Basket Protocol: Hosho Security Audit + 🐞Bug Bounty Program

Carlo P. Las Marias
Published in Hummingbot Blog
Jul 25, 2018

Security is of paramount importance in the blockchain world. Millions of dollars of value residing in open-source, immutable smart contracts accessible to anyone in the world can be a recipe for disaster. Past smart contract vulnerabilities have led to events such as the DAO $50 million hack and the Parity $160 million loss.

At CoinAlpha, we take seriously the responsibility of securing our contracts and protecting the users of our protocols. While we have implemented rigorous testing and undergone security audits for our Basket Protocol, we recognize that issues may still arise, so we are announcing a bug bounty program to leverage and incentivize the efforts of our community.

Basket Protocol

CoinAlpha, Inc. has developed and open-sourced its Basket Protocol which enables decentralized, non-custodial asset management. We have deployed a version of this protocol onto the Ropsten Ethereum test network, on top of which we have created the decentralized application CryptoBaskets.

Development Practices for Security

In developing the protocol, we aimed to follow Ethereum development best practices, building off of industry standards such as OpenZeppelin’s smart contracts framework and following ConsenSys’ Smart Contract Best Practices. Some of the training and certifications completed by members of our team include the ConsenSys Academy Developer Program and B9lab’s Ethereum QA Engineer Course.

One of our company’s core values is emphasizing the importance of testing. We have tested the Basket Protocol code thoroughly, currently achieving 97% test coverage. Our protocol currently includes 1675 lines of code written for testing (protocol tests).

Third-Party Security Audit by Hosho

In June 2018, we engaged Hosho, a global leader in Blockchain Security, to complete a security audit. Items covered include:

  1. Appropriate and effective implementation of ERC-20 Token standards;
  2. Documentation and code comments match logic and behavior;
  3. Distributes tokens in a manner that matches calculations;
  4. Follows best practices in efficient use of gas, without unnecessary waste;
  5. Uses methods safe from reentrancy attacks; and
  6. Is not affected by the latest vulnerabilities.
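Of the audit items above, the reentrancy check is the one most easily shown in code. The following contract is an added illustration, not Basket Protocol code and not taken from the Hosho report; it assumes Solidity 0.8 syntax and shows the checks-effects-interactions ordering together with a minimal reentrancy lock (the same idea as OpenZeppelin’s ReentrancyGuard, written inline so the example is self-contained). The unsafe variant an auditor looks for is the same function with the external call placed before the balance update, which is the ordering behind the DAO incident mentioned at the top of this post.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example (not Basket Protocol code): a withdrawal that an audit item
// such as "uses methods safe from reentrancy attacks" would accept.
contract SafeWithdrawVault {
    mapping(address => uint256) public balances;

    // Minimal reentrancy lock. 1 = unlocked, 2 = a call is in progress.
    // Same idea as OpenZeppelin's ReentrancyGuard, implemented inline here.
    uint256 private _locked = 1;

    modifier nonReentrant() {
        require(_locked == 1, "reentrant call");
        _locked = 2;
        _;
        _locked = 1;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Checks: validate the caller's balance.
    // Effects: update internal state BEFORE any external call.
    // Interactions: only then send ether to the caller.
    // Even if the lock were missing, this ordering means a re-entering
    // caller would fail the balance check on the second entry.
    function withdraw(uint256 amount) external nonReentrant {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;                       // effect first
        (bool ok, ) = msg.sender.call{value: amount}("");     // interaction last
        require(ok, "transfer failed");
    }
}
```

The lock and the ordering are independent defences: the ordering alone closes the classic single-function reentrancy, while the lock also covers cross-function cases where a re-entering call targets a different state-changing function of the same contract.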

Our code successfully passed with only minor optimizations. You can find the full report here: Hosho Security Audit Report.

Basket Protocol Bug Bounty Program

Despite all the precautions and efforts we make to secure our protocol, we recognize that security is always an ongoing risk.

While we continually monitor the latest developments relating to security and industry best practices, we hope to work with the community to help make the Ethereum ecosystem safer by collaborating on security and coding best practices. To that end, we are launching the Basket Protocol Bug Bounty program.

Scope of the Bug Bounty

CoinAlpha’s Basket Protocol @ https://github.com/coinalpha/basket-protocol, all contracts named Basket__.sol.

Bounty Evaluation

CoinAlpha will use OWASP’s Impact and Likelihood risk framework to help in evaluating bounties.

Bounty Rewards

Accepted bounties are awarded based on the following guidelines:

  • Critical: up to $10k
  • High: up to $5k
  • Medium: up to $2.5k
  • Low: up to $1k

All bounties and awards will be subject to the sole discretion of the CoinAlpha team. The quality and completeness of your report will be factored into determining the reward amount.

Bounty Rules and Guidelines

  • Bounties are awarded on a first-report basis.
  • Take responsibility and act with extreme care and caution.
  • Do not use vulnerabilities you discover for purposes other than your own investigation.
  • Do not publicize or disclose to any third parties any details of vulnerabilities until after confirmation and approval from the CoinAlpha team.
  • Do not use social engineering to gain access to a system.
  • Non-security issues are not eligible.
  • Evaluations of eligibility, severity, and all terms related to a bounty and award are at the sole and final discretion of the CoinAlpha team.

Submission Guidelines

  • Submit reports to: security@coinalpha.com.
  • Please include detailed descriptions of the vulnerability or security issue, steps to reproduction, supporting artifacts, and suggested fixes (if any).
  • Your privacy: we will only use your personal details to take action based on your report. We will not share your personal details with others without your express permission.

Evaluation Procedure

The CoinAlpha team will investigate your report and will contact you to discuss the weakness, how you found it, and any follow-up action.

Program Updates

  • July 30, 2018: First reward paid! A reader and blockchain developer looked into our protocol in detail and provided us with some code optimizations. While the multiple points raised were not security issues, we appreciate the detailed review and comments.

Carlo P. Las Marias
Quant Finance 2.0 for Digital Assets | Co-Founder/Board Member of CoinAlpha | Ex TradFi (GS/DB/UBS/CSFB) | Wharton/Penn Engineering | Calisthenics 🤸🏻‍♂️