OST Mainnet Bounty Challenge #1: Earn 400k+ OST Tokens For Reporting Security Vulnerabilities

OST
Sep 12, 2018 · 5 min read

We want to ensure our partners can rely on OST blockchain technology to launch their own Branded Token and manage token economies. Therefore, the security of OST technology and all OST-powered crypto assets is a top priority. We are launching our first Mainnet bounty program with more than 400,000 OST available for eligible vulnerability reports.

This bounty challenges any participant to find a security vulnerability that allows him/her to transfer OST that is staked on Ethereum Mainnet to any unintended address. Additional bounties are available for eligible vulnerability submissions with a detailed step-by-step report on how to reproduce the challenge. We will evaluate each reported security issue and will award tokens based on the severity of each verified vulnerability.

Last week, we launched the first version of OST KIT on Mainnet — our developer toolkit for staking OST and minting Branded Tokens. 12 OST partners staked real OST and minted Branded Tokens on Mainnet: Unsplash, Gushcloud, Connectscale, Tribecoin, Traipse, LGBT Foundation (Hornet), Fainin, License.rocks, Radmule, Twilala, Touriocity, and Rlay.

We also created an economy “Bounty Coin” on OST KIT Mainnet Alpha 1 and staked 300,000 OST to mint approximately one million Bounty Coin on a utility chain.

We are looking for vulnerabilities in the areas listed under the bounty scope below.

Awards

  • 300,000 OST — Awarded to the contestant who can manage to transfer tokens from the Simple Stake Contract address to an unintended wallet.

Eligible Reports

  • A vulnerability that allows for the transfer of the staked OST on Ethereum Mainnet to an unintended address.

Bounty Scope

We would like to learn about security bugs and vulnerabilities in the following areas:

  1. OpenST Protocol 0.9.2 Smart Contracts and node.js packages including Mosaic Contracts and Tree Release AM1, OpenST AM1, OpenST Payments, and OST Price Oracle.

Out of Bounty Scope

Any domain or property of OST not listed in the targets section is out of scope, including but not limited to OST websites (ost.com, view.ost.com, kit.ost.com) and OST KIT UI issues.

Prerequisites

You can find the Utility Chain Syncing script here.

Here is a list of the value chain contract addresses:

  • Simple Stake for OST Prime: 0x5caaaee865f994bef3421507a278b42c5e26643a
  • Simple Stake for Bounty Coin: 0x5fBfEDE90ff3799F466A1997bA68B4fa18e82956
  • OpenSTValue: 0x62EDb11263cD775D549a9d9E38980014DBbFdeDD
  • Value Core Contract: 0xf8530666572C3CA966247Cc39C4f60bE37A5c168
  • Value Registrar: 0xD184c79481774A4c2Ea2DAD4d14F9C6396e17C65
  • Simple Token Contract Address: 0x2C4e8f2D746113d0696cE89B35F0d8bF88E0AEcA

Utility Chain Contract Addresses:

  • OpenSTUtility Contract: 0x37D014adb3D52e132877F6Feca00b81e95544C8C
  • Utility Registrar Contract Address: 0xA46a92067322d8a060eeB13B2c184639D3C87816
  • Bounty Coin Branded Token Address: 0xbe5b185bb0fc7493a168da19f576e482b6444c19
  • Price Oracle Contract Address: 0x1e6e9EF185aD2f1dcAFA263f26DecA1FAC64603c
  • OST Prime Contract Address: 0x7Ae71fE9e16A0AEEA63933cf4EB88f6c24A9723B

Bounty Rules

  • No spam or distributed denial of service (DDoS) attacks.

Submission

Submit any eligible bug or vulnerability via bounty@ost.com. Contact support@ost.com with any questions. Please include the following in your submission:

  1. Summary: one or two line summary of the bug or vulnerability.

The OST Mainnet Bounty Challenge will end on Sunday, September 30, 2018 at 1pm UTC. Bounties will be issued in October 2018.


About OST

OST blockchain infrastructure empowers new economies for mainstream businesses and emerging DApps. OST leads development of the OpenST Protocol, a framework for tokenizing businesses. In September 2018 OST introduced the OpenST Mosaic Protocol for running meta-blockchains to scale Ethereum applications to billions of users. OST KIT is a full-stack suite of developer tools, APIs and SDKs for managing blockchain economies. OST Partners reach more than 200 million end-users. OST has offices in Berlin, New York, Hong Kong, and Pune. OST is backed by leading institutional equity investors including Tencent, Greycroft, Vectr Ventures, 500 Startups.
