Clipper
Program Overview
Clipper is a decentralized exchange (DEX) designed to have the lowest per-transaction costs for small-to-medium-sized trades. It is intended to be the best place for self-made traders to buy and sell the most popular cryptoassets. Here’s a quick overview of Clipper and its core design principles.
Further resources regarding Clipper can be found on its website.
The bug bounty program is focused around its smart contracts, is mostly concerned with the loss of user funds, and has a bonus period until 23:59:59 UTC on July 6th. The bug bounty program will begin accepting submissions starting on the launch date, June 22nd.
Rewards by Threat Level
Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.
During the bonus period, the reward for Critical vulnerabilities discovered is increased to USD 100,000.
Reports containing the following issues or vulnerabilities are not eligible for a reward at any severity level:
- Any issues that rely on running out of gas because of the variable-sized data structure for holding token information
- Any issues that rely on custom or non-typical token implementations (here, "typical" means "included in the current implementations of wBTC, USDC, USDT, and DAI").
- Any issues around following the 0x PLP API interface. Specifically, any issues around the potential loss of funds if procedures for swap and deposit are not followed (must transfer assets and then call the appropriate function atomically within the same transaction).
- Existing vested deposits may be locked again if they are not first unlocked before making a new deposit
- Issues related to the validation of function inputs if those functions are restricted to administrators only or if incorrect function inputs only affect the assets of the sender.
- Anything related to the miscomputation of the square root of 2
- Any issues with Chainlink oracles (manipulation, staleness)
- Any issues that involve contract ownership not being set correctly
- Any issues that involve an unrealistically large asset pool (more than twenty assets, more than $250M in assets at current prices).
- Any issues that involve changes of price, including front-running, within the bounds specified by the minimum buy amount in the 0x PLP API.
Payouts are handled by the Clipper team directly and are denominated in USD. However, rewards are paid out in USDC.
Smart Contracts and Blockchain
- Level: Critical, Payout: USD $50,000 - USD $100,000
- Level: High, Payout: USD $10,000
- Level: Medium, Payout: USD $5,000
- Level: Low, Payout: USD $1,000
Assets in Scope
The smart contracts under the Mock folder are not considered in scope for this bug bounty program.
- Type: Smart Contract
- Type: Smart Contract - ClipperExchangeInterface
- Type: Smart Contract - ClipperPool
- Type: Smart Contract - ClipperRouter
Prioritized Vulnerabilities
We are especially interested in receiving and rewarding vulnerabilities of the following types:
- Re-entrancy
- Logic errors
  - including user authentication errors
- Solidity/EVM details not considered
  - including unhandled exceptions
- Trusting trust/dependency vulnerabilities
  - including composability vulnerabilities
- Economic/financial attacks
  - including flash loan attacks
- Congestion and scalability
  - including running out of gas
  - including block stuffing
- Susceptibility to block timestamp manipulation (beyond one hour - manipulations around 15 second block timing are not in scope)
- Missing access controls / unprotected internal or debugging interfaces
Out of Scope & Rules
The following vulnerabilities are excluded from the rewards for this bug bounty program:
- Attacks that the reporter has already exploited themselves, leading to damage
- Attacks requiring access to leaked keys/credentials
- Attacks requiring access to privileged addresses or accounts (deployer, ownership, governance)
- Incorrect or manipulated data provided by or to third-party oracles
  - Flash loan attacks that do not rely on oracle manipulation are IN SCOPE.
- Basic economic governance attacks (e.g. 51% attack)
- Lack of liquidity
- Best practice critiques
- Sybil attacks
The following activities are prohibited by this bug bounty program:
- Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
- Any testing with pricing oracles or third party smart contracts
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty