NOCUST Smart Contracts Bug Bounty

We believe that no technology is perfect, and working with skilled security researchers is crucial in identifying weaknesses in our technology. As such, a bug bounty for Liquidity Network’s NOCUST smart contracts is now live to encourage hackers to find smart contract vulnerabilities.

Rewards

Findings will be scored based on the impact and the cost of executing the attack:

Major – Reward: $1,000 – $10,000

  • Double spending
  • Protocol design flaws
  • Critical smart-contract vulnerabilities that allow all funds to be stolen

Medium – Reward: $500 – $1,000

  • Denial of service
  • Halting the Commit-chain
  • Locking other users' funds / blocking withdrawals

Low – Reward: $100 – $500

  • Degradation of user experience
  • Unexpected smart-contract behaviour not necessarily leading to a critical vulnerability

Prizes will be awarded at the sole discretion of Liquidity Network. Quality of the report and reproduction instructions can impact the prize. Rewards will be paid out in LQD or ETH.

For this initial bug bounty program, there is a maximum bounty pool of $20,000.

The bug bounty program will run for a minimum of three months, starting May 27, 2019.

Reporting

To report a vulnerability, please write an email to contact@liquidity.network with [BUG BOUNTY] in the subject of the email.

Please include a detailed report on the vulnerability with clear reproduction steps. The quality of the report can impact the reward amount.

  • A good description of the bug
  • A description of the attack scenario
  • The impact of this scenario
  • Any other necessary components (code, tools, accounts, etc.)
  • Any other details that might be helpful
  • A potential resolution or fix. Giving examples is always beneficial!

We will make our best effort to reply promptly and provide a timeline for resolution.

Scope

The scope for the bug bounty is within the NOCUST smart contract.

https://github.com/liquidity-network/nocust-contracts-solidity

Resources

Liquidity Network Client Library: https://docs.liquidity.network/

NOCUST paper: https://eprint.iacr.org/2018/642.pdf

For any questions, feel free to ask in the Liquidity Developer Telegram group: https://t.me/liquiditydevelopers

Eligibility

Only unknown vulnerabilities will be awarded a bounty; in case of duplicate reports, the first submitted one will get the prize.

Public disclosure of the vulnerability before explicit consent from Liquidity Network will make the vulnerability ineligible for a reward.

DISCLAIMER: Timelines and roadmap details mentioned are subject to change. Please look for our official communications on liquidity.network and subscribe to our update emails. There is a lag on uploads. This message is not an endorsement or recommendation for Liquidity Network, any cryptocurrency, or investment product. Neither the information nor any opinion contained in this message constitutes a solicitation or offer by the creators or participants to buy or sell any securities or other financial instruments or provide any investment advice or service.
