Try to break the DTX bridge, and earn a bounty!

Roderik van der Veer, DataBrokerDAO
Aug 17, 2018

The DataBroker DAO platform will launch at the end of the summer. Currently, all DTX resides on the main net but our platform is built on top of a PoA network where all related contracts are stored. We are doing this to bypass any scalability and first use issues for our enterprise clients (ETH-DTX chicken and egg issue). Therefore, we require a secure way to let users transfer their DTX from the main net to our network for usage on the platform and back out again when they are done.

To achieve this, our team has created a bridge that is capable of transferring ERC20 tokens from a “Home” network to a “Foreign” network. For DataBroker DAO this means that the DTX token can be transferred between the main net and the DataBroker DAO network.

The bridge consists of three main parts:

  • Validators
  • Bridge contracts
  • dApp

Validators

Validators are programs that act as middlemen between both networks. They catch transfer requests and sign them with their validator account. These signatures are sent to the foreign bridge (DataBroker network).

The validators use authorized accounts to sign requests. This prevents third parties from signing malicious requests. To ensure availability and security, multiple validators should be live at all times.

Bridge Contracts

These contracts keep track of requests and their signatures. A bridge contract exists on both networks. The foreign bridge does most of the heavy lifting, as our network has a fast block time and no gas costs. The home bridge is only used for executing a withdrawal.

Every request must be signed by a minimum number of validators (in the demo it’s only 1). When the threshold is reached, the request is granted.

Since there are no gas costs on our network, depositing is at no gas cost to the user. In a withdrawal, the final step is executed by the home bridge and thus costs gas. This means that the user has to perform this step and pay the associated gas cost (see dApp demo).
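To make the validator and threshold logic above concrete, here is a small Python model added for this post; it is not DataBroker DAO's contract code. Authorized validators each sign a deposit request, the foreign bridge counts one signature per validator per request, mints only once the threshold is reached and refuses replays; the validator names, the request-id scheme and the 2-of-3 setup are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field


def request_id(home_tx_hash: str, recipient: str, amount: int) -> str:
    """Identifier validators sign over; binds the home-net transfer to recipient and amount."""
    return hashlib.sha256(f"{home_tx_hash}|{recipient}|{amount}".encode()).hexdigest()


@dataclass
class ForeignBridge:
    """Toy model of the bridge contract on the foreign (DataBroker DAO) network."""
    validators: frozenset                            # authorized validator accounts
    threshold: int                                   # signatures needed before a request is granted
    signatures: dict = field(default_factory=dict)   # request id -> set of validators that signed
    executed: set = field(default_factory=set)       # request ids that have already minted
    balances: dict = field(default_factory=dict)     # recipient -> DTX minted on this network

    def submit_signature(self, home_tx: str, recipient: str, amount: int, signer: str) -> str:
        """One validator vouches for a deposit request; returns the outcome."""
        req = request_id(home_tx, recipient, amount)  # votes only aggregate on identical requests
        if signer not in self.validators:
            return "rejected: unauthorized signer"   # third parties cannot add signatures
        if req in self.executed:
            return "rejected: already executed"      # a granted request cannot mint twice
        signers = self.signatures.setdefault(req, set())
        if signer in signers:
            return "ignored: duplicate signature"    # one validator counts once per request
        signers.add(signer)
        if len(signers) < self.threshold:
            return f"pending: {len(signers)}/{self.threshold}"
        self.executed.add(req)                       # threshold reached: grant exactly once
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        return "granted: minted"


def demo() -> dict:
    """Walk one constructed deposit through a 2-of-3 validator set."""
    bridge = ForeignBridge(validators=frozenset({"val-A", "val-B", "val-C"}), threshold=2)
    log = [
        bridge.submit_signature("0xhome-tx-1", "alice", 100, "mallory"),  # not a validator
        bridge.submit_signature("0xhome-tx-1", "alice", 100, "val-A"),    # 1 of 2
        bridge.submit_signature("0xhome-tx-1", "alice", 100, "val-A"),    # same validator again
        bridge.submit_signature("0xhome-tx-1", "alice", 999, "val-C"),    # other amount: other id
        bridge.submit_signature("0xhome-tx-1", "alice", 100, "val-B"),    # 2 of 2: mint
        bridge.submit_signature("0xhome-tx-1", "alice", 100, "val-C"),    # late: already executed
    ]
    return {"log": log, "alice_balance": bridge.balances.get("alice", 0)}
```

The same bookkeeping applies to withdrawals, except that the final step is executed on the home bridge and therefore paid for by the user.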

dApp

Although not necessary, the dApp provides an accessible way for users to make use of the bridge. Currently, you can log in with a mnemonic or your private keys. MetaMask is not supported, because it doesn’t allow us to connect to both networks at the same time. This is just a temporary solution, until we have finished the integration into the platform itself.

Try it out yourself!

The demo dApp is deployed at https://cooing-rabbit.surge.sh/

Log in to your account with a mnemonic or your private keys. This demo is not running on the main net, so you probably don’t have fake DTX there; you can just try the demo mnemonic: ‘shock body city antique crystal alter theme stuff orient primary flash royal rigid scan owner’.

You can deposit tokens to the DataBroker DAO network or you can withdraw them back to the main network.

Depositing

Next, we wait until the tokens arrive at the bridge.

Once the bridge receives our tokens, validator nodes have to give permission to cross the bridge.

When enough validators have signed off on the request (only 1 during the demo phase), the bridge on the DataBroker DAO network mints tokens to your account. The transfer procedure is complete.

Withdrawing

The first two steps are the same as when depositing.

The main network is ready to transfer the funds to your account, but this transaction costs gas on the main network. If your balance is too low, you can come back later to complete it.

The withdrawal was successful and your balance has been updated.

Bounty!

With such a crucial piece of our architecture and the fact that these contracts will hold lots of value, their security will be critical. That is why we have opened a bounty for any security issues via GitCoin.

The scope of this bounty is to look for bugs in the DataBroker DAO Smart Contracts. The following repositories apply:

1. https://github.com/DataBrokerDAO/dtx-crowdsale-contracts

2. https://github.com/DataBrokerDAO/databrokerdao-dapi (some contracts are inherited from a private repo, which is known and currently unavoidable)

3. https://github.com/DataBrokerDAO/erc20-bridge (modified versions have been merged into 1 and 2; this is the deployed version)

The applications can be found at:

1. The main net

2. Platform demo: https://dapp.databrokerdao.com

3. Bridge demo: https://cooing-rabbit.surge.sh (test mnemonic: shock body city antique crystal alter theme stuff orient primary flash royal rigid scan owner)

The severity is judged by the OWASP model.

Payouts will be as follows:

  • Critical: 0.2 ETH
  • High: 0.15 ETH
  • Medium: 0.05 ETH
  • Low: 0.02 ETH
  • Note: At the discretion of DataBrokerDAO team.

Payouts will be made to the first individuals who report bugs, and exploits will be ineligible for payouts if they have already been used on the deployed contracts.

Non-security-critical issues (style issues, gas optimizations, storage optimizations etc.) are not eligible for this bounty.

Determinations of eligibility and all terms related to this award are at the sole and final discretion of the DataBroker DAO team.

Good Luck!
