From f9c2d2535236ac53e65847141c6f831ab32d6b1f Mon Sep 17 00:00:00 2001
From: Chris Kalani
Date: Wed, 28 Aug 2019 16:08:52 -0700
Subject: [PATCH 1/3] Cleaned up CLI tag and added link to tools on API page
---
 packages/website/mdx/api-explorer/index.mdx | 4 +++-
 packages/website/ts/utils/algolia_meta.json | 8 ++++----
 2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/packages/website/mdx/api-explorer/index.mdx b/packages/website/mdx/api-explorer/index.mdx
index 069738aa7e..6d3204a520 100644
--- a/packages/website/mdx/api-explorer/index.mdx
+++ b/packages/website/mdx/api-explorer/index.mdx
@@ -1,3 +1,5 @@
-# Coming soon
+# Coming Soon
 
 The on-chain API explorer will allow developers to explore the many smart contract methods at their disposal for interacting with 0x protocol. It will provide an explanation of every method, along with code snippets for how to call the methods using our contract wrapper libraries. This section of the docs is still a WIP but we hope to get it in the hands of developers soon.
+
+Please check out the [Tools section](/docs/tools) for reference documentation.
diff --git a/packages/website/ts/utils/algolia_meta.json b/packages/website/ts/utils/algolia_meta.json
index 1bf10f458b..95b2eb22bb 100644
--- a/packages/website/ts/utils/algolia_meta.json
+++ b/packages/website/ts/utils/algolia_meta.json
@@ -482,7 +482,7 @@
 "isCommunity": false,
 "isFeatured": false,
 "tags": ["Protocol Developer", "Relayer"],
- "type": "Command-line tool",
+ "type": "CLI",
 "path": "tools/@0x/migrations/v4.3.0/reference.mdx",
 "versions": ["v4.3.0"]
 },
@@ -493,7 +493,7 @@
 "isCommunity": false,
 "isFeatured": true,
 "tags": ["Relayer"],
- "type": "Command-line tool",
+ "type": "CLI",
 "externalUrl": "https://github.com/0xProject/0x-launch-kit"
 },
 "massive": {
@@ -503,7 +503,7 @@
 "isCommunity": true,
 "isFeatured": false,
 "tags": ["Relayer", "Trader"],
- "type": "Command-line tool",
+ "type": "CLI",
 "externalUrl": "https://github.com/NoteGio/massive"
 },
 "coordinator-server": {
@@ -517,4 +517,4 @@
 "externalUrl": "https://github.com/0xProject/0x-coordinator-server"
 }
 }
-}
\ No newline at end of file
+}
From a01eafa4e76a1d13acee886404b95e1828c6330a Mon Sep 17 00:00:00 2001
From: Chris Kalani
Date: Wed, 28 Aug 2019 16:11:50 -0700
Subject: [PATCH 2/3] Cleaned up some Guide titles
---
 packages/website/ts/utils/algolia_meta.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/packages/website/ts/utils/algolia_meta.json b/packages/website/ts/utils/algolia_meta.json
index 95b2eb22bb..906fe240fd 100644
--- a/packages/website/ts/utils/algolia_meta.json
+++ b/packages/website/ts/utils/algolia_meta.json
@@ -55,7 +55,7 @@
 "path": "guides/contract-fillable-liquidity.mdx"
 },
 "0x-cheat-sheet": {
- "title": "0x cheat sheet",
+ "title": "0x Cheat Sheet",
 "description": "All the information you look up often when building on 0x (e.g., deployed contract addresses)",
 "tags": ["Relayer", "Trader", "Protocol Developer"],
 "topics": ["Relayer", "Trader", "Protocol Developer"],
@@ -71,7 +71,7 @@
 "path": "guides/ganache-setup.mdx"
 },
 "integrate-instant": {
- "title": "Get started with 0x Instant",
+ "title": "Get Started with 0x Instant",
 "subtitle": "A free and flexible way to offer simple crypto purchasing in any app or website",
 "description": "Learn how to embed 0x Instant into your website or mobile app, allowing your users to seemlessly buy any digital asset with Ether",
 "tags": ["Instant"],
@@ -149,7 +149,7 @@
 "path": "guides/market-making-on-0x.mdx"
 },
 "0x-extensions-explained": {
- "title": "0x Extensions explained",
+ "title": "0x Extensions Explained",
 "description": "Learn about how you can extend 0x protocol with your own custom extensions adding white-listing, dutch auction mechanics and much more to 0x.",
 "tags": ["Relayer", "Trader", "Extensions"],
 "topics": ["Relayer", "Trader", "Extensions"],
From 220856d084a4ba251806445f246b1ce1fd0f227b Mon Sep 17 00:00:00 2001
From: Chris Kalani
Date: Wed, 28 Aug 2019 16:23:35 -0700
Subject: [PATCH 3/3] Added bug bounty program guide
---
 .../website/mdx/guides/bug-bounty-program.mdx | 67 +++++++++++++++++++
 packages/website/ts/utils/algolia_meta.json | 12 +++-
 2 files changed, 78 insertions(+), 1 deletion(-)
 create mode 100644 packages/website/mdx/guides/bug-bounty-program.mdx
diff --git a/packages/website/mdx/guides/bug-bounty-program.mdx b/packages/website/mdx/guides/bug-bounty-program.mdx
new file mode 100644
index 0000000000..61a77ebd27
--- /dev/null
+++ b/packages/website/mdx/guides/bug-bounty-program.mdx
@@ -0,0 +1,67 @@
+# Rewards
+
+The severity of reported vulnerabilities will be graded according to the [CVSS](https://www.first.org/cvss/) (Common Vulnerability Scoring Standard). The following table will serve as a guideline for reward decisions:
+
+| Critical (CVSS 9.0 - 10.0) | High (CVSS 7.0 - 8.9) | Medium (CVSS 4.0 - 6.9) | Low (CVSS 0.0 - 3.9) |
+| -------------------------- | --------------------- | ----------------------- | -------------------- |
+| $10,000 - $100,000 | $2,500 - $10,000 | $1,000 - $2,500 | $0 - $1,000 |
+
+Please note that any rewards will ultimately be awarded at the discretion of ZeroEx Intl. All rewards will be paid out in ZRX.
+
+### Areas of interest
+
+The following are examples of types of vulnerabilities that are of interest:
+
+- Loss of assets
+ - A user loses assets in a way that they did not explicitly authorize (e.g an account is able to gain access to an `AssetProxy` and drain user funds).
+ - A user authorized a transaction or trade but spends more assets than normally expected (e.g an order is allowed to be over-filled).
+- Unintended contract state
+ - A user is able to update the state of a contract such that it is no longer useable (e.g permanently lock a mutex).
+ - Any assets get unexpectedly "stuck" in a contract with regular use of the contract's public methods.
+- Bypassing time locks
+ - The `AssetProxyOwner` is allowed to bypass the timelock for transactions where it is not explicitly allowed to do so.
+ - A user is allowed to bypass the `AssetProxyOwner`.
+
+# Scope
+
+The following contracts are in scope of the bug bounty. Please note that any bugs already reported are considered out of scope.
+
+## 2.1
+
+2.1 submissions should be based off of the contracts as of commit [ff70c5ecfe28eff14e1a372c5e493b8f5363e1d0](https://github.com/0xProject/0x-monorepo/tree/ff70c5ecfe28eff14e1a372c5e493b8f5363e1d0/packages/contracts/src/2.0.0).
+The contracts found in the following directories are considered within scope of this bug bounty:
+
+- `src/2.0.0/protocol`
+- `src/2.0.0/utils`
+- `src/2.0.0/multisig/MultiSigWalletWithTimeLock`
+
+Security audits of these contracts can be found [here](https://docs.google.com/document/d/1jYv6V21MfCSwCS5fxD6ZyaLWGzkpRSUO0lZpST94XsA/edit) and [here](https://github.com/ConsenSys/0x_audit_report_2018-07-23).
+
+## MultiAssetProxy
+
+`MultiAssetProxy` submissions should be based off of the contracts as of commit [c4d9ef9f83508154fe9db35796b6b86aeb0f2240](https://github.com/0xProject/0x-monorepo/tree/c4d9ef9f83508154fe9db35796b6b86aeb0f2240/contracts/asset-proxy).
+The only contract within the scope of this bug bounty is:
+
+- `contracts/src/MultiAssetProxy.sol`
+
+The security audit for this contract can be found [here](https://github.com/ConsenSys/0x-audit-report-2018-12).
+
+## ERC1155Proxy
+
+`ERC1155Proxy` submissions should be based off of the contracts as of commit [77484dc69eea1f4f1a8397590199f3f2489751d2](https://github.com/0xProject/0x-monorepo/tree/77484dc69eea1f4f1a8397590199f3f2489751d2/contracts/asset-proxy).
+The only contract within the scope of this bug bounty is:
+
+- `contracts/src/ERC1155Proxy.sol`
+
+The security audit for this contract can be found [here](https://github.com/ConsenSys/0x-audit-report-2019-05).
+
+## StaticCallProxy
+
+`StaticCallProxy` submissions should be based off of the contracts as of commit [54f4727adc6da95f312e3721f44857110555d24c](https://github.com/0xProject/0x-monorepo/tree/54f4727adc6da95f312e3721f44857110555d24c/contracts/asset-proxy).
+The only contract within the scope of this bug bounty is:
+
+- `contracts/src/StaticCallProxy.sol`
+
+# Disclosures
+
+Please e-mail all submissions to security@0x.org with the subject "BUG BOUNTY". Your submission should include any steps required to reproduce or exploit the vulnerability. Please allow time for the vulnerability to be fixed before discussing any findings publicly. After receiving a submission, we will contact you with expected timelines for a fix to be implemented.
diff --git a/packages/website/ts/utils/algolia_meta.json b/packages/website/ts/utils/algolia_meta.json
index 906fe240fd..b1a5c6fd21 100644
--- a/packages/website/ts/utils/algolia_meta.json
+++ b/packages/website/ts/utils/algolia_meta.json
@@ -156,7 +156,17 @@
 "difficulty": "Advanced",
 "path": "guides/0x-extensions-explained.mdx"
 }
- },
+ },
+ "bug-bounty-program": {
+ "title": "Bug Bounty Program",
+ "subtitle": "An ongoing bug bounty for the 0x protocol smart contracts.",
+ "description": "An ongoing bug bounty for the 0x protocol smart contracts.",
+ "tags": ["Protocol Developer"],
+ "topics": ["Protocol Developer"],
+ "difficulty": "Advanced",
+ "path": "guides/bug-bounty-program.mdx"
+ }
+ },
 "tools": {
 "asset-swapper": {
 "title": "0x Asset Swapper",
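Review bot: The Disclosures section at the end of the new file asks reporters to e-mail "any steps required to reproduce or exploit the vulnerability" to security@0x.org but gives no way to encrypt that mail, so the most sensitive part of a report about live contracts travels in plaintext; add a PGP key next to the address, e.g. `Submissions can be encrypted to our PGP key (fingerprint: <SECURITY_PGP_FINGERPRINT>).`, and link a `security.txt` if the site publishes one. The reward table labels the lowest band `Low (CVSS 0.0 - 3.9)`; if CVSS v3 is meant, 0.0 is the "None" rating and Low is 0.1 - 3.9, so `Low (CVSS 0.1 - 3.9)` avoids implying that purely informational findings are paid. The Scope section pins each contract set to a commit, but nothing says whether a finding against the currently deployed bytecode that differs from those commits is eligible; one sentence on that would save triage on both sides.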
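Review bot: On the new side of the `@@ -156,7 +156,17 @@` hunk the context line `}` that closes `0x-extensions-explained` is immediately followed by the added `},`, then the `bug-bounty-program` object, then `}` and a second `},` before `"tools"`; read literally that is one closing brace too many, and a strict parser would reject `algolia_meta.json` (its `ts/utils` path suggests it is imported by the site's TypeScript, which would then fail to build). If the collapsed rendering here is faithful, the fix is to change the context `}` to `},` and drop the first added `},`, keeping the final `},` that closes the guides object. Running the file through `jq .` or `python -m json.tool` in CI would catch this and also lock in the `\ No newline at end of file` cleanup from patch 1. Separately, `subtitle` and `description` carry the identical sentence, whereas the other entries in this file (e.g. `integrate-instant`) use `subtitle` for a distinct tagline.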