Perpetual Protocol Bounty Program Review

Perpetual Protocol Team
4 min read · Nov 10, 2023

6 months ago the Perpetual DAO launched a security entity to ensure funding for the ongoing work being done by the team, external auditors and independent security researchers (whitehats).

Bounty Recap

We’ve collected a summary of the Perp v2 bounty program payouts to date: 6 whitehats found 11 issues. Big and small, they are a diverse bunch.

We want to give a special thanks to our incredible community members who are always on the lookout for issues and bugs, and report them asap — we are all safer together! We also give a huge thanks to the security research & whitehat community for finding and reporting bugs, as well as working with us while we improve our bug bounty process. Last but not least, the ImmuneFi team deserves a big shout out for their help with every bounty report and for helping us learn to work better with whitehats.

Front-line Defenses

Post-deployment bounties are one part of a triad of security measures essential to any DeFi protocol, the other two being internal code reviews and external audits. The Perpetual Protocol team puts a lot of effort into finding bugs and vulnerabilities before code goes into production, and has a dedicated team member focusing on security. DEX production code and code updates are also reviewed by external auditors on a regular basis, with close communication between the team and the auditors throughout the process.

Bug Bounty Summaries

Without further ado, on to the bounties!

1. Bad Debt Attack

Source: ImmuneFi
Whitehat: banditx0x
Severity: High
Bounty: $30,000 (Paid Jul-25-2022)
Status: Fixed

Summary: An attacker could use multiple accounts and manipulate contract prices in order to create profit in some accounts and bad debt in others, thereby draining funds from the protocol insurance fund.

2. Liquidation Accounting Bug

Source: ImmuneFi
Whitehat: ChainLight
Severity: Critical
Bounty: $100,000 (Paid Oct-03-2022)
Status: Fixed

Summary: If an attacker set up positions in an illiquid market and was able to intentionally get liquidated, funds could be drained from the protocol due to the liquidation penalty being paid by the insurance fund.

3. Liquidity Mining Wash Trading

Source: Direct
Whitehat: banditx0x
Severity: Medium
Bounty: $10,000 (Paid Sep-06-2022)
Status: Fixed

Summary: An attacker could add liquidity for a very short duration and with high concentration, resulting in outsized rewards with little/no market risk.

4. Order ID Malleability in Maker Liquidations

Source: ImmuneFi
Whitehat: ChainLight
Severity: Low
Bounty: $999 (Paid Aug-02-2022)
Status: Fixed

Summary: A liquidator could remove the wrong maker’s liquidity, assuming the correct order was in the same price range and certain other conditions held.

5. LP Position Value Exploit

Source: ImmuneFi
Whitehat: GothicShanon89238
Severity: Critical
Bounty: $250,000 (Paid Dec-23-2022)
Status: Fixed

Summary: An attacker could use the system’s calculation of account value to leverage highly concentrated liquidity, open positions and create bad debt in such a way that the attacker accounts profit from the debt.

6. DNS Record Exploit

Source: Direct
Whitehat: not public
Severity: Low
Bounty: $1,000 (Paid Feb-14-2023)
Status: Fixed

Summary: An attacker could use stale DNS records to take over domains or pages that had previously been linked to third-party platforms.

7. Bad Debt Attack

Source: ImmuneFi
Whitehat: ChainLight
Severity: Critical
Bounty: $10,000 (Paid Feb-16-2023)
Status: Fixed

Summary: This builds on #1 above, using more precise amounts and timing to circumvent some of the measures implemented to fix the initial vulnerability.

8. Subdomain Exploit

Source: Direct
Whitehat: not public
Severity: Low
Bounty: $1,500 (Paid Apr-05-2023)
Status: Fixed

Summary: An unused subdomain could be taken over, and since some users had previously connected their wallets to it, a variety of phishing attacks were plausible.
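Items 6 and 8 share one root cause: a DNS record kept pointing at a third-party platform after the protocol stopped using it, so the name became claimable by someone else. The routine check that catches this is an inventory of external CNAMEs whose targets no longer resolve. The script below is an added illustration, not Perpetual Protocol's own tooling; the zone lines, the `example-dao.test` domain and the resolution table are constructed so it runs offline, and `live_resolves` is the function you would plug in for a real zone.

```python
"""Audit a DNS zone export for dangling CNAME records (illustrative, not the protocol's code)."""
from __future__ import annotations

import socket
from dataclasses import dataclass
from typing import Callable

# Constructed sample zone export in BIND-style line format; not a real zone.
SAMPLE_ZONE = """\
app.example-dao.test.       300 IN CNAME  app-host.example-hosting.test.
docs.example-dao.test.      300 IN CNAME  retired-docs.example-pages.test.
old-promo.example-dao.test. 300 IN CNAME  gone-site.example-cdn.test.
www.example-dao.test.       300 IN A      192.0.2.10
api.example-dao.test.       300 IN CNAME  app.example-dao.test.
"""

# Constructed stand-in for live DNS: only this target still resolves.
SAMPLE_RESOLVES = {"app-host.example-hosting.test"}


@dataclass(frozen=True)
class CnameRecord:
    name: str
    target: str


def parse_cnames(zone_text: str) -> list[CnameRecord]:
    """Extract CNAME records from a zone export of the form: name ttl class type rdata."""
    records: list[CnameRecord] = []
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[3].upper() == "CNAME":
            records.append(CnameRecord(parts[0].rstrip(".").lower(),
                                       parts[4].rstrip(".").lower()))
    return records


def is_external(target: str, own_domain: str) -> bool:
    """True when the CNAME target lies outside the organisation's own zone."""
    own = own_domain.rstrip(".").lower()
    return not (target == own or target.endswith("." + own))


def live_resolves(host: str) -> bool:
    """Real resolver for production runs; the offline example swaps this out."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def find_dangling(zone_text: str, own_domain: str,
                  resolves: Callable[[str], bool] = live_resolves) -> list[CnameRecord]:
    """Return external CNAMEs whose target no longer resolves: the takeover-prone records."""
    return [r for r in parse_cnames(zone_text)
            if is_external(r.target, own_domain) and not resolves(r.target)]


def audit_sample() -> list[str]:
    """Run the audit over the constructed zone with the constructed resolver."""
    dangling = find_dangling(SAMPLE_ZONE, "example-dao.test",
                             resolves=lambda host: host in SAMPLE_RESOLVES)
    return [f"{r.name} -> {r.target}" for r in dangling]


if __name__ == "__main__":
    for finding in audit_sample():
        print("DANGLING:", finding)
```

Internal CNAMEs such as `api` pointing at `app` are skipped because they cannot be claimed by an outside party. Note the check's blind spot: a target that still resolves but whose hosting account has been deleted on the platform side is also claimable, so a non-resolving target is a sufficient but not a necessary signal, and the inventory of external CNAMEs should be reviewed against the list of platforms actually still in use.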

9. Mark Price Calculation Vulnerability

Source: Direct
Whitehat: Pavel Anokhin
Severity: Medium
Bounty: $5,000 (Paid Mar-31-2023)
Status: Fixed

Summary: A planned update to the mark price calculation would have created a vulnerability to price manipulation, but was caught by a community member between the initial announcement and deployment.

10. Hot Tub Exploits

Source: Direct
Whitehat: Pavel Anokhin
Severity: Medium
Bounty: $5,000
Status: Fixed

Summary: A community member discovered exploits in Hot Tub while the vaults were in testing.

11. LP Fee Distribution Exploit

Source: ImmuneFi
Whitehat: GothicShanon89238
Severity: Critical
Bounty: $250,000 (Paid Sep-18-2023)
Status: Fixed

Summary: An attacker could exploit possible tick synchronization issues between the clearinghouse and underlying Uniswap v3 pools to cause surplus LP fee distribution and drain protocol funds.

As DeFi builders and users, we all owe a debt to the hard work of whitehats from around the globe. We thank the Perpetual Protocol DAO and the community that stands behind it for the continued funding of bug bounties and external audits, and look forward to working to safeguard our mutual security for years to come.