Boba Network
Launched: 19 Apr 2024
Status: Active
KYC Required: Yes
GENERAL INFORMATION
Boba Network is a blockchain Layer-2 scaling solution and Hybrid Compute platform offering lightning fast transactions and fees up to 100x less than Layer-1.
For more information about Boba Network, please visit https://boba.network/
Assets type:
- Smart Contracts
- Websites and Applications
Product types:
- Technology and Infrastructure
- Scaling solutions
ABOUT BOBA NETWORK
Boba Network's Hybrid Compute technology brings the power of Web2 on-chain for the first time, allowing smart contracts to call any external Web2 API to execute complex algorithms such as machine learning classifiers, pull in real-world or enterprise data in a single atomic transaction, or sync with the latest state of a gaming engine. Leveraging off-chain compute and real-world data, developers and creators can offer an enriched experience unlike anything else on the market today.
Boba Network is delivering a faster, cheaper, and smarter experience for blockchain's next billion users.
FOR TESTING
For testing any exploits involving cross-domain transactions, it is recommended to work with Boba's local devnet stack (for Boba-Eth), or with Boba's dockerized services while modifying the integration tests (for Boba-BNB).
Note: Boba-Eth has been migrated to Anchorage (v3) and differs in design and architecture from Boba-BNB (v2). Find more about the Anchorage specification here: https://github.com/bobanetwork/boba?tab=readme-ov-file#specification
PROGRAM'S RULES
- Respect the scope of the program
- Don't discuss or disclose vulnerability information without prior written consent
- When reporting a bug, please make sure to select the relevant proxy smart contract as the target
- If an impact can be caused to any other asset managed by Boba Network that isn't in this table but for which the impact is listed in the Impacts in Scope section below, you are encouraged to submit it for consideration by the project. This only applies to Critical and High impacts.
PROHIBITED ACTIVITIES
The following activities are prohibited by this bug bounty program:
- Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
- Any testing with pricing oracles or third party smart contracts
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty
ELIGIBILITY CRITERIA
- Current employees, vendors (auditors), partners and contractors are not eligible to participate in the bug bounty program
PAYOUTS
Smart Contracts & Websites and Applications
Critical: $10,000 - $100,000
- Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results
- Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
- Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties
- Permanent freezing of funds
- Permanent freezing of NFTs originally developed by Boba Network
- Unauthorized minting of NFTs originally developed by Boba Network
- Unintended alteration of what the NFT represents (e.g. token URI, payload, artistic content) for NFTs originally developed by Boba Network
- Protocol insolvency
High: up to $8,000
- Theft of unclaimed yield
- Theft of unclaimed royalties
- Permanent freezing of unclaimed yield
- Permanent freezing of unclaimed royalties
- Temporary freezing of funds for any amount of time
- Temporary freezing of NFTs originally developed by Boba Network for any amount of time
Medium: up to $3,000
- Smart contract unable to operate due to lack of token funds
- Protocol failure caused by block stuffing
- Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
- Theft of gas
- Unbounded gas consumption
Low: up to $1,000
- Smart contract fails to deliver promised returns but doesn't lose value
Informational: Not eligible
Rewards and Recognition
Blockchain/DLT
For critical Blockchain/DLT bugs, the reward amount is 10% of the funds directly affected, capped at the maximum critical reward of USD 100,000. However, a minimum reward of USD 10,000 is paid in order to incentivize security researchers not to withhold a bug report.
Smart Contracts
For critical smart contract bugs, the reward amount is 10% of the funds directly affected, up to a maximum of USD 100,000. However, a minimum reward of USD 10,000 is paid in order to incentivize security researchers not to withhold a bug report.
Other guidelines
- Payouts are handled by the team directly and are denominated in USD. Payouts are made in USDC at the discretion of the team
- The bug bounty program reserves the right to adjust award amounts based on the quality and accuracy of submissions within the specified range
SUBMISSION GUIDELINES
- Reports should be submitted through the Remedy platform
- Bug reports of all severities should include a runnable Proof of Concept (PoC) in order to prove impact
ASSETS IN SCOPE
- Proxy__OVM_L1StandardBridge: https://etherscan.io/address/0xdc1664458d2f0B6090bEa60A8793A4E66c2F1c00
- Proxy__LightBridge: https://etherscan.io/address/0x2dE73Bd1660Fbf4D521a52Ec2a91CCc106113801
- Proxy__LightBridge: https://bobascan.com/address/0x0dfFd3Efe9c3237Ad7bf94252296272c96237FF5
- Proxy__L1StandardBridge: https://bscscan.com/address/0x1E0f7f4b2656b14C161f1caDF3076C02908F9ACC
- Proxy__LightBridge: https://bobascan.com/address/0x670b130112C6f03E17192e63c67866e67D77c3ee
All smart contracts of Boba Network can be found at:
Note: Only the proxy contracts listed in the Assets in Scope table are considered in scope of the bug bounty program. Although only the proxy contracts are listed, the current implementation contracts and any further updates to them are also considered in scope.
OUT OF SCOPE
- Contracts are upgradable
- The fact that fraud proofs are not yet running
- A bug in Lib_MerkleTrie.sol which will prevent withdrawals from succeeding in some cases. There is a workaround for this: modifying the proof to add an extra element
- A bug in Lib_ResolvedDelegateProxy.sol which could result in a storage slot key collision overwriting the address of the implementation. This bug is dependent on the layout of the implementation contract, and Boba is not affected
- The user cannot commit to an L1 gas price; the OVM_GasPriceOracle is owned by a key controlled by Boba and is responsible for setting the L1 gas price
- There appears to be an obvious bug which would allow an attacker to withdraw a fake ERC20 token from L2 in exchange for a real ERC20 token (such as WBTC) on L1. There is no check in the L2StandardBridge; however, the withdrawal is prevented from finalizing by a check in the L1StandardBridge. Naturally, if you do find a way to circumvent Boba Network's protections, you would be rewarded
- All vulnerabilities mentioned in https://github.com/bobanetwork/boba_legacy/tree/develop/boba_audits
EXCLUDED VULNERABILITIES
The following vulnerabilities are excluded from the rewards for this bug bounty program:
- Attacks that the reporter has already exploited themselves, leading to damage
- Attacks requiring access to leaked keys/credentials
- Attacks requiring access to privileged addresses (governance, strategist)
- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
- Mentions of secrets, access tokens, API keys, private keys, etc. in GitHub will be considered out of scope without proof that they are in use in production
- Feature requests
- Impacts on test files and configuration files unless stated otherwise in the bug bounty program
- Incorrect data supplied by third party oracles
- Basic economic governance attacks (e.g. 51% attack)
- Lack of liquidity
- Best practice critiques
- Sybil attacks
- Centralization risks