Reality Check Bug Bounty

Edmund Edgar
3 min read · May 14, 2018

Last year we announced our on-chain smart contract oracle system, Reality Check, which we described as Snopes meets mechanical Turk on a blockchain.

We’ve completed our audit and we’re announcing a bug bounty for the smart contracts and documentation, as of commit 19d72f85f821c3e27400fc0f3514b9bddb64ae59.

It covers the following contracts:

It also covers the documentation under docs/, the compiled version of which you can find here.

This bounty will be open until May 29th, 2018.

All bounties will be paid in ETH. We will pay, depending on severity:

  • Up to 20 ETH for bugs that allow stealing user funds
  • Up to 10 ETH for bugs that lock user funds
  • Up to 10 ETH for bugs that result in the system reporting an incorrect answer, when its rules should result in it reporting a correct answer
  • Up to 1 ETH for serious errors and omissions in the documentation that mislead users.

Our total budget, in the event that the contracts turn out to be riddled with serious bugs that we and our auditor missed, is 100 ETH.

Note that where documentation is concerned we will be quite strict about our definition of “serious”. Our documentation isn’t written for the hostile reader, and isn’t designed as a substitute for reading the code, so we’re not looking for legalistic nit-picking. However, it should give thorough, fair-minded readers an accurate general idea of what the contract does and what to expect when they interact with it.

We have also written a prototype DApp which can help you see how the application is supposed to work, but the DApp is not part of the scope of our current bug bounty. However, we do appreciate bug reports.

Issues that are not critical to the contract’s security or functionality (style issues, gas optimizations) are also not eligible.

Awards of bounties are at the sole and final discretion of the Reality Check team.

About arbitrators and the trust model

The system relies on the honesty of an “arbitrator” contract which will correctly report outcomes if paid a dispute fee.

See more about arbitrators here: https://realitykeys.github.io/realitycheck/docs/html/arbitrators.html

We provide a sample arbitrator contract based on a trusted third party.

It’s not news to us that if the arbitrator contract is controlled by someone dishonest, incompetent or compromised, they can steal or lock user funds for the questions they arbitrate by incorrectly reporting answers, by incorrectly reporting who gave the last correct answer, or by various other means. However, we would pay for the following types of arbitrator-related bugs:

  • If an arbitrator, using the contract of their choice, can lock or steal funds or otherwise alter the result for questions for which they are not the designated arbitrator selected when the question was posted.
  • Bugs in our sample arbitrator contract, for example if it could be operated by someone who was not its owner, or arbitration would not work when the arbitrator tried to do it, or if the owner was unable to withdraw the funds they had earned by arbitration.

About timestamps

Our contracts use now, aka block.timestamp, for time. Some automated tools like Oyente will warn that these can be fudged by miners. We are aware of this, and consider it an acceptable risk given the likely length of the relevant time periods, and the unlikeliness that long periods will be fudged.
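The two design points above, that a question can only be settled by the arbitrator fixed when it was posted, and that timeouts based on block.timestamp are long relative to the few seconds a miner can shift a block's timestamp, are easier to review against a concrete contract. The following is an added illustration written for this post, not the Reality Check code; the contract name QuestionBook, its function names and the one-hour minimum timeout are all assumptions made for the example.

```solidity
pragma solidity ^0.4.21;

// Added illustration (not the Reality Check contracts): a minimal question
// registry showing two properties the bounty text describes.
//  1. The arbitrator is fixed when the question is posted and only that
//     address can arbitrate it; any other arbitrator contract is rejected.
//  2. Finalisation relies on `now` (block.timestamp) with a timeout that is
//     hours long, so the seconds a miner can shift a timestamp do not matter.
contract QuestionBook {

    // All names and parameters below are constructed for this example.
    struct Question {
        address arbitrator;     // designated at posting time, never changes
        uint32  timeout;        // seconds an answer must stand unchallenged
        uint256 lastAnswerTs;   // when the current best answer was submitted
        bytes32 bestAnswer;
        address bestAnswerer;
        bool    arbitrationPending;
        bool    finalized;
    }

    mapping(bytes32 => Question) public questions;

    event LogFinalized(bytes32 indexed questionId, bytes32 answer);

    // Post a question bound to a specific arbitrator address.
    // Requiring a timeout of at least one hour keeps miner timestamp drift negligible.
    function askQuestion(bytes32 questionId, address arbitrator, uint32 timeout) public {
        require(questions[questionId].arbitrator == address(0)); // id not yet used
        require(arbitrator != address(0));
        require(timeout >= 1 hours);
        questions[questionId] = Question({
            arbitrator: arbitrator,
            timeout: timeout,
            lastAnswerTs: 0,
            bestAnswer: bytes32(0),
            bestAnswerer: address(0),
            arbitrationPending: false,
            finalized: false
        });
    }

    // Anyone may answer while the question is open; each answer restarts the clock.
    function submitAnswer(bytes32 questionId, bytes32 answer) public {
        Question storage q = questions[questionId];
        require(q.arbitrator != address(0));
        require(!q.finalized && !q.arbitrationPending);
        q.bestAnswer = answer;
        q.bestAnswerer = msg.sender;
        q.lastAnswerTs = now; // block.timestamp; drift is seconds, timeout is hours
    }

    // Anyone can request arbitration, which freezes further answers (fee logic omitted).
    function requestArbitration(bytes32 questionId) public {
        Question storage q = questions[questionId];
        require(q.arbitrator != address(0));
        require(!q.finalized);
        q.arbitrationPending = true;
    }

    // Only the arbitrator fixed at posting time may settle this question.
    // An arbitrator contract chosen by someone else fails the msg.sender check,
    // which is the property the first arbitrator bullet above asks reviewers to test.
    function submitAnswerByArbitrator(bytes32 questionId, bytes32 answer, address answerer) public {
        Question storage q = questions[questionId];
        require(msg.sender == q.arbitrator);
        require(q.arbitrationPending && !q.finalized);
        q.bestAnswer = answer;
        q.bestAnswerer = answerer;
        q.finalized = true;
        emit LogFinalized(questionId, answer);
    }

    // The answer becomes final once it has stood unchallenged for `timeout` seconds.
    // A miner can nudge `now` by a few seconds, not by the hours the timeout spans.
    function isFinalized(bytes32 questionId) public view returns (bool) {
        Question storage q = questions[questionId];
        if (q.finalized) return true;
        if (q.arbitrationPending || q.lastAnswerTs == 0) return false;
        return now >= q.lastAnswerTs + q.timeout;
    }
}
```

When reviewing a contract like this against the bounty's arbitrator bullet, the check to exercise is that submitAnswerByArbitrator compares msg.sender with the per-question arbitrator rather than with any global arbitrator address, so a different arbitrator contract cannot finalize a question it was not assigned to. The timestamp reasoning rests on the gap between the timeout and the bounded amount a miner can shift block.timestamp; a timeout measured in seconds rather than hours would not have that margin.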

How to report

Bounties go to the first to report. You can report issues by posting them here:
https://github.com/realitykeys/realitycheck/issues

We will trust GitHub to correctly timestamp issues so we know who reported things first.

Please feel free to jump on our Gitter channel if you want help understanding the system or how the contract is supposed to work.

Happy hunting!
