AIP-134: Bug Bounty Program for AIP-21 Updates

Yeah great question. These are bug reports from the whitehat hackers. We’ve reviewed all of them. No submissions have been accepted yet so no payouts have occurred, but we’ll keep the community updated if anything changes!

8 Likes

Great, thanks for the detailed clarification!

4 Likes

I appreciate the updates here.

When you refer to “users,” we are talking about anyone choosing to stake their $APE (and NFT/s if applicable), correct? So there will be a two week window of Mainnet staking prior to the accumulation of $APE rewards, as I understand it.

Is there any incentive, aside from those simply looking to immediately contribute to the smooth functioning of the protocol, for Users to NOT simply start staking their $APE on 12/8, after the Bug Bounty process has concluded?

I’m just hoping to be able to explain this to others as there appears to be a bit of confusion amongst those not engaged in these conversations.

6 Likes

Hey CryptoLogically!

I believe the 2 week window is for people to move funds to their wallets and take their time (I’ve heard this from the Horizen team on Spaces and the YouTube video). Rewards should start from the 12th of December; whether you stake on the 28th of November or the 12th of December, nothing will be different for rewards.

6 Likes

Thanks Moonlyght! Much appreciated.

4 Likes

@austin Hi Austin :wave:, can I ask if any submissions were accepted & if any of these were marked as critical?

Thank you,
-withoutname

5 Likes

Hey good timing - we’re going to post an update from @llama right now.

5 Likes

Hi everyone - the bug bounty program has now been live for over a week. This testnet version will last until the mainnet staking deployment on 11/24. We will then launch a new program for the mainnet staking contract.

So far we’ve received 19 submissions from whitehat hackers:

  • 17 of those submissions are closed and have been determined to not be eligible
  • 1 submission is still under review
  • 1 submission uncovered a medium severity bug in the contract and the hacker is being paid $2,500 in APE. This bug was medium severity because it did not put any user funds at risk. It solely could have been used to delay a user’s withdrawal process (without any benefit to the exploiter).

We’ll post details on all the bugs at the end of the program, but happy to answer any specific questions in the meantime. We’re happy to see that the bounty program worked as intended and is helping ensure stakers have the safest experience possible.

13 Likes

Thanks for updating us @llama @austin :+1::raised_hands:

8 Likes

Hi everyone - we’re now two days away from the end of the testnet bug bounty program. So far we’ve received 24 submissions from whitehat hackers:

  • 21 of those submissions are closed and are not eligible for a reward
  • 2 submissions are still under review
  • 1 submission uncovered a medium severity bug (more details in previous post)

So since the last update we’ve received 5 submissions; 3 of those have been closed and 2 are still under review. Let us know if you have any questions!

10 Likes

Thanks for the update llama!

3 Likes

Thanks for the update, @llama !

One question - do these two submissions under review look OK, or possibly something more critical? Not sure if you can update us about the possible importance of these two during ongoing checks. Just curious.

Thank you,
-withoutname

7 Likes

Neither would be critical and we expect to close both later today or tomorrow but we’re just confirming with additional tests first.

9 Likes

Cool, so let’s :crossed_fingers: :+1:

4 Likes

Good thing we did a big bounty :blush:

6 Likes

Loved learning about this on the @Amplify space on Twitter. Thanks so much for all you guys shared, and look forward to you guys keeping our DAO safe with your bug bounty programs!

3 Likes

We’ve now concluded the testnet bug bounty program. We are in contact with Horizen so we’ll be ready to begin the mainnet program on launch day. All submissions were tested, reproduced, and analyzed closely. We asked detailed questions to participants so we could ensure our decisions were correct. In total, we received 26 submissions during the program:

  • 25 of those submissions were closed and determined to be ineligible for a reward

  • 1 submission uncovered a medium severity bug

The medium severity bug could’ve potentially delayed users’ ability to claim funds. Horizen has already worked on a fix and the auditors are performing a reaudit. Let us know if you have any questions!

10 Likes

Thanks for the information

Thank you for the info!