bancorprotocol / contracts-solidity

Bancor Protocol Contracts

Bancor V2 Bug Bounty - Up to $54K in awards

yudilevi opened this issue · comments

  • As the launch of version 2 of the Bancor Protocol approaches, we are announcing the Bancor V2 Bug Bounty.
  • This public bounty program supports the ongoing professional audits and formal verification of Bancor V2 contracts.
  • Awards for bugs discovered in the first two weeks of this program (July 16-July 30, 2020) will receive a 20% bonus.

Submit a report to: bugbounty@bancor.network.
Join the Bancor Developers Telegram Channel: https://t.me/bancordevelopers
TestNet deployments of the Bancor Ropsten contracts will be deployed in the coming days.

Scope

The Bancor V2 Bug Bounty is limited to vulnerabilities affecting the Bancor Protocol smart contracts in this repository.

The following are not within the scope of the bounty program:

  • Bugs in any third party contract or platform that interacts with Bancor V2
  • Any previously reported or known bugs
  • Vulnerabilities already reported and/or discovered in contracts built by third parties on Bancor V2

Rewards

The severity of bugs will be assessed under the CVSS Risk Rating.

Awards for bugs discovered July 16–30 2020:

  • Critical (9.0–10.0): Up to $54,000
  • High (7.0–8.9): Up to $14,400
  • Medium (4.0–6.9): Up to $4,800
  • Low (0.1–3.9): Up to $1,800

Awards for bugs discovered after 12:00AM GMT July 30 2020:

  • Critical (9.0–10.0): Up to $45,000
  • High (7.0–8.9): Up to $12,000
  • Medium (4.0–6.9): Up to $4,000
  • Low (0.1–3.9): Up to $1,500

Rewards will be determined based on the impact of the discovered vulnerability as well as the level of difficulty in reproducing the vulnerability.

Disclosure Requirements

Any vulnerability or bug discovered must be reported only to the following email: bugbounty@bancor.network. The bug must not be disclosed publicly or to any other person, entity or email address other than bugbounty@bancor.network.

Please include as much detail about the vulnerability as possible including:

  • Conditions on which reproducing the bug is contingent.
  • Steps needed to reproduce the bug or, preferably, a proof of concept.
  • Implications of the vulnerability being abused.

Any bug reporter who reports a previously unreported bug that results in a change to the code or a configuration change and who keeps the vulnerability confidential until it has been resolved by our engineers will be recognized publicly for their contribution, if agreed.

Eligibility

To be eligible for a reward in the Bancor V2 Bug Bounty, you must:

  • Discover a previously unreported, non-public vulnerability that would result in a loss of or a lock of any token on Bancor V2 (but not on any third party platform interacting with Bancor V2) and that is within the Scope mentioned above.
  • Be the first to disclose the unique vulnerability to bugbounty@bancor.network, in compliance with the Disclosure Requirements above.
  • Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.
  • Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under the Bug Bounty).
  • Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of Bancor V2.
  • Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under the bounty program.
  • Not be one of our current or former employees, vendors, or contractors or an employee of any of those vendors or contractors.

Other Terms

All reward decisions, including eligibility for and amounts of the rewards and the manner in which such rewards will be paid, are made at our sole discretion.
The terms and conditions of the Bancor V2 Bug Bounty may be altered at any time.

Issue Status: 1. Open 2. Started 3. Submitted 4. Done


This issue now has a funding of 0.001 BNT attached to it as part of the adambancor fund.

Work has been started.

These users each claimed they can complete the work by 1 year, 7 months ago.
Please review their action plans below:

1) lotfy2 has started work.

I will try to do my best to test the Bancor V2
2) lotfy2 has started work.

I will try to do my best to test the Bancor V2
3) thomas191919 has started work.

I will try to do my best to test bancor V2
4) jnuno98 has started work.

Will analyse the code with a formal methods point of view and start discovering bugs

Learn more on the Gitcoin Issue Details page.