Wyvern DAO / Token Bug Bounty ($5K)

Protinam, published in Project Wyvern, Jan 5, 2018

Summary

The Project Wyvern ERC20 token port will take place in just a few days. Before we deploy the Wyvern ERC20 token and Wyvern DAO smart contracts to the Ethereum blockchain, we’d like to open up bug hunting to the community. An independent audit has already been conducted — but maybe you’ll catch something no one else has yet, and we’ll pay handsomely if you do, up to $5000 USD worth of Ethereum!

Project Overview

The Wyvern Exchange is an upcoming decentralized digital item exchange, where you’ll be able to trade any digital asset representable on the Ethereum blockchain: CryptoKitties, ERC20 and ERC721 tokens, even (ownable) smart contracts themselves. The Wyvern Exchange will be governed by the Wyvern DAO: a decentralized autonomous organization, controlled by WYV tokenholders, charged with day-to-day administration of the Exchange and long-term development of the protocol. To learn more about the project, check out the whitepaper.

We’re deploying the Exchange in two stages. This bounty program is just for the first stage: the conversion of the existing Wyvern blockchain ledger to an ERC20 token, and the deployment of the Wyvern DAO. The Exchange itself will be released in beta in a few weeks and will have a separate bounty program at that time.

Audit Scope

All relevant smart contracts are in the wyvern-ethereum Git repository. Any issues present in Git commit d7e3bb are valid submissions. The following contracts are within the scope of this bounty:

All other smart contracts (in particular, smart contracts relating to the Exchange, which are still under development) are not within the scope of this audit.

Bug Submission & Rewards

Bugs should be reported as issues to the wyvern-ethereum Git repository. Please make it clear that your issue is a submission to this bounty program. Bug submissions are subject to the following rules:

  • This bounty program will run from the publication of this post to Sunday, January 7th 2018 at 06:00 UTC. No submissions after that date will be accepted.
  • Duplicate submissions are not allowed; only the first submission will be paid.
  • The Project Wyvern website or DApps are not part of this bounty program.
  • Project Wyvern team members and anyone employed as a contractor by Project Wyvern in the past are ineligible for bug bounty submissions.

The value of the reward paid out will depend on severity, calculated according to the OWASP guidelines:

Rewards are denominated in USD and will be paid in Ether using the ETHUSD exchange rate at the time of payment:

  • Critical: Up to $5000
  • High: Up to $1000
  • Medium: Up to $500
  • Low: Up to $100
  • Note: Up to $50

Examples of risk severity:

  • Critical: Redeem fake UTXOs, control DAO transaction execution without holding a majority of shares.
  • High: Prevent DAO from executing a proposal with a cheap-to-execute spam attack, UTXO redemption replay attack.
  • Medium: Inability to redeem valid UTXO.
  • Low / Note: Inconsistent documentation that could lead to user confusion.

Exact reward amounts are solely at the discretion of the Project Wyvern team; however:

  • We promise to respond within 24 hours to all bug submissions.
  • We promise to let you know whether your submission qualifies for a bounty or not within 24 hours of bug finalization (when you’ve answered any questions we had about the submission).
  • We promise to pay out all rewards within 72 hours of bug confirmation.

Happy hunting!

— The Project Wyvern Team
