General Rules
- Participants must register and join our GitHub-gated WarRoom and earn a SurgePass before submitting bugs for SurgePoints.
- The Socket core team reserves the right to elect SocketSentinels. The SocketSurge Wave 1 program may be augmented by additional initiatives or manual selection of SocketSentinels, should the Socket core team see fit, until such time as a governance structure is instantiated for the protocol.
- We will also be airdropping a SurgePass NFT to people in the blockchain security community with obvious security bona fides.
- The SurgePoints awarded per item will be as follows:
  - Report a low severity vulnerability - 150 points
  - Report a medium severity vulnerability - 600 points
  - Report a high severity vulnerability - 2500 points
  - Exploit a LootBox - 3000 points
- Credit will be given only to the first address to report a given bug. We will use an onchain submission mechanism to establish ordering.
- The SocketSentinels roles ranking conferred at the end of Surge wave 1 will be a function of the SurgePoints you earned, with the breakdown as follows:
  - Paladin - top 5% of SurgePoints
  - Defender - top 25% of SurgePoints
  - Sentry - at least 600 SurgePoints
- We will host and update a Leaderboard of the top scorers throughout the Surge, to go live on May 1.
- SocketSurge Wave 1 will run from 13:30 UTC on Monday, May 1st until 23:59 UTC on Wednesday, May 31st, subject to change if a protocol upgrade is needed (we’ll communicate any changes publicly). All submissions for SurgePoints need to take place during that time.
- After Wave 1 is complete, we will open up the claim site for qualifying participants to mint their SocketSentinels avatar NFT and join the token-gated Discord channels.
Easter Egg Submission & minting SurgePass
On Monday, the Easter Egg contract will go live on Optimism (address will be updated here and announced in the WarRoom Discord on Monday). You will be able to use the claimFunction when the internal state of the protocol and our deployed smart contracts reaches a valid “Easter Egg” state. If valid, we will automatically mint you your SurgePass NFT in that same transaction.
Submitting a bug and claiming credit for breaking a Lootbox
On Monday, the ability to report a bug on-chain will also go live (address will be updated here on Monday) for all SurgePass NFT holders, allowing you to submit evidence of your bug by transacting with our submitBugFor contract with your submitter address, a string for the IPFS link and a string for the GitHub link, as outlined in our bug submission formatting requirements below. We use the on-chain system to establish the ordering of who submitted any particular bug first.
Lootboxes are implemented as a vault of some amount of USDC on one chain and a SocketDL “Plug” smart contract on other chains which have access to “0” of the USDC in the vault. Compromising the SocketDL protocol would allow you to mutate this message, granting yourself the right to withdraw arbitrary USDC, thereby breaking the Lootbox. Any USDC you are able to “Loot” in this way is yours to keep. To report your achievement for purposes of SurgePoints, submit it just like any other bug, except that for an exploited Lootbox you do not need to include the IPFS and GitHub links.
We will then manually review these submissions and notify you privately via email and in the Socket WarRoom Discord if you have been awarded points for your submission.