AIP-134: Bug Bounty Program for AIP-21 Updates

austin · November 13, 2022, 10:59pm

Yeah great question. These are bug reports from the whitehat hackers. We’ve reviewed all of them. No submissions have been accepted yet so no payouts have occurred, but we’ll keep the community updated if anything changes!

Vulkan · November 13, 2022, 11:12pm

Great, thanks for the detailed clarification!

CryptoLogically · November 15, 2022, 6:38pm

I appreciate the updates here.

When you refer to “users,” we are talking about anyone choosing to stake their $APE (and NFT/s if applicable), correct? So there will be a two week window of Mainnet staking prior to the accumulation of $APE rewards, as I understand it.

Is there any incentive, aside from those simply looking to immediately contribute to the smooth functioning of the protocol, for Users to NOT simply start staking their $APE on 12/8, after the Bug Bounty process has concluded?

I’m just hoping to be able to explain this to others as there appears to be a bit of confusion amongst those not engaged in these conversations.

Moonlyght · November 15, 2022, 8:03pm

Hey CryptoLogically!

I believe the 2 week window is for people to move funds to their wallets and take their time (I’ve heard this from the Horizen team on Spaces and the Youtube video), rewards should start from the 12th of December, whether you stake on the 28th of November or the 12th of December nothing will be different for rewards.

CryptoLogically · November 15, 2022, 8:06pm

Thanks Moonlyght! Much appreciated.

withoutname · November 18, 2022, 7:20am

@austin Hi Austin , can I ask if any submissions was accepted & if any of these was marked as critical?

Thank you,
-withoutname

austin · November 18, 2022, 4:54pm

Hey good timing - we’re going to post an update from @llama right now.

llama · November 18, 2022, 5:05pm

Hi everyone - the bug bounty program has now been live for over a week. This testnet version will last until the mainnet staking deployment on 11/24. We will then launch a new program for the mainnet staking contract.

So far we’ve received 19 submissions from whitehat hackers:

17 of those submissions are closed and have been determined to not be eligible
1 submission is still under review
1 submission uncovered a medium severity bug in the contract and the hacker is being paid $2,500 in APE. This bug was medium severity because it did not put any user funds at risk. It solely could have been used to delay a user’s withdrawal process (without any benefit to the exploiter).

We’ll post details on all the bugs at the end of the program, but happy to answer any specific questions in the meantime. We’re happy to see that the bounty program worked as intended and is helping ensure stakers have the safest experience possible.

withoutname · November 18, 2022, 5:24pm

Thanks for updating us @llama @austin

llama · November 22, 2022, 4:24pm

Hi everyone - we’re now two days away from the end of the testnet bug bounty program. So far we’ve received 24 submissions from whitehat hackers:

21 of those submissions are closed and are not eligible for a reward
2 submissions are still under review
1 submission uncovered a medium severity bug (more details in previous post)

So since the last update we’ve received 5 submissions, 3 of those have been closed and 2 are still under review. Let us know if you have any questions!

Moonlyght · November 22, 2022, 4:53pm

Thanks for the update llama!

withoutname · November 22, 2022, 4:55pm

Thanks for the update, @llama !

One question - this two submission under review looks ok or possibly something more critical? Not sure if you can update us about the possible importance of these two during ongoing checks. Just curious.

Thank you,
-withoutname

llama · November 22, 2022, 5:50pm

Neither would be critical and we expect to close both later today or tomorrow but we’re just confirming with additional tests first.

withoutname · November 22, 2022, 7:09pm

Cool, so lets

Koko · November 22, 2022, 7:29pm

Good thing we did a big bounty

AaronLeupp.eth · November 23, 2022, 9:09am

Loved learning about this on the @Amplify space on twitter thanks for much for all you guys shared and look forward to you guys keeping our DAO safe with your bug bounty programs!

llama · November 25, 2022, 4:27pm

We’ve now concluded the testnet bug bounty program. We are in contact with Horizen so we’ll be ready to begin the mainnet program on launch day. All submissions were tested, reproduced, and analyzed closely. We asked detailed questions to participants so we could ensure our decisions were correct. In total, we received 26 submissions during the program:

25 of those submissions were closed and determined to be ineligible for a reward
1 submission uncovered a medium severity bug

The medium severity bug could’ve potentially delayed users ability to claim funds. Horizen has already worked on a fix and the auditors are performing a reaudit. Let us know if you have any questions!

dyorjdr · November 25, 2022, 5:20pm

Thanks for informations

Mcdo · November 27, 2022, 8:33am

Thank you for the info!

llama · December 7, 2022, 1:15am

As I’m sure most of you saw, the staking contract was deployed yesterday! We’re going to launch the mainnet version of the bug bounty program shortly.

I’ll post here once that’s live. As always, let us know if you have any questions.