Neutrino Bug Bounty Winners
We are pleased to announce the winners of the first round of bug bounty for the Neutrino Protocol Alpha.
On September 18th, 2019, the Neutrino development team launched a contest with the support of Waves Labs to study vulnerabilities in the logic of the Neutrino dApp. In addition, we have been evaluating independent reports on bugs and vulnerabilities submitted by Waves community enthusiasts.
Before the launch of the beta version of Neutrino dApp, we would like to mark the winners of the competition and describe the vulnerabilities and bugs that they discovered and the fixes we have implemented.
I. “Lucky trader” attack by Ilya Teterin & Artem Bodrych team (2000 USD-N, ~2000$)
Ilya and Artem have been active participants of the Waves community for a long time and are well versed in both the details of Waves blockchain implementation and RIDE, the programming language for smart contracts. However, the vulnerability that was found and pentested by them was in the architectural logic of the price feeding oracles of the Neutrino smart contract.
Description
Neutrino dApp allows a user to to buy or sell USD-N through a swap procedure on the smart contract where 1 USD : 1 USD-N in relation to the Waves token price.
This price on the smart contract is determined by regular voting of a collective of oracles (5 at the moment of alpha testing), feeding the price observed at external exchanges with high liquidity into the smart contract. The voting period itself encompasses several blocks.
The attack was carried out by monitoring the price from one of the primary price sources (exchanges) and, in case of a sharp deviation of the price from its previous value, the testers attempted to “guess” the price that would be expected on the smart contract. Knowing the future value of the price on the smart contract mixed with the possibility of doing instant swapping, allows to make opportune decisions about buying or selling via the contract.
The attack included repeating the procedure between November 5 and November 10. This “Lucky trader” vulnerability allowed to withdraw some Waves from the contract.
Solution
In such cases, the usual solution is to introduce a spread, which is usually included in stock exchange orders. However, such a solution would change the price on the smart contact and would violate the principle of keeping the ratio 1 USD: 1 USD-N to in relation to the price of Waves token.
Hence, the solution is that the Waves -> USD-N swap scheme now consists of 2 steps: 1 — request for withdrawal and blocking of incoming funds, 2 — possibility to withdraw USD-N after the request has been executed. The same scenario was implemented for USD-N -> Waves swap. Thus, allowing exchange after several blocks is a safe solution for the “Lucky trader” attack.
II. Nest (200 USD-N, 200$) — the most bugs found in Neutrino dApp UI during alpha testing
Nest (@Tparpal) is arguably the most active member of the Waves community and the creator of the WavesTrading chat. During the alpha testing, Nest helped to find and parse multiple issues related to User Interface and UI — Blockchain integrations.
In summary, the Neutrino team received a great deal of useful comments and feedback from the community, and we’d like to thank you all for your participation!
If you want to find out more about how Neutrino works, check out our latest FAQ article: https://medium.com/@neutrinoteam/neutrino-protocol-faq-bf19c79eb354
