SocketSurge Wave 1 Details

General Rules

  • Participants must register and join our Github gated WarRoom and earn a SurgePass before submitting bugs for SurgePoints.
  • We will also be airdropping a SurgePass NFT to people in the blockchain security community with obvious security bonafides.
  • The SurgePoints awarded per item will be as follows:
    • Report a low severity vulnerability - 150 points
    • Report a medium severity vulnerability - 600 points
    • Report a high severity vulnerability - 2500 points
    • Exploit a LootBox - 3000 points
  • Credit will be given only to the first address to report a given bug. We will use an on-chain submission mechanism to establish ordering.
  • The SocketSentinels roles ranking conferred at the end of Surge wave 1 will be a function of the SurgePoints you earned, with the breakdown as follows:
    • Paladin - top 5% of SurgePoints
    • Defender - top 25% of SurgePoints
    • Sentry - at least 600 SurgePoints
  • We will host and update a Leaderboard throughout the Surge with the top scorers, to go live on May 1
  • SocketSurge Wave 1 will run from 13:30 UTC on Monday, May 1st until 23:59 UTC on Wednesday May 31st, subject to change in the event of a protocol upgrade needed (we’ll communicate any changes publicly). All submissions for SurgePoints need to take place during that time.
  • After Wave 1 is complete, we will open up the claim site for qualifying participants to mint their SocketSentinels avatar NFT and join the token-gated Discord channels.

Easter Egg Submission & minting SurgePass

On Monday, the Easter Egg contract will go live on Optimism (address will be updated here and announced in the WarRoom Discord on Monday). You will be able to use the claimFunction when the internal state of the protocol and our deployed smart contracts reaches a valid “Easter Egg” state. If valid, we will automatically mint you your SurgePass NFT in that same transaction.

Submitting a bug and claiming credit for breaking a Lootbox

On Monday, the ability to report a bug on-chain will also go live (address will be updated here on Monday) for all SurgePass NFT holders, allowing you to submit evidence of your bug by transacting with our submitBugFor contract with your submitter address, a string for the IPFS link and a string for the Github link, as outlined in our bug submission formatting requirements below. We use the on-chain system to establish the ordering of who submitted any particular bug first.

Lootboxes are implemented as a vault holding some amount of USDC on one chain and a SocketDL “Plug” smart contract on other chains which has access to “0” of the USDC in the vault. Compromising the SocketDL protocol would allow you to mutate this message, granting yourself the right to withdraw arbitrary USDC and thereby breaking the Lootbox. Any USDC you are able to “Loot” in this way is yours to keep. To report the exploit for purposes of SurgePoints, you submit it just like any other bug, but you do not need to include the IPFS and Github links.
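To make the on-chain submission and ordering mechanism concrete, here is an added, illustrative Solidity contract; it is not Socket's deployed submitBugFor contract, and everything in it is an assumption: the contract and function names (BugSubmissionRegistry, submitBugFor, submitLootboxExploit), gating on SurgePass ownership via the ERC-721 balanceOf call, and the use of an append-only array index as the ordering record.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Minimal ERC-721 view interface, enough to gate on SurgePass ownership.
/// (Assumed: the real SurgePass is treated here as a standard ERC-721.)
interface IERC721 {
    function balanceOf(address owner) external view returns (uint256);
}

/// Hypothetical SurgePass-gated submission registry (illustrative, not Socket's code).
/// Every accepted call is appended to `submissions`; the array index follows
/// transaction order within and across blocks, so reviewers can later determine
/// which address reported a given bug first.
contract BugSubmissionRegistry {
    struct Submission {
        address submitter;
        string ipfsLink;    // evidence bundle; empty for Lootbox claims
        string githubLink;  // write-up repository; empty for Lootbox claims
        uint64 blockNumber; // block in which the submission was mined
    }

    IERC721 public immutable surgePass;
    Submission[] public submissions;

    event BugSubmitted(
        uint256 indexed id,
        address indexed submitter,
        string ipfsLink,
        string githubLink,
        uint256 blockNumber
    );

    error NotSurgePassHolder(address caller);
    error SubmitterMismatch(address submitter, address caller);
    error EmptyEvidence();

    constructor(IERC721 surgePass_) {
        surgePass = surgePass_;
    }

    /// Only addresses holding at least one SurgePass may submit.
    modifier onlyPassHolder() {
        if (surgePass.balanceOf(msg.sender) == 0) revert NotSurgePassHolder(msg.sender);
        _;
    }

    /// Record a bug report: submitter address plus IPFS and Github link strings.
    /// The submitter must be the caller, so nobody can register a report on
    /// someone else's behalf (or ahead of them) by passing their address.
    function submitBugFor(
        address submitter,
        string calldata ipfsLink,
        string calldata githubLink
    ) external onlyPassHolder returns (uint256 id) {
        if (submitter != msg.sender) revert SubmitterMismatch(submitter, msg.sender);
        if (bytes(ipfsLink).length == 0 || bytes(githubLink).length == 0) revert EmptyEvidence();
        id = _record(ipfsLink, githubLink);
    }

    /// Lootbox claim: no links required, since the on-chain USDC movement is the evidence.
    function submitLootboxExploit() external onlyPassHolder returns (uint256 id) {
        id = _record("", "");
    }

    function _record(string memory ipfsLink, string memory githubLink) internal returns (uint256 id) {
        id = submissions.length;
        submissions.push(Submission(msg.sender, ipfsLink, githubLink, uint64(block.number)));
        emit BugSubmitted(id, msg.sender, ipfsLink, githubLink, block.number);
    }

    /// Number of submissions recorded so far.
    function count() external view returns (uint256) {
        return submissions.length;
    }
}
```

Two design points worth noting for a registry of this shape. First, the ordering it records is transaction order, not "same bug" detection; deciding that two submissions describe the same vulnerability remains a manual review step, as the page describes. Second, link strings posted in calldata are public the moment the transaction is mined, so if early disclosure of the evidence is a concern, a program can have reporters post a hash commitment first and reveal the links afterwards; this example keeps the plaintext-link form the page describes.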

{Insert sample bug submission data here?}

We will then manually review these submissions and notify you privately via email and in the Socket WarRoom Discord if you have been awarded points for your submission.

Bug severity guidelines that we will use internally to award points (not exhaustive)

  • High
    • Message getting corrupted during transit
    • Packet getting corrupted during transit
    • Decapacitor unable to validate message
    • Double-Spending or Double Execution of same message
    • Unauthorised Access
    • Unintended permanent freezing of the contracts
    • Cryptographic flaws
    • Contracts spoofing each other
  • Medium
    • Smart contract unable to operate
    • Damage to users/protocol due to griefing
    • Unbounded gas consumption
  • Low
    • Underpricing message fees relative to execution fees
    • Contract fails to deliver what was promised, but no one's security is affected
    • Requires stars to align for this vulnerability to be exploited
    • Doesn’t lead to any gain for any party

Disputing our bug review

  • If you feel that you have submitted a valid bug that we have not recognized, or you do not agree with the severity level we assigned to the bug, you have the opportunity to put up a $1000 refundable deposit and we will have our panel of 3 independent arbiters review the decision. If we amend the decision, you get your deposit back.