-
Feb 05 2017 - /u/JonnyLatte, the original TokenTraderFactory author, has found a bug in the TokenTraderFactory code when it interacts with the ๐ฆ โ Unicorn token where the natural unit is 1.
Here are the diffs of the fixed bug in in
TokenTraderFactoryandTokenSellerFactory
-
Feb 14 2017 - Bartosz Ocytko has found an overflow condition that allows the GNTTokenTrader, TokenTrader and TokenSeller contracts to exchange the tokens for very little ethers. The conditions for this situation to occur are very very unlikely as it requires:
- the ERC20 token supply to be at least
2^256 - 1 - the Maker creates a TokenTrader or TokenSeller contract with
sellPrice = 2^256 - 1andunits = 1 - the Maker transfers
2^256 - 1tokens to the newly created contract
All the existing GNTTokenTrader, TokenTrader and TokenSeller contracts as listed on the https://cryptoderivatives.market/ site are safe from the overflow bug described above as:
- The are no tokens with supply
2^256 - 1 - If there was a token with supply
2^256 - 1, it is even more unlikely that the Maker would own this whole amount - The GNTTokenTrader, TokenTrader and TokenSeller with
sellPrice = 2^256 - 1will automatically get filtered out from the existing "reasonableness" checks
Following is Ocytko's email detailing the overflow conditions:
For his efforts of pointing out this condition and suggesting a fix, 40 ETH has been awarded to Bartosz. Thanks Bartosz for auditing the contracts and helping keep it safe!
- the ERC20 token supply to be at least
-
Sep 23 2017 - softestcore found a "minor" vulnerability in a separate bug bounty and has been awarded 3 ETH. Details will be included after the upstream owners of the source have been fully informed and have had time to rectify this issue if necessary.
-
Feb 9 2018 - Audit by Oleksii Matiiasevych identified a major bug #5 Incorrect parameter passed to ApproveAndCallFallBack() function and has been awarded 15 ETH.
-
Mar 8 2019 - Rob Hitchens submitted a set of performance and readability improvements to BokkyPooBah's Red-Black Binary Search Tree Library and has been awarded 5 ETH.
-
Mar 14 2019 - Steve Marx found an Incorrect comment on fee refund #1
-
Mar 14 2019 - Alexey Pertsev queried potential malicious behaviour with
approveAndCall(...)resulting in Add warnings toapproveAndCall(...)andreceiveApproval(...)#2. Alexey also provided minor Cosmetics includingaddress payable#3 recommendations.
-
{{Your Name Here?}}
Bok Consulting Pty Ltd is offering a 30 ETH bug bounty across the smart contracts in the following projects, with the scope defined in each project:
- BokkyPooBah's Red-Black Binary Search Tree Library
- BokkyPooBah's Gas-Efficient Solidity DateTime Library
- BokkyPooBah's Token Teleportation Service Smart Contract
- Fixed Supply Token ๐ Contract + Factory
Please DM any submissions to BokkyPooBah @ Reddit or BokkyPooBah @ Twitter.
- Previously submitted or known bugs are not eligible for bounty rewards
- Public disclosure of a vulnerability makes it ineligible for a bounty
- You can deploy the contracts on your private chain for bug hunting. Please respect the Ethereum Mainnet and Testnets and refrain from attacking them
- The value of rewards paid out will depend on the severity of the bugs found. Determinations of this amount is at the sole and final discretion of the Bok Consulting Pty Ltd but we will try to be fair
Any donations to 0xb6dAC2C5A0222f6794265249ACE15568B750c2d1 between the period of Jan to Jun 2019 will be added to this bug bounty program.
If you want to support the development of decentralised applications, please consider donating to the address above.
Alternatively, consider donating to the Decentralised Future Fund multisig at 0xb5fbae0361855617c58EF95a186889f0122e6642 with funds used to promote decentralisation. In 2018, the DFF provided the funds for 10 individuals to attend EdCon 2018, Consensus 2018, the Web3 Summit and Devcon4 conferences.
And the following donations (thanks) are included in this bug bounty:
Enjoy!
(c) BokkyPooBah / Bok Consulting Pty Ltd - Mar 13 2019. The MIT Licence.