Immunefi
Immunefi
Back to Explore
IOP | ThunderNFT-logo

IOP | ThunderNFT

|

ThunderNFT's Invite-Only Program is a form of Boost which is exclusively accessible to a select group of security researchers who have submitted at least 1 valid report during Fuel Attackathon event. These researchers will share a flat reward pool for every valid bug found.

Fuel Network
Sway

Evaluating

10d: 13h remaining
Max Bounty
$65,000
Rewards Pool
$65,000
Vault TVL
To be determined
Started
12 August 2024
Ended
02 September 2024
Rewards Token
USDC
nSLOC
1,806

  • Triaged by Immunefi

  • PoC required

InformationScopeResources

Resources & Documentation

ThunderNFT’s up to date codebase can be found at https://github.com/ThunderFuel/smart-contracts/tree/main/contracts-v1.

Whitehat Educational Resources & Technical Info

Is this an upgrade of an existing system? If so, which? And what are the main differences?

The system takes reference from LooksRare v.1. Kinda an upgrade. Not an exact fork, the architecture logic is a fork. ~50% of it is a fork. Only borrows from LooksRare.

The big differences are the onchain part, listing/bidding/making offers/etc are all onchain, for LooksRare this is offchain. There is no wETH. Instead it implements a pool similar to Blur.

NFTs on Fuel are native assets on Fuel. Unlike on other marketplaces, NFTs need to be deposited into smart contracts.

Where do you suspect there may be bugs? Useful aspects of this question are:

  • Which parts of the code are you most concerned about?
  • What attack vectors are you most concerned about?
  • Which part(s) of the system do you want whitehats to attempt to break the most?
  • Are there any assumed invariants that you want whitehats to attempt to break?

Bugs related to when users need to deposit NFTs into the smart contracts. This is new and could have bugs because of its newness.

There could be a bug related to the distribution of royalties in the Royalty Manager contract.

Mostly concerned about an attack vector in Pool contract where users deposit ETH for bidding. And also, most concerned about Thunder Exchange contract where users deposit their NFTs into this contract for listing.

What monitoring systems may you want to use as a reason to invalidate or downgrade an otherwise valid bug report?

No, ThunderNFT doesn’t rely solely on monitoring, they want to reward bugs for being solved.

What external dependencies are there?

Sway libraries & standards

Are there any unusual points about your protocol that may confuse whitehats?

Sway language. NFTs as a native assets like ETH. More information on this: https://docs.fuel.network/docs/sway/blockchain-development/native_assets/ Every action on the marketplace is onchain such as listing, offer, cancel listing/offer, etc. which is different from other marketplaces like OpenSea or LooksRare Fuel Scripts that execute order-book listings & transactions, which bundle many txs into one. Resource on Fuel Scripts: https://docs.fuel.network/docs/sway/sway-program-types/scripts/

What is the test suite setup information?

https://docs.fuel.network/docs/sway/testing/

Public Disclosure of Known Issues

Bug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk.

  • In the Thunder Exchange contract, cancel_order function does not revert if the order already cancelled.
  • MakerOrder (an order used for listing/offer) has an expiration range. It may lead to stuck of deposited NFTs. Anything related to expiration of a MakerOrder (e.g. start_time, end_time, setter functions) will be removed later on. All associated reports will be considered as out-of-scope.
  • Contracts outside of the Thunder Exchange cannot interact with the platform’s contract for listing, purchaing, etc. Only Addresses can.
  • withdraw_all function in the pool contract may revert/break. Will be removed. All associated reports will be considered as out-of-scope.

Previous Audits

ThunderNFT did not have any audits to this date.

Asset Accuracy Assurance

Bugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.

Private Known Issues Reward Policy

Private known issues, meaning known issues that were not publicly disclosed, are valid for a reward.

Known Issue Assurance

ThunderNFT commits to providing Known Issue Assurance to bug submissions through their program. This means that ThunderNFT will either disclose known issues publicly, or at the very least, privately via a self-reported bug submission.

In a potential scenario of a mediation, this allows for a more objective and streamlined process, in order to prove that an issue is known. Otherwise, assuming the bug report is valid, it would result in the report being considered as in-scope, and due a reward.

Primacy of Impact vs Primacy of Rules

ThunderNFT adheres to the Primacy of Impact for all impacts.

Primacy of Impact means that the impact is prioritized rather than a specific asset. This encourages security researchers to report on all bugs with an in-scope impact, even if the affected assets are not in scope. For more information, please see Best Practices: Primacy of Impact.

When submitting a report on Immunefi’s dashboard, the security researcher should select the Primacy of Impact asset placeholder. If the team behind this project has multiple programs, those other programs are not covered under Primacy of Impact for this program. Instead, check if those other projects have a bug bounty program on Immunefi.

If the project has any testnet and/or mock files, those will not be covered under Primacy of Impact.

All other impacts are considered under the Primacy of Rules, which means that they are bound by the terms and conditions set within this program

Details
Resources