Critical Bugs: 100 ETH
for bugs that enable stealing a high amount of user funds or add malicious items to the registry.
Major Bugs: 50 ETH
for bugs that can lock user funds or enable stealing a low but non-negligible amount of user funds or remove legit items from the registry.
Minor Bugs: 5 ETH
for smaller bugs which can still produce a non-negligible amount of harm to users.
Those contracts are already deployed. If you find a bug you can send a bug report to clement@kleros.io. Do not submit a vulnerability there before getting the written agreement that a submission can be done or that your vulnerability has been rejected. This is in order to let us fix potential issues before they go public. Reports made public before we have had time to respond would not result in payment of rewards. In case of dispute about the classification of a bug, Kleros will be used to resolve it.
Generalized Token Curated Registry
The generalized token curated registry is a curated list which can be created by users from a simple graphic interface.
There is a factory to create curated registries.
A requester can request an item to be added by putting a deposit.
If no one complains within the time limit, the item is added and the deposit refunded.
A challenger who believes this item does not belong to this list can pay a deposit; this creates a dispute.
An arbitrator will settle this dispute.
If the arbitrator rules for the submitter, the item will be added and the submitter will get the deposits minus arbitration fees.
If the arbitrator rules for the challenger, the item will be removed and the challenger will get the deposits minus arbitration fees.
There is an appeal mechanism.
There are appeal fees. A deposit must be paid by each side. The deposit of the winning side is reimbursed. The deposit of the losing side is used to pay arbitration fees and to compensate the winning side.
The side currently losing must pay its fees during the first half of the appeal period.
If a side does not pay its fees, it is assumed to have lost the dispute.
Items can be removed through a similar mechanism.
Bounty
Smart Contract Guidelines
We use those guidelines to write smart contracts. In particular, we do not try to prevent stupid behaviors at the contract level but leave this task to the UI. Leaving a user the possibility of harming themselves is not a vulnerability (but should of course be dealt with at the UI level).
Violations of the guidelines are not vulnerabilities but can be reported as "suggestion for tips" (you may get a few PNK for it).
Bounty Rules
If you have any questions, don't hesitate to ask on the slack channel (slack.kleros.io #smart-contract-review) or by sending a mail to clement@kleros.io.
This bounty may be advertised on multiple platforms. Bounties are only awarded to the first person finding the bug irrespective of the platform.
All this code is provided under MIT license and can be reused by other projects. If you do, don't hesitate to inform us and we may list your deployed contracts in the @deployed of the RAB pragma.
Good luck hunting and have fun hunting!
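A reference model of the deposit and appeal-fee rules listed in the registry description above, which a reviewer can use to check that payouts plus fees always equal the deposits taken in. This is an added example, not the Kleros contract code; the function names, integer time units, boundary handling at the period limits, and the rule that the current ruling stands when the losing side does not fund are assumptions.

```python
# Added reference model; names, time units and boundary handling are assumptions.
from enum import Enum

class Side(Enum):
    REQUESTER = "requester"
    CHALLENGER = "challenger"

def opponent(side):
    return Side.CHALLENGER if side is Side.REQUESTER else Side.REQUESTER

def settle_request(now, submitted_at, time_limit, deposit, challenged):
    """Unchallenged path: once the time limit has passed, add the item and refund."""
    if challenged or now - submitted_at <= time_limit:
        return None  # still pending, or has to be settled through a dispute
    return {"item_added": True, "refund": deposit}

def settle_dispute(winner, requester_deposit, challenger_deposit, arbitration_fee):
    """The winner receives both deposits minus arbitration fees."""
    pot = requester_deposit + challenger_deposit
    if arbitration_fee > pot:
        raise ValueError("deposits do not cover the arbitration fee")
    return {"item_added": winner is Side.REQUESTER,  # challenger win: not listed
            "payout": {winner: pot - arbitration_fee, opponent(winner): 0},
            "to_arbitrator": arbitration_fee}

def appeal_funding_result(current_winner, paid_at, start, end):
    """paid_at maps Side -> time its appeal fee was paid (absent = never paid).
    Returns (appeal_goes_ahead, side_treated_as_winner_if_not)."""
    loser = opponent(current_winner)
    half = start + (end - start) // 2
    t_loser, t_winner = paid_at.get(loser), paid_at.get(current_winner)
    loser_ok = t_loser is not None and start <= t_loser < half  # first half only
    winner_ok = t_winner is not None and start <= t_winner < end
    if not loser_ok:
        return (False, current_winner)  # assumption: the current ruling stands
    if not winner_ok:
        return (False, loser)           # unfunded side is assumed to have lost
    return (True, None)                 # both funded: the dispute is appealed

def settle_appeal_deposits(winner, deposits, appeal_fee):
    """Winner's deposit is reimbursed; the loser's pays the fee, rest to the winner."""
    loser = opponent(winner)
    if deposits[loser] < appeal_fee:
        raise ValueError("losing deposit does not cover the appeal fee")
    return {"payout": {winner: deposits[winner] + deposits[loser] - appeal_fee,
                       loser: 0},
            "to_arbitrator": appeal_fee}
```

In each settlement the sum of the payouts and `to_arbitrator` equals the sum of the deposits, which is the conservation property to compare against the deployed contracts' behaviour.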
clesaege changed the title from "[Bug Bounty: up to 25 ETH] Generalized Token Curated Registry" to "[Bug Bounty: up to 100 ETH] Generalized Token Curated Registry" on Jun 3, 2020
Generalized Token Curated Registry Bounties
This is a bug bounty on the generalized token curated registry contract and its factory contract.
Bugs are rewarded up to 100 ETH according to this classification:
for bugs that enable stealing a high amount of user funds or add malicious items to the registry.
for bugs that can lock user funds or enable stealing a low but non-negligible amount of user funds or remove legit items from the registry.
for smaller bugs which can still produce a non-negligible amount of harm to users.