Tracer

The Tracer protocol is a DAO governed network of open-source financial smart contracts that enables people to manage financial risk. The protocol itself is a low cost vehicle that can be used to unlock new digital and real-world markets.

For more information about Tracer, please visit https://tracer.finance/.
This bug bounty program is focused on their smart contracts and is focused on preventing:

• Loss of user funds
• Deadlocking of system (minting and burning gets blocked)
• Contract fails to deliver promised returns, but doesn't lose value

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.

Critical and High smart contract bug reports must come with a PoC in order to be considered for a reward.

Critical smart contract vulnerabilities are paid at 10% of economic damage, primarily based on funds at risk. The team may, at its discretion, take into consideration other aspects such as PR and branding effects. However, there is a minimum reward of USD 100 000.

Bug reports involving vulnerabilities highlighted in this audit are not eligible for a reward as they are a known issue.

Bug reports involving vulnerabilities highlighted in https://code423n4.com/reports/2021-10-tracer/ are not eligible for a reward as they are known issues and are out of scope.

Payouts are handled by the Tracer team directly and are denominated in USD. However, payouts are done in a mix of TCR and stablecoins, at the discretion of the Tracer team.

All smart contracts of Tracer can be found at https://github.com/mycelium-ethereum/perpetual-pools-contracts. However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.

For additional reference, the following smart contracts can be found at the following contract addresses:

3-ETH/USD PoolCommitter - https://arbiscan.io/address/0x72c4e7Aa6c743DA4e690Fa7FA66904BC3f2C9C04

3-ETH/USD Short pool token - https://arbiscan.io/address/0x7d7E4f49a29dDA8b1eCDcf8a8bc85EdcB234E997

3-ETH/USD Long pool token - https://arbiscan.io/address/0xaA846004Dc01b532B63FEaa0b7A0cB0990f19ED9

3-ETH/USD Deploy PoolKeeper - https://arbiscan.io/address/0x759E817F0C40B11C775d1071d466B5ff5c6ce28e

3-ETH/USD Deployed LeveragedPool - https://arbiscan.io/address/0x54114e9e1eEf979070091186D7102805819e916B

1-ETH/USD PoolCommitter - https://arbiscan.io/address/0x047Cd47925C2390ce26dDeB302b8b165d246d450

1-ETH/USD Short pool token - https://arbiscan.io/address/0xf581571DBcCeD3A59AaaCbf90448E7B3E1704dcD

1-ETH/USD Long pool token - https://arbiscan.io/address/0x38c0a5443c7427e65A9Bf15AE746a28BB9a052cc

1-ETH/USD Deploy PoolKeeper - https://arbiscan.io/address/0x759E817F0C40B11C775d1071d466B5ff5c6ce28e

1-ETH/USD Deployed LeveragedPool - https://arbiscan.io/address/0x3A52aD74006D927e3471746D4EAC73c9366974Ee

3-BTC/USD PoolCommitter - https://arbiscan.io/address/0xFDE5D7B7596AF6aC5df7C56d76E14518A9F578dF

3-BTC/USD Short pool token - https://arbiscan.io/address/0x85700dC0bfD128DD0e7B9eD38496A60baC698fc8

3-BTC/USD Long pool token - https://arbiscan.io/address/0x05A131B3Cd23Be0b4F7B274B3d237E73650e543d

3-BTC/USD Deploy PoolKeeper - https://arbiscan.io/address/0x759E817F0C40B11C775d1071d466B5ff5c6ce28e

3-BTC/USD Deployed LeveragedPool - https://arbiscan.io/address/0x70988060e1FD9bbD795CA097A09eA1539896Ff5D

1-BTC/USD Long pool token - https://arbiscan.io/address/0x539Bf88D729B65F8eC25896cFc7a5f44bbf1816b

1-BTC/USD Long pool token - https://arbiscan.io/address/0x052814194f459aF30EdB6a506eABFc85a4D99501

1-BTC/USD Long pool token - https://arbiscan.io/address/0x1616bF7bbd60E57f961E83A602B6b9Abb6E6CAFc

1-BTC/USD Deploy PoolKeeper - https://arbiscan.io/address/0x759E817F0C40B11C775d1071d466B5ff5c6ce28e

1-BTC/USD Deployed LeveragedPool - https://arbiscan.io/address/0x146808f54DB24Be2902CA9f595AD8f27f56B2E76

Impacts in Scope

Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.

Smart Contracts

• Loss of user funds
• Deadlocking of system (minting and burning gets blocked)
• Contract fails to deliver promised returns, but doesn't lose value

We are especially interested in receiving and rewarding vulnerabilities of the following types:

Smart Contracts and Blockchain

• Re-entrancy
• Logic errors
  • including user authentication errors
• Solidity/EVM details not considered
  • including integer over-/under-flow
  • including rounding errors
  • including unhandled exceptions
• Trusting trust/dependency vulnerabilities
  • including composability vulnerabilities
• Oracle failure/manipulation
• Novel governance attacks
• Economic/financial attacks
  • including flash loan attacks
• Congestion and scalability
  • including running out of gas
  • including block stuffing
  • including susceptibility to frontrunning
• Consensus failures
• Cryptography problems
  • Signature malleability
  • Susceptibility to replay attacks
  • Weak randomness
  • Weak encryption
• Susceptibility to block timestamp manipulation
• Missing access controls / unprotected internal or debugging interfaces
• Contract DOS attacks on the minting and burning system

The following vulnerabilities are excluded from the rewards for this bug bounty program:

• Attacks that the reporter has already exploited themselves, leading to damage
• Attacks requiring access to leaked keys/credentials
• Attacks requiring access to privileged addresses (governance, strategist)

Smart Contracts and Blockchain

• Incorrect data supplied by third party oracles
  • Not to exclude oracle manipulation/flash loan attacks
• Basic economic governance attacks (e.g. 51% attack)
• Lack of liquidity
• Best practice critiques
• Sybil attacks

The following activities are prohibited by this bug bounty program:

• Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
• Any testing with pricing oracles or third party smart contracts
• Attempting phishing or other social engineering attacks against our employees and/or customers
• Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
• Any denial of service attacks
• Automated testing of services that generates significant amounts of traffic
• Public disclosure of an unpatched vulnerability in an embargoed bounty