Bounty Period: 2020.3–2020.6
Bounty Tasks
· Security and soundness of mov protocol (open-source code audit): Vapor mov branch
https://github.com/Bytom/vapor/tree/mov
· Security testing of OFMF cross-chain contract (code audit): for code see Appendix 1
· Server security (black-box testing of node and API security; DDoS attacks are not allowed)
· Security of the mobile client (black-box testing, Android and iOS): Beta Tycoin iOS download address: http://d.6short.com/Tycoin ; Android download address: https://cdn.bytom.io/tycoin/Tycoin.apk
Bounty Instruction
· Security bugs must be newly found and not previously reported
· For the chain code audit, security bugs must be in the Vapor code on GitHub, not in third-party code
· You can look for bugs on the testnet or launch a private chain to look for bugs. Don’t attack the mainnet.
· For black-box testing, please test only against the test server or Tycoin. Don’t attack the officially launched software.
· Employees and contractors of the Vapor project, as well as business partners of the Bytom Foundation and its subsidiaries, cannot participate.
· Publicly disclosing a bug disqualifies you from the bounty
· The Bytom team reserves the right of final decision on qualification, scoring and all matters relevant to rewards
Rewards Details
Bug Rewards
The reward amount is determined by the severity level of the bug
Severity levels of bugs: Severe, High, Middle, Low
Severe bugs, Rewards: 10000–20000 BTM
Severe bugs are those found in the core business system that would cause enormous damage, including but not limited to:
MOV Protocol
1. Double spending or consensus-layer bugs
2. Intentional destruction of other users’ assets
3. DDoS of other full nodes at a small cost at the communication layer
4. Using underlying bugs to manipulate prices without investing money
Wallet Security
1. Private key leak
2. Forged signatures (signing transactions successfully without the private key)
High-level bugs, Rewards: 2000–10000 BTM
MOV Protocol:
1. Gaining control of a server through full nodes
2. Asset-related unauthorized operations or bypassing payment logic (must be demonstrated successfully)
3. Operational and risk-control bugs: potential asset portfolio correlation risk, flaws in the protocol management mechanism, malicious manipulation of free markets, attacks without collateral, and so on
Blockcenter Security
1. Gaining control of a server through the API, or manipulating prices without investment
2. Tampering with transaction information
OFMF Cross-chain Contract Security
1. Using bugs to cause cross-chain asset loss
OFMF Server Security
1. Affecting OFMF cross-chain operation so that the cross-chain logic fails (e.g. a cross-chain transfer to a non-corresponding address)
Middle-level bugs, Rewards: 500–2000 BTM
1. Common unauthorized operations, including but not limited to changing user information and executing user operations while bypassing restrictions
2. Denial-of-service bugs, including but not limited to those that cause denial of service of the web application
3. Leak of locally stored sensitive authentication information (the leaked information must be usable)
Low-level bugs, Rewards: 0–500 BTM
1. Local denial-of-service bugs, including but not limited to local crashes caused by file format or protocol parsing, and problems caused by common application permissions
2. Common information leaks, including but not limited to web path traversal, system path traversal and directory browsing.
Required bug information:
· Description of the bug
· Attack method, e.g. test code, script and a detailed explanation
Bug Submit
Happy hunting
Appendix 1: Contract Code
pragma solidity ^0.4.16;

contract Ownable {
    address public owner;

    /**
     * @dev Throws if called by any account other than the owner.
     */
    modifier onlyOwner() {
        require(msg.sender == owner);
        _;
    }

    /**
     * @dev The Ownable constructor sets the original `owner` of the contract to the sender
     * account.
     */
    function Ownable() public {
        owner = msg.sender;
    }

    /**
     * @dev Allows the current owner to transfer control of the contract to a newOwner.
     * @param newOwner The address to transfer ownership to.
     */
    function transferOwnership(address newOwner) public onlyOwner {
        if (newOwner != address(0)) {
            owner = newOwner;
        }
    }
}

contract Pausable is Ownable {
    bool public paused = false;

    event Pause();
    event Unpause();

    /**
     * @dev Modifier to make a function callable only when the contract is not paused.
     */
    modifier whenNotPaused() {
        require(!paused);
        _;
    }

    /**
     * @dev Modifier to make a function callable only when the contract is paused.
     */
    modifier whenPaused() {
        require(paused);
        _;
    }

    /**
     * @dev called by the owner to pause, triggers stopped state
     */
    function pause() onlyOwner whenNotPaused public {
        paused = true;
        Pause();
    }

    /**
     * @dev called by the owner to unpause, returns to normal state
     */
    function unpause() onlyOwner whenPaused public {
        paused = false;
        Unpause();
    }
}

contract Register is Pausable {
    // Maps an Ethereum address to the Vapor address registered for it.
    mapping(address => string) public registry;

    /**
     * @dev Lets the caller set (or overwrite) the Vapor address mapped to its own
     * Ethereum address; blocked while the contract is paused.
     */
    function addUser(string vaporAddress) public whenNotPaused {
        registry[msg.sender] = vaporAddress;
    }

    /**
     * @dev Lets the owner set the Vapor address mapped to any Ethereum address.
     */
    function OwnerChangeRegistry(address ethAddress, string vaporAddress) public onlyOwner {
        registry[ethAddress] = vaporAddress;
    }

    /**
     * @dev Returns the Vapor address mapped to the given Ethereum address.
     */
    function getVapor(address ethAddress) public constant returns (string) {
        return registry[ethAddress];
    }
}