Ways to Hunt on the $500,000 Shardeum Core Boost

ImmunefiEditor
Published in Immunefi
4 min read · Aug 1, 2024

Where do you even start hunting on large codebases, like in the Shardeum Core Boost?

If you’re feeling overwhelmed, you’re not alone. It’s not unusual for security researchers to feel daunted by the challenge ahead when hunting in a large-scale Boost like this one. After all, this is a lot of code to review in only six short weeks, and more code means a larger attack surface that is likely to contain more bugs.

The next question, therefore, is “Where is the best ROI for my time in this Boost?” Understanding the best use of your time in a competition like this will not only prove profitable, but will also help optimize your hunt and increase your chances of success.

In this article, we provide a breakdown of the Shardeum codebase to help you understand where to get started based on your specific skills and interests.

Let’s get started.

Shardeum Breakdown

Here’s a breakdown of the Shardeum codebase, including what’s in scope, and what’s not, for this Boost:

  • lib-types. (TypeScript 1229 SLOC). All Shardeum subprojects are written in TypeScript, that is, JavaScript with types. To keep the code consistent and easy to maintain, all shared types have been put into this library. Even though it is not directly included in the scope, rest assured that a bug found in the data types can break any Shardeum project.
  • lib-net. (Rust 1664 SLOC, TypeScript 1078 SLOC). A minimal network protocol developed for nodes to communicate with each other within the network, and the only component written in Rust. It is a request-response protocol that runs on top of TCP and exchanges JSON packets. A bug found in this module can lead to network disruption.
  • lib-crypto-utils. (TypeScript 863 SLOC). Cryptographic functions like hashing, signing, key generation, and encryption are bundled in this package to provide developers with a simplified interface to the necessary tools. Under the hood, libsodium is used.
  • archive-server. (TypeScript 14474 SLOC). Archive nodes store the complete state and history of the network, whereas consensus clients (shardus-core) store only partitioned state data. An archive node subscribes to the data stream from multiple consensors and aggregates it into a single store. The network architecture is documented in more detail in the archive-server GitHub repository. The archive server is also responsible for maintaining a list of current network participants so that nodes know who to connect to. The peer discovery protocol is implemented in a separate JavaScript package called archiver-discovery (378 SLOC).
  • shardus-core. (TypeScript 55386 SLOC). Shardus is a platform that provides the network architecture, storage and other related tools for building applications on top of it. A unique feature of the platform is its data sharding technology. Note that the code responsible for the consensus mechanisms is outside the scope of the current bug bounty program.
  • Shardeum. (TypeScript 24140 SLOC). Shardeum is a specific example of an application built on Shardus: a good old blockchain with an Ethereum Virtual Machine to execute smart contracts. Unlike go-ethereum, Shardeum implements the EVM in TypeScript.
  • json-rpc-server. (TypeScript 7945 SLOC). By default, a Shardeum node does not provide an RPC interface for interaction with wallets and other applications. A separate application has been developed to add an EVM-compliant JSON-RPC API to the node. In addition, json-rpc-server has debug endpoints not found in the usual go-ethereum RPC server.
  • relayer-distributor (TypeScript 2884 SLOC) and relayer-collector (TypeScript 9308 SLOC) transmit and collect the metadata needed to keep the network running.
  • At the top level of the ecosystem are the end-user applications that let you manage nodes and read data in a human-friendly way: validator-cli (TypeScript 1871 SLOC), validator-gui (TypeScript 3042 SLOC) and explorer-server (TypeScript 15171 SLOC).

Shardeum Boost: Where’s Your Best ROI?

Considering the information above, there are likely parts you’re not able to hunt on. Maybe they’re too much of a commitment, or require learning tech you’re simply not interested in. Cross those off your list. Your best ROI is where your skill, interest, and available time meet, so focus on the part(s) most suited to you.

So where should you focus?

If you have less than a week full-time to spend:

Ask yourself the following:

Are you proficient in JavaScript or TypeScript?

Focus on lib-types. Bugs in the data types can have a cascading effect on the entire Shardeum ecosystem, potentially disrupting any project within it.

Do you have experience with network protocols?

Focus on lib-net. A bug in this module can cause significant network disruption due to its critical role in node communication.

If you have a week or more:

Ask yourself the following:

Interested in cryptographic functions?

Focus on lib-crypto-utils. Given its role in hashing, signing, key generation, and encryption, a bug here could compromise the entire network’s security.

Have experience with data storage and network architecture?

Focus on archive-server. This module aggregates data from multiple consensus clients and is responsible for maintaining network participants, making it crucial for network stability.

Ultimately, the best strategy is to focus on the areas you are most interested in. This will increase your likelihood of discovering critical vulnerabilities — and earning big rewards in return.

Armed with this breakdown, where will you focus your efforts in the Shardeum Boost? Head over to the Shardeum Core Boost page on Immunefi and get hunting!
