Skip to content

bokkypoobah/BokkyPooBahsHallOfFameAndBugBounties

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

27 Commits
 
 
 
 
 
 
 
 

Repository files navigation



BokkyPooBah's Hall Of Fame

  1. Feb 05 2017 - /u/JonnyLatte, the original TokenTraderFactory author, has found a bug in the TokenTraderFactory code when it interacts with the 🦄 ‐ Unicorn token where the natural unit is 1.

    Here are the diffs of the fixed bug in in TokenTraderFactory and TokenSellerFactory

  2. Feb 14 2017 - Bartosz Ocytko has found an overflow condition that allows the GNTTokenTrader, TokenTrader and TokenSeller contracts to exchange the tokens for very little ethers. The conditions for this situation to occur are very very unlikely as it requires:

    • the ERC20 token supply to be at least 2^256 - 1
    • the Maker creates a TokenTrader or TokenSeller contract with sellPrice = 2^256 - 1 and units = 1
    • the Maker transfers 2^256 - 1 tokens to the newly created contract

    All the existing GNTTokenTrader, TokenTrader and TokenSeller contracts as listed on the https://cryptoderivatives.market/ site are safe from the overflow bug described above as:

    • The are no tokens with supply 2^256 - 1
    • If there was a token with supply 2^256 - 1, it is even more unlikely that the Maker would own this whole amount
    • The GNTTokenTrader, TokenTrader and TokenSeller with sellPrice = 2^256 - 1 will automatically get filtered out from the existing "reasonableness" checks

    Following is Ocytko's email detailing the overflow conditions:

    For his efforts of pointing out this condition and suggesting a fix, 40 ETH has been awarded to Bartosz. Thanks Bartosz for auditing the contracts and helping keep it safe!

  3. Sep 23 2017 - softestcore found a "minor" vulnerability in a separate bug bounty and has been awarded 3 ETH. Details will be included after the upstream owners of the source have been fully informed and have had time to rectify this issue if necessary.

  4. Feb 9 2018 - Audit by Oleksii Matiiasevych identified a major bug #5 Incorrect parameter passed to ApproveAndCallFallBack() function and has been awarded 15 ETH.

  5. Mar 8 2019 - Rob Hitchens submitted a set of performance and readability improvements to BokkyPooBah's Red-Black Binary Search Tree Library and has been awarded 5 ETH.

  6. Mar 14 2019 - Steve Marx found an Incorrect comment on fee refund #1

  7. Mar 14 2019 - Alexey Pertsev queried potential malicious behaviour with approveAndCall(...) resulting in Add warnings to approveAndCall(...) and receiveApproval(...) #2. Alexey also provided minor Cosmetics including address payable #3 recommendations.

  8. {{Your Name Here?}}



Active Bug Bounties

Bok Consulting Pty Ltd is offering a 30 ETH bug bounty across the smart contracts in the following projects, with the scope defined in each project:

Please DM any submissions to BokkyPooBah @ Reddit or BokkyPooBah @ Twitter.


Rules And Rewards

  • Previously submitted or known bugs are not eligible for bounty rewards
  • Public disclosure of a vulnerability makes it ineligible for a bounty
  • You can deploy the contracts on your private chain for bug hunting. Please respect the Ethereum Mainnet and Testnets and refrain from attacking them
  • The value of rewards paid out will depend on the severity of the bugs found. Determinations of this amount is at the sole and final discretion of the Bok Consulting Pty Ltd but we will try to be fair

Donations

Any donations to 0xb6dAC2C5A0222f6794265249ACE15568B750c2d1 between the period of Jan to Jun 2019 will be added to this bug bounty program.

If you want to support the development of decentralised applications, please consider donating to the address above.

Alternatively, consider donating to the Decentralised Future Fund multisig at 0xb5fbae0361855617c58EF95a186889f0122e6642 with funds used to promote decentralisation. In 2018, the DFF provided the funds for 10 individuals to attend EdCon 2018, Consensus 2018, the Web3 Summit and Devcon4 conferences.


And the following donations (thanks) are included in this bug bounty:



Enjoy!

(c) BokkyPooBah / Bok Consulting Pty Ltd - Mar 13 2019. The MIT Licence.