[Bug Bounty: up to 100 ETH] Generalized Token Curated Registry #20

Open
clesaege opened this issue Mar 16, 2020 · 0 comments

clesaege commented Mar 16, 2020

Generalized Token Curated Registry Bounties

This is a bug bounty on the generalized token curated registry contract and its factory contract.
Bugs are rewarded up to 100 ETH according to this classification:

  • Critical Bugs: 100 ETH
    for bugs that enable stealing a high amount of user funds or add malicious items to the registry.
  • Major Bugs: 50 ETH
    for bugs that can lock user funds or enable stealing a low but non-negligible amount of user funds or remove legit items from the registry.
  • Minor Bugs: 5 ETH
    for smaller bugs which can still produce a non-negligible amount of harm to users.

Those contracts are already deployed. If you find a bug you can send a bug report to clement@kleros.io. Do not submit a vulnerability there before getting the written agreement that a submission can be done or that your vulnerability has been rejected. This is in order to let us fix potential issues before they go public. Reports made public before we have had time to respond would not result in payment of rewards. In case of dispute about the classification of a bug, Kleros will be used to resolve it.

Generalized Token Curated Registry

The generalized token curated registry is a curated list which can be created by users from a simple graphic interface.

  • There is a factory to create curated registries.
  • A requester can request an item to be added by putting a deposit.
  • If no one complains within the time limit, the item is added and the deposit refunded.
  • A challenger who believes this item does not belong to this list can pay a deposit; this creates a dispute.
  • An arbitrator will settle this dispute.
    • If the arbitrator rules for the submitter, the item will be added and the submitter will get the deposits minus arbitration fees.
    • If the arbitrator rules for the challenger, the item will be removed and the challenger will get the deposits minus arbitration fees.
  • There is an appeal mechanism.
    • There are appeal fees. A deposit must be paid by each side. The deposit of the winning side is reimbursed. The deposit of the losing side is used to pay arbitration fees and to compensate the winning side.
    • The side currently losing must pay its fees during the first half of the appeal period.
    • If a side does not pay its fees, it is assumed to have lost the dispute.
  • Items can be removed through a similar mechanism.

Bounty

Smart Contract Guidelines

We use those guidelines to write smart contracts. In particular, we do not try to prevent stupid behaviors at the contract level but leave this task to the UI. Leaving a user the possibility to harm themselves is not a vulnerability (but should of course be dealt with at the UI level).

Violations of guidelines are not vulnerabilities but can be reported as "suggestion for tips" (you may get a few PNK for it).

Bounty Rules

  • If you have any questions, don't hesitate to ask on the Slack channel (slack.kleros.io #smart-contract-review) or by sending a mail to clement@kleros.io.
  • This bounty may be advertised on multiple platforms. Bounties are only awarded to the first person finding the bug irrespective of the platform.
  • All this code is provided under MIT license and can be reused by other projects. If you do, don't hesitate to inform us and we may list your deployed contracts in the @deployed of the RAB pragma.
  • Good luck hunting and have fun hunting!

clesaege added the Bounty 💰 label Mar 16, 2020
clesaege changed the title from "[Bug Bounty: up to 25 ETH] Generalized Token Curated Registry" to "[Bug Bounty: up to 100 ETH] Generalized Token Curated Registry" Jun 3, 2020