Bug and Optimization Bounty for Smart Contracts

Daniel Wang
Oct 26, 2017

Today we are publishing our smart contracts for public review. We call on our community and all bug bounty hunters to help us identify bugs in the Loopring protocol and to provide optimization solutions.

Loopring Protocol Smart Contracts

The Loopring project is a protocol for decentralized token exchange. Our first set of smart contracts has been developed for the Ethereum blockchain. This set of smart contracts includes the following files:

  • LoopringProtocol.sol: An interface for describing the protocol’s functionality.
  • LoopringProtocolImpl.sol: The protocol implementation that encapsulates most of the core logic. This file demands a great deal of review and auditing.
  • RinghashRegistry.sol: This smart contract keeps track of ring-hash submissions to prevent ring filch.
  • TokenRegistry.sol: This smart contract whitelists ERC20 tokens supported by the Loopring protocol. Loopring will only support tokens with verified source code.
  • TokenTransferDelegate.sol: A smart contract that transfers tokens on behalf of different versions of the Loopring protocol, meant to avoid re-authorization after a protocol upgrade/migration.

Bug Bounty

The above 5 smart contracts are subject to our bounty programs.

We learned from the Ethereum and AirSwap teams and decided to use the OWASP model to rate identified bugs based on their likelihood and impact.

The bug bounty reward is scheduled as follows:

  • Critical: 150-200K LRC
  • High: 50-100K LRC
  • Medium: 20-40K LRC
  • Low: 5-10K LRC

Typos and English grammar errors in source code and comments do not qualify for a bounty.

[UPDATE]: the above bounty reward rules have expired.

Optimization Bounty

For a ring of 2 orders, our protocol currently consumes 415301 gas in total; for a ring of 3 orders, it consumes 511465 gas. The gas usage breakdown is as follows:

[Images: gas usage breakdown]

The current ETH price is around 300 USD (or 2000 RMB). If the ring-miner uses 21 Gwei as the gas price, each order’s cost base would be about 1.1 to 1.3 USD, or 7.1 to 8.6 RMB.

We believe there is room for improvement that can reduce gas usage. We will explore a light mode for the submitRing method, which will neither check order balance/allowance nor scale down orders dynamically. This will greatly reduce gas usage but also increase the miner’s transaction failure rate. This direction of optimization is already planned and therefore does not qualify for the bounty program.

The optimization bounty payout is as simple as:

  • Every 1% gas reduction: 25K LRC.

[UPDATE]: The base for percentage calculation will ALWAYS be 511465!!!

[UPDATE]: the above bounty reward rules have expired.

Rules

Please review the following rules before starting your hunt:

  • Issues/optimizations that have already been submitted by another user or are already known to the foundation are not eligible for bounty rewards.
  • Public disclosure of a vulnerability makes it ineligible for a bounty.
  • Loopring Foundation and the core development team are not eligible for rewards.
  • These bounty programs are at the sole and final discretion of the Loopring Foundation.

Please take a close look at our contracts at https://github.com/loopring/protocol and submit issues and optimizations for review to bounty@loopring.org. We will collect submissions in these two files: bug_submissions.md and optimization_submissions.md, respectively.

Thank you.
