Bug Bounty Program Summary – November 2024
Our Bug Bounty Program for the staking contract has been successfully completed. The program aimed to promote transparency in what we build and to identify any security vulnerabilities. It concluded with only minor, non-significant findings. Here is a recap of the program and its outcomes:
Duration: The program engaged ethical hackers and Web3 developers globally (via Discord, social media platforms, etc.) over a set period of two weeks to evaluate the logic of our smart contract – in search of vulnerabilities or contract enhancements.
Scope: All participants were invited to investigate vulnerabilities, focusing on critical areas such as reentrancy attacks, registration of staking pools, deposit logic to staking pools, and more.
Outcome:
- Critical, High, and Medium Severity Bugs: No vulnerabilities of critical, high, or medium severity were found, confirming the robustness of our contract implementation.
- Low Severity Bugs: One minor low-severity issue was identified, along with two improvement observations. While they posed no significant threat, we addressed them promptly.
Below is a summary of the results and actions taken:
Category | Description | Findings |
---|---|---|
Critical Bugs | Bugs that could result in a significant loss of funds or complete loss of control over the contract (e.g., reentrancy exploits). | None |
High Severity Bugs | High-impact bugs that are still dangerous but may require more effort to exploit. | None |
Medium Severity Bugs | Vulnerabilities that present risks but are more challenging to exploit. | None |
Low Severity Bugs | Minor issues that pose minimal risk but could lead to inefficiencies or unnecessary gas costs. | One minor low-severity issue and two improvement observations (detailed below) |

Minor low-severity issue: Users could be unable to withdraw their funds if the gas cost of the withdrawal exceeded the block gas limit, causing the transaction to fail. While this posed no significant threat, it was promptly addressed.
Action taken: The issue is prevented by setting a maximum number of deposit slots per wallet for each staking pool. For example, deposits to the Gem1 pool are limited to 25 slots per wallet address, ensuring that withdrawal transactions remain within gas limits.
Minor Observation 1: It was observed that wallet addresses should be able to deposit multiple times into the same pool within a single transaction, provided they stay within the slot limit.
Action taken: A function to facilitate multiple deposits in a single transaction has been implemented, improving user experience and efficiency.
Minor Observation 2: It was suggested that the range of discounts when registering a pool should be dynamic rather than fixed.
Action taken: Variables have been created along with a setter function to update the discount ranges as needed, allowing for greater flexibility in pool configurations.
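The three changes described above (a per-wallet slot cap that bounds withdrawal gas, a batched deposit that respects the cap, and an owner-adjustable discount range) sketched as an added Solidity example. This is illustrative code written for this summary, not the IPMB staking contract: the contract name, pool and deposit layout, function names and the simplified accounting are assumptions; only the 25-slot cap figure comes from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Minimal ERC20 surface needed by the sketch (standard interface functions).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Illustrative staking sketch (not the IPMB contract). Without a cap, a wallet
/// could open so many deposit slots that a withdrawal iterating over all of them
/// exceeds the block gas limit and can never succeed; capping slots per wallet
/// per pool gives that loop a known upper bound.
contract SlotCappedStaking {
    struct Pool {
        IERC20 token;
        uint64 lockPeriod;   // seconds a deposit stays locked (assumed field)
        uint16 maxSlots;     // open deposit slots allowed per wallet, e.g. 25
        uint16 discountBps;  // discount applied at registration (assumed field)
        bool registered;
    }
    struct Deposit {
        uint128 amount;
        uint64 unlockTime;
    }

    address public immutable owner;
    mapping(uint256 => Pool) public pools;
    // poolId => wallet => open deposit slots
    mapping(uint256 => mapping(address => Deposit[])) private deposits;

    // Observation 2: discount bounds are state variables, not constants.
    // Basis points; the starting values are assumed.
    uint16 public minDiscountBps = 0;
    uint16 public maxDiscountBps = 2_000;

    uint256 private lockState = 1; // simple reentrancy guard

    error NotOwner();
    error PoolNotRegistered();
    error SlotLimitExceeded(uint256 open, uint256 requested, uint256 max);
    error DiscountOutOfRange(uint16 bps);
    error NothingUnlocked();
    error TransferFailed();

    modifier onlyOwner() { if (msg.sender != owner) revert NotOwner(); _; }
    modifier nonReentrant() { require(lockState == 1, "reentrant"); lockState = 2; _; lockState = 1; }

    constructor() { owner = msg.sender; }

    /// Register a pool with its slot cap. The discount is validated against the
    /// currently configured range instead of a hard-coded one.
    function registerPool(uint256 poolId, IERC20 token, uint64 lockPeriod, uint16 maxSlots, uint16 discountBps)
        external onlyOwner
    {
        if (discountBps < minDiscountBps || discountBps > maxDiscountBps) revert DiscountOutOfRange(discountBps);
        pools[poolId] = Pool(token, lockPeriod, maxSlots, discountBps, true);
    }

    /// Setter that lets the owner retune the discount range later.
    function setDiscountRange(uint16 minBps, uint16 maxBps) external onlyOwner {
        require(minBps <= maxBps && maxBps <= 10_000, "bad range");
        minDiscountBps = minBps;
        maxDiscountBps = maxBps;
    }

    /// Observation 1: several deposits into one pool in a single transaction.
    /// The whole batch is checked against the cap before any slot is opened;
    /// a single deposit is just a one-element array.
    function depositMany(uint256 poolId, uint128[] calldata amounts) external nonReentrant {
        Pool storage p = pools[poolId];
        if (!p.registered) revert PoolNotRegistered();
        Deposit[] storage slots = deposits[poolId][msg.sender];
        uint256 open = slots.length;
        if (open + amounts.length > p.maxSlots) revert SlotLimitExceeded(open, amounts.length, p.maxSlots);
        uint256 total;
        for (uint256 i = 0; i < amounts.length; i++) {
            slots.push(Deposit(amounts[i], uint64(block.timestamp) + p.lockPeriod));
            total += amounts[i];
        }
        if (!p.token.transferFrom(msg.sender, address(this), total)) revert TransferFailed();
    }

    /// Withdraw every unlocked slot. The loop runs at most p.maxSlots times,
    /// so its gas cost is bounded and cannot outgrow the block gas limit.
    function withdrawAll(uint256 poolId) external nonReentrant {
        Pool storage p = pools[poolId];
        if (!p.registered) revert PoolNotRegistered();
        Deposit[] storage slots = deposits[poolId][msg.sender];
        uint256 total;
        uint256 i = 0;
        while (i < slots.length) {
            if (slots[i].unlockTime <= block.timestamp) {
                total += slots[i].amount;
                slots[i] = slots[slots.length - 1]; // swap-and-pop keeps the array compact
                slots.pop();
            } else {
                i++;
            }
        }
        if (total == 0) revert NothingUnlocked();
        if (!p.token.transfer(msg.sender, total)) revert TransferFailed();
    }

    function openSlots(uint256 poolId, address wallet) external view returns (uint256) {
        return deposits[poolId][wallet].length;
    }
}
```

The defensive point is the invariant `openSlots(poolId, wallet) <= pools[poolId].maxSlots`: because `depositMany` enforces it before writing any slot, `withdrawAll` can be reasoned about with a fixed worst-case gas cost per pool, which is the property a test suite should assert for every registered pool's cap.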
Reward: Participants were rewarded for their valuable contributions, reflecting our commitment to recognizing efforts that enhance our platform’s security. The reward was sent to the participant’s address, and the transaction details can be viewed here.
Impact: Although no major vulnerabilities were discovered, the program helped us to:
- Validate the effectiveness of our current implementation and security measures.
- Identify minor areas for improvement, further enhancing the contract implementation.
- Reinforce trust and transparency with our community.
Actions Completed:
- The identified issues have been fixed, tested, and deployed.
- Updated Contract: The latest contract version is deployed on the Amoy Testnet and can be viewed here:
https://www.oklink.com/amoy/address/0xc0028bEc0A994d5D4e854b7003560063E35860fE
Commit Details: Specifics of the updates are documented in the following GitHub commit:
Tests: All test cases can be found here:
https://github.com/IpmbOfficial/IPMB-staking-contracts/tree/main/contracts/test
GitHub Repository: The complete source is available in our repository:
https://github.com/IpmbOfficial/IPMB-staking-contracts
Follow-up and Future Steps:
- Stay tuned for the upcoming bug bounty on our custom ERC721 contract for GEM NFTs.
This initiative underscores our dedication to security and our gratitude to the ethical hacker community and the Web3 developer community for their vital role in building a secure digital environment. Thank you to all who participated and contributed!
About IPMB
The IPMB Ecosystem offers direct access to physical gold, allowing exposure to the stability of gold and the speed and security of the blockchain through a dual-token model.
Through this innovation, IPMB is striving to change the gold industry forever.
The IPMB mission is to provide the world access to unlimited economic freedom and opportunity, giving choice and control to accelerate a global transition to a low-cost, unified and transparent global currency.