We believe that no technology is perfect, and working with skilled security researchers is crucial in identifying weaknesses in our technology. As such, a bug bounty for Liquidity Network’s NOCUST smart contracts is now live to encourage hackers to find smart contract vulnerabilities.
Rewards
Findings will be scored based on the impact and the cost of executing the attack:
Major – Reward: $1,000 – $10,000
- Double spending
- Protocol design flaws
- Critical smart-contract vulnerabilities that allow all funds to be stolen
Medium – Reward: $500 – $1,000
- Denial of service
- Halting the Commit-chain
- Locking other users' funds / blocking withdrawals
Low – Reward: $100 – $500
- Degradation of user experience
- Unexpected smart-contract behaviour not necessarily leading to a critical vulnerability
Prizes will be awarded at the sole discretion of Liquidity Network. Quality of the report and reproduction instructions can impact the prize. Rewards will be paid out in LQD or ETH.
For this initial bug bounty program, there is a maximum bounty pool of $20,000.
The bug bounty program will run for a minimum of three months, starting May 27, 2019.
Reporting
To report a vulnerability, please write an email to contact@liquidity.network with [BUG BOUNTY] in the subject of the email.
The quality of the report can impact the reward amount. Please include a detailed report on the vulnerability with clear reproduction steps:
- A good description of the bug
- A description of the attack scenario
- The impact of this scenario
- Any other necessary components (code, tools, accounts, etc.)
- Any other details that might be helpful
- A potential resolution or fix. Giving examples is always beneficial!
We will make our best effort to reply promptly and provide a timeline for resolution.
Scope
The scope of the bug bounty is the NOCUST smart contract:
https://github.com/liquidity-network/nocust-contracts-solidity
Resources
Liquidity Network Client Library: https://docs.liquidity.network/
NOCUST paper: https://eprint.iacr.org/2018/642.pdf
For any questions, feel free to ask in the Liquidity Developer Telegram group: https://t.me/liquiditydevelopers
Eligibility
Only unknown vulnerabilities will be awarded a bounty; in case of duplicate reports, the first submitted one will get the prize.
Public disclosure of the vulnerability before explicit consent from Liquidity Network will make the vulnerability ineligible for a reward.
DISCLAIMER: Timelines and roadmap details mentioned are subject to change. Please look for our official communications on liquidity.network and subscribe to our update emails. There is a lag on uploads. This message is not an endorsement or recommendation for Liquidity Network, any cryptocurrency, or investment product. Neither the information nor any opinion contained in this message constitutes a solicitation or offer by the creators or participants to buy or sell any securities or other financial instruments or provide any investment advice or service.