OST Mainnet Bounty Challenge #1: Earn 400k+ OST Tokens For Reporting Security Vulnerabilities

We want to ensure our partners can rely on OST blockchain technology to launch their own Branded Token and manage token economies. Therefore, the security of OST technology and all OST-powered crypto assets is a top priority. We are launching our first Mainnet bounty program with more than 400,000 OST available for eligible vulnerability reports.

This bounty challenges any participant to find a security vulnerability that allows him/her to transfer OST that is staked on Ethereum Mainnet to any unintended address. Additional bounties are available for eligible vulnerability submissions with a detailed step-by-step report on how to reproduce the challenge. We will evaluate each reported security issue and will award tokens based on the severity of each verified vulnerability.

Last week, we launched the first version of OST KIT on Mainnet — our developer toolkit for staking OST and minting Branded Tokens. 12 OST partners staked real OST and minted Branded Tokens on Mainnet: Unsplash, Gushcloud, Connectscale, Tribecoin, Traipse, LGBT Foundation (Hornet), Fainin, License.rocks, Radmule, Twilala, Touriocity, and Rlay.

We also created an economy “Bounty Coin” on OST KIT Mainnet Alpha 1 and staked 300,000 OST to mint approximately one million Bounty Coin on a utility chain.

We are looking for vulnerabilities in the areas listed under the bounty scope below.

Awards

  • 300,000 OST — Awarded to the contestant who manages to transfer tokens from the Simple Stake Contract address to an unintended wallet.
  • 100,000 OST — Awarded for reporting the vulnerability described above with a detailed description and a step-by-step process for reproducing the challenge.
  • 10,000+ OST — Awarded for eligible bug and vulnerability submissions. There is no limit to the number of rewards, and individuals can earn multiple rewards by submitting qualifying bugs and vulnerabilities.

Eligible Reports

  • A vulnerability that allows for the transfer of the staked OST on Ethereum Mainnet to an unintended address.
  • A vulnerability that allows users to transfer Bounty Coins placed in the OST KIT Mainnet Alpha 1 account to an unintended address.
  • A vulnerability which can be exploited to bring down or take control of the OST KIT user’s account without direct access to the machine. Extensive DDOS attacks excluded.
  • A vulnerability that would result in any of the services (KIT, API, VIEW) being unusable for users. Extensive DDOS attacks excluded.
  • A vulnerability that compromises the contract behavior and allows unintended transfer of tokens.
  • A vulnerability that compromises private keys of addresses managed by OST KIT.
  • A vulnerability relating to technology built by OST on top of OpenST Protocol 0.9.2.
  • Any vulnerability that compromises the data APIs of OST VIEW.
  • A vulnerability that allows users to obtain access to other users’ API keys.

Bounty Scope

We would like to learn about security bugs and vulnerabilities in the following areas:

  1. OpenST Protocol 0.9.2 Smart Contracts and node.js packages, including Mosaic Contracts and Tree Release AM1, OpenST AM1, OpenST Payments, and OST Price Oracle.
  2. OST KIT, including Mainnet KIT.
  3. OST API, including Mainnet API v1.1 and Mainnet Dev.
  4. OST VIEW, including Mainnet View and OpenST Explorer.

Out of Bounty Scope

Any domain or property of OST not listed in the targets section is out of scope, including but not limited to OST websites (ost.com, view.ost.com, kit.ost.com) and OST KIT UI issues.

Prerequisites

You can find the Utility Chain Syncing script here.

Here is a list of the value chain contract addresses:

  • Simple Stake for OST Prime: 0x5caaaee865f994bef3421507a278b42c5e26643a
  • Simple Stake for Bounty Coin: 0x5fBfEDE90ff3799F466A1997bA68B4fa18e82956
  • OpenSTValue: 0x62EDb11263cD775D549a9d9E38980014DBbFdeDD
  • Value Core Contract: 0xf8530666572C3CA966247Cc39C4f60bE37A5c168
  • Value Registrar: 0xD184c79481774A4c2Ea2DAD4d14F9C6396e17C65
  • Simple Token Contract Address: 0x2C4e8f2D746113d0696cE89B35F0d8bF88E0AEcA

Utility Chain Contract Addresses:

  • OpenSTUtility Contract: 0x37D014adb3D52e132877F6Feca00b81e95544C8C
  • Utility Registrar Contract Address: 0xA46a92067322d8a060eeB13B2c184639D3C87816
  • Bounty Coin Branded Token Address: 0xbe5b185bb0fc7493a168da19f576e482b6444c19
  • Price Oracle Contract Address: 0x1e6e9EF185aD2f1dcAFA263f26DecA1FAC64603c
  • OST Prime Contract Address: 0x7Ae71fE9e16A0AEEA63933cf4EB88f6c24A9723B

Bounty Rules

  • No spam or distributed denial of service (DDOS) attacks.
  • No violations of the privacy of other users or destruction of data.
  • No disclosing of vulnerabilities to the public. Participants must report vulnerabilities to OST only, as described in this post. Participants must allow for a reasonable response time from OST.
  • Vulnerabilities which have already been submitted or are already known to OST are not eligible. Once the OST team has confirmed the presence of the vulnerability and is prepared to publish information to help mitigate the risk, we will list the vulnerability submissions here.
  • Employees of OST are not eligible to participate.
  • Any party (including but not limited to an individual, employee, consultant or company) working directly or indirectly on behalf of/for OST is not eligible to participate in the OST Mainnet Bounty Challenge.
  • Anyone engaged to review or audit OST code in exchange for remuneration is not eligible to participate.
  • OST may cancel this program at any point in time at its sole discretion.
  • Awards are at the discretion of the OST team.
  • Each bug or vulnerability will be considered for an award only once.
  • Rewards are not available to users from countries subject to OFAC sanctions.

Submission

Submit any eligible bug or vulnerability via bounty@ost.com. Contact support@ost.com with any questions. Please include the following in your submission:

  1. Summary: A one- or two-line summary of the bug or vulnerability.
  2. Description: Describe the scenario. What were you trying to do? What is the possible impact? OST will be awarded to clear, well-written submissions that can help us quickly reproduce the vulnerability.
  3. Product: OST KIT / OST API / OST VIEW / OpenST Protocol 0.9.2
  4. Affected Files: If you found the bug or vulnerability in the open source code, please share the affected files.
  5. Detailed steps to reproduce: Please include snippets of logs, test code, scripts and detailed instructions on how to reproduce the vulnerability. How would we reproduce the bug or vulnerability faster?
  6. Fix: Please suggest a solution for the vulnerability.

The OST Mainnet Bounty Challenge will end on Sunday September 30 2018 at 1pm UTC. Bounties will be issued in October 2018.


About OST

OST blockchain infrastructure empowers new economies for mainstream businesses and emerging DApps. OST leads development of the OpenST Protocol, a framework for tokenizing businesses. In September 2018 OST introduced the OpenST Mosaic Protocol for running meta-blockchains to scale Ethereum applications to billions of users. OST KIT is a full-stack suite of developer tools, APIs and SDKs for managing blockchain economies. OST Partners reach more than 200 million end-users. OST has offices in Berlin, New York, Hong Kong, and Pune. OST is backed by leading institutional equity investors including Tencent, Greycroft, Vectr Ventures, and 500 Startups.