Smart Contracts and Bug Bounty
Today we are publishing two Ethereum smart contracts for public review.
The AirSwap exchange contract facilitates atomic swaps of ERC20 tokens between two Ethereum addresses. The contract is considered the “on-chain” part of the protocol, and everything prior is the “off-chain” work done between peers. Two independent audits, by Phil Daian and Nick Johnson, have been completed and will soon be available in the GitHub repository.
The exchange contract takes advantage of the ERC20 standard to transfer token balances between counterparties. After approving the contract to transfer his or her balances, a trader submits a signed order by calling the contract's “fill” function. This function then calls “transfer” on each respective token to complete the trade.
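To make the approve-then-fill flow concrete, here is an illustrative exchange contract written for this post; it is not AirSwap's Exchange.sol, and the order fields, the signature scheme and the (maker, nonce) replay protection are assumptions. It uses the ERC20 transferFrom path, which is what the prior approval step enables, and shows the checks a reviewer would expect around a fill: expiry, single use, and maker signature.

```solidity
pragma solidity ^0.8.0;

// Minimal ERC20 surface the exchange relies on.
interface IERC20 {
    function transferFrom(address from, address to, uint256 value) external returns (bool);
}

// Illustrative atomic-swap exchange (assumed design, not AirSwap's Exchange.sol).
contract ExampleExchange {
    // Maker-signed order; the maker approves this contract for makerAmount beforehand.
    struct Order {
        address maker; uint256 makerAmount; address makerToken;
        address taker; uint256 takerAmount; address takerToken;
        uint256 expiration; uint256 nonce;
    }

    // Replay protection: each (maker, nonce) pair may be filled only once.
    mapping(address => mapping(uint256 => bool)) public filled;

    event Filled(address indexed maker, address indexed taker, uint256 nonce);

    // Binding the contract address into the hash keeps a signature from being
    // replayed against another deployment of the same code.
    function hashOrder(Order memory o) public view returns (bytes32) {
        return keccak256(abi.encode(address(this), o.maker, o.makerAmount, o.makerToken,
            o.taker, o.takerAmount, o.takerToken, o.expiration, o.nonce));
    }

    // The taker submits the maker's signed order; both token legs move atomically,
    // so either the whole swap happens or the transaction reverts.
    function fill(Order calldata o, uint8 v, bytes32 r, bytes32 s) external {
        require(msg.sender == o.taker, "not the named taker");
        require(block.timestamp < o.expiration, "order expired");
        require(!filled[o.maker][o.nonce], "order already filled");
        require(o.maker != address(0), "invalid maker");

        // Standard eth_sign prefix over the order hash; ecrecover returns
        // address(0) on a malformed signature, which the maker check rejects.
        bytes32 digest = keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", hashOrder(o)));
        require(ecrecover(digest, v, r, s) == o.maker, "bad maker signature");

        // Mark as used before any external call (checks-effects-interactions).
        filled[o.maker][o.nonce] = true;

        require(IERC20(o.makerToken).transferFrom(o.maker, o.taker, o.makerAmount), "maker leg failed");
        require(IERC20(o.takerToken).transferFrom(o.taker, o.maker, o.takerAmount), "taker leg failed");
        emit Filled(o.maker, o.taker, o.nonce);
    }
}
```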
The token contract is based on ERC20, but includes some special features. First, token holders may lock a balance of tokens for a set amount of time. This allows off-chain services to detect these locks and provide additional utility to users who have locked tokens. All token transfers are locked until October 17, 2017 at 10:10:10 AM ET. The token contract is also “pausable”, which means that we can pause transfers in case of a major security vulnerability.
Because transfers are locked and the sale is being done through the exchange contract, the token contract is constructed with an initial balance for the sale wallet. During the sale, the sale wallet signs orders and buyers fill them on the exchange contract.
We will run a bug bounty indefinitely to reward community members for discovering and reporting bugs. The scope of the bounty will be limited to Exchange.sol and AirSwapToken.sol and the contracts they inherit from.
The value of rewards will vary depending on severity as judged by the AirSwap team. The severity of a bug is determined according to the OWASP risk rating model based on Impact and Likelihood, as employed in the Ethereum bug bounty campaign.
Bounty payout is as follows:
- Low: Up to 5 ETH
- Medium: Up to 20 ETH
- High: Up to 50 ETH
- Critical: Up to 100 ETH
A few friendly rules:
- Bounties go to the first to report.
- Don’t steal or attempt to steal others’ funds.
- Don’t publicly disclose a bug before it has been fixed.
- Paid auditors of this code are not eligible for rewards.
- Issues that are mentioned in the security audits are not eligible.
- Non-security-critical issues (style issues, gas optimizations) are not eligible.
- Determinations of eligibility, score and all terms related to an award are at the sole and final discretion of the AirSwap team.