Any testing with mainnet.
- Any testing with pricing oracles or third party Smart Contracts.
- Attempting phishing or other social engineering attacks against our employees and/or customers.
- Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks).
- Automated testing of services that generates significant amounts of traffic.
- Any denial of service attacks.
- All testing should be done on testnet. We specifically deployed smart contracts on the testnet.
Router address - kQAFpeGFJQA9KqiCxXZ8J4l__vSYAxFSirSOvPHn6SSX4ztn. Also you can see on tonscan.
And please see dex-core repo.
- Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
- No vulnerability disclosure, including partial is allowed for the moment.
- Please do NOT publish/discuss bugs.
We appreciate and thank everyone who submits valid reports that help us improve our security. However, only those reports meeting the following eligibility requirements may qualify for a monetary reward:
- You must be the first reporter of the vulnerability.
- The vulnerability reported must qualify under our listed criteria.
- Vulnerabilities must be reported within 24 hours of discovery, exclusively through hackenproof.com.
- Your report must include a clear textual description of the vulnerability, concise and detailed steps to reproduce the issue, and must include a proof-of-concept (PoC) with code demonstrating the vulnerability clearly.
- Attachments such as screenshots should be included as necessary alongside your PoC code.
- You must not be a current or former employee or contractor of our company.
- Reports must be submitted using ONLY the email address registered to your HackenProof account (violations will result in disqualification).
Providing a detailed, precise, and reproducible PoC is mandatory for report eligibility.