Bug bounty programs allow developers to discover vulnerabilities in their applications by rewarding hackers that finds them. They are mostly held in the Web2 space, and, thus, rarely provide any form of payment guarantee to whitehats. As a result, developers are able to unfairly underpay whitehats, or even refuse to pay them.
To solve this issue, we have developed BugLess—a trustless bug bounty platform powered by Cartesi Rollups. Running inside a deterministic RISC-V machine that boots Linux, BugLess accepts applications written in any major programming language1. Through a friendly web interface, anyone can submit applications, and sponsor them with Ether to incentivize hackers! All major wallets are supported2. Meanwhile, hackers can test their exploits right on the browser, without even having to sign Web3 transactions! Once the hacker finds a valid exploit, they can finally send a transaction requesting the reward to be transferred to their account. If, however, no one is able to submit a valid exploit until a certain deadline, the sponsors may request a refund.
- Dependencies
- Presentation
- Back-end
- Building bounties
- Tests
- CLI
- Populating DApp
- Front-end
- Future Work
For your purposes, not all dependencies may be required. To help you figure out which dependencies you actually need, here is a table of dependencies for each part of the code base.
| Dependency | Presentation | Back-end | Examples | Tests | Populate | CLI | Front-end |
|---|---|---|---|---|---|---|---|
docker |
☑️ | ☑️ | ☑️ | ||||
go |
☑️ | ☑️ | ☑️ | ||||
jq |
☑️ | ||||||
lua |
☑️ | ||||||
npm |
☑️ | ||||||
sunodo |
☑️ | ☑️ | |||||
tar |
☑️ | ||||||
wget |
☑️ | ☑️ |
For more info about the project, check out the slides. To build the slides, run the following command:
make slides
make sunodo-sdk-image
sunodo buildsunodo run
Before testing, you need to compile bounties binaries.
make bountiesThe following bounties will be compiled and can be used for testing:
./tests/bounties/busybox-bounty/busybox-1.36.1-bounty_riscv64.tar.xz
./tests/bounties/lua-bounty/lua-5.4.3-bounty_riscv64.tar.xz
./tests/bounties/lua-bounty/lua-5.4.6-bounty_riscv64.tar.xz
./tests/bounties/sqlite-bounty/sqlite-3.32.2-bounty_riscv64.tar.xz
./tests/bounties/sqlite-bounty/sqlite-3.43.2-bounty_riscv64.tar.xz
Along with following exploits:
./tests/bounties/busybox-bounty/exploit-busybox-1.36.1.sh
./tests/bounties/lua-bounty/exploit-lua-5.4.3.lua
./tests/bounties/sqlite-bounty/exploit-sqlite-3.32.2.sql
Before running tests, make sure you built the image and bounties, you can build them with make all.
make testTo interact with the contract, you may use the BugLess CLI. For all the options, run the command below.
go run ./cli helpgo run ./cli statego run ./cli send dapp-addressgo run ./cli send bounty \
-n "Lua Bounty" \
-d "Description of Lua bounty" \
-c ./tests/bounties/lua-bounty/lua-5.4.3-bounty_riscv64.tar.xzgo run ./cli send sponsor -b 0 -n "Sponsor Name" -v 0.05go run ./cli send exploit \
-b 0 \
-n "Hacker Name" \
-e ./tests/bounties/lua-bounty/exploit-lua-5.4.3.luago run ./cli send withdraw -b 0go run ./cli test \
-b 0 \
-e ./tests/bounties/lua-bounty/exploit-lua-5.4.3.luaRun the following command to fill up the DApp with test data.
make populateTo run the frontend, execute the commands below.
cd frontend
npm install
npm run devOpen http://localhost:3000 in your browser.
The initial version of this project was developed in one week for the ETHOnline 2023 hackathon. During this one week, we had to design and implement a project from scratch. With this very tight schedule, some of the features were left out for later implementation. Below are some of those features.
- Support ENS
- Support other types of assets (ERC-20, ERC-721, and ERC-1155)
- Support syntax highlight on code blocks
- Add optional one-time setup phase for applications
- Add option to download bounty bundle
- Sandbox applications with Hypervisor