Raiden Alderaan Release Bug Bounty

Raiden Network
Raiden Network Blog
6 min read · Jun 5, 2020

The Raiden Alderaan release is a beta deployment of the Raiden Network intended to test the full feature set on the Ethereum mainnet. The Raiden team has undertaken several risk mitigation measures to limit the potential damage caused by bugs or misuse of the software and to ensure a responsible testing environment. In addition to these safety measures, a bug bounty is being run for the Raiden Smart Contracts as well as the Raiden Client and the Raiden Services executables (see the detailed scope below). The bug bounty is hosted by brainbot labs Est. to make sure that the software lives up to the highest possible standards and that the risk of users losing funds is kept to a minimum. A pool worth $200,000 in RDN tokens is available for bounty rewards.

Scope of the Bounty

All direct Raiden system components (Raiden Smart Contracts, Raiden Client, Pathfinding and Monitoring Service) are in scope. The Raiden Transport Layer (Matrix servers) is a third-party component and is therefore excluded from the bounty. The scope of the bounty is limited to critical vulnerabilities as defined below.

Raiden System Components in Scope

The following components of the Raiden Network are in the scope:

Smart contracts

Client executable — only the most recent executable released by the Raiden team, starting with version 1.0.0, is in scope.

Pathfinding Service executable — only the most recent executable released by the Raiden team, starting with version v0.10.0, is in scope.

Monitoring Service executable — only the most recent executable released by the Raiden team, starting with version v0.10.0, is in scope.

The specific versions in scope may change when a new version of any of the above components is released as a result of a bug being fixed.

Vulnerabilities eligible for rewards within the bug bounty

Only critical vulnerabilities as defined below are in scope for the bug bounty and eligible for rewards:

Vulnerability Definitions

  • Tier 1 vulnerability: A Tier 1 vulnerability is any flaw in the protocol that can lead to the loss of user funds, either because funds become irrecoverably locked or because funds can be stolen by third parties.
  • Tier 2 vulnerability: A Tier 2 vulnerability is any flaw in the protocol that makes user funds unrecoverable through the Raiden API, so that specific manual smart contract interactions are needed to recover them.

Relevant Tokens

  • The Tier 1 and Tier 2 definitions above apply only to user funds held in WETH and DAI; only vulnerabilities involving these two tokens are considered relevant for the bug bounty.

Additional Requirements

  • brainbot labs must be able to reproduce the vulnerability.
  • The reported vulnerability must be present in the most recent Alderaan release tag (version 1.0.0 or later).

Explicitly not in scope / not eligible are:

  • Any code that differs from the code released by brainbot labs Est. as part of the Alderaan release. This includes the Raiden client Python source code, the pathfinding service source code, the monitoring service source code and all the corresponding smart contracts.
  • Known issues that are already in the Raiden issue tracker or have already been reported via the bug bounty program.
  • Vulnerabilities which affect multiple smart contract systems and are not specific to the Raiden implementation, e.g. vulnerabilities eligible for the Ethereum bug bounty.
  • Vulnerabilities that appear only under extreme network conditions (e.g. deep reorgs, or transactions not being included in the chain for more than 2 hours).

Duration of the Bounty

The bug bounty will run until either the entire pool worth $200,000 has been depleted, or reported bugs or other critical events have led to the deprecation of the deployed version of Raiden for which the bug bounty is valid.

The community will be informed when the bug bounty ends. Communications addressing found and reported bugs will also be published once the relevant fixes are in place and potential security risks have been mitigated.

brainbot labs Est. reserves the right to end the bug bounty at any time.

Bounty Rewards

As stated above, a pool worth a total of $200,000 in RDN tokens is available to be paid out as rewards for the two tiers of vulnerabilities defined above:

  • Tier 1 vulnerabilities: Bugs reported in this tier are eligible for rewards worth up to $20,000.
  • Tier 2 vulnerabilities: Bugs reported in this tier are eligible for rewards worth up to $5,000.

To calculate the bounty reward in RDN, the exchange rate of the day on which the reward is paid out is used. brainbot labs Est. reserves the right to adjust the exchange rate in case of extreme or abnormal trading conditions.

Intended Behavior

For the intended behavior of the Raiden client and protocol please check out the following links.

Submissions

Please send submissions via email to [bounty (at) raiden (dot) network]. The email should contain:

  • A detailed description of the bug and any supporting material (e.g. source examples) needed to reproduce it
  • Title of the vulnerability
  • Description of the vulnerability
  • Proof of concept / reproduction steps
  • Criticality assessment
  • Tools and versions used
  • Attachments (screenshots or video)
  • Suggested fixes / solutions
  • Email address (so that we can contact you if your vulnerability submission is accepted)
  • A single ETH address to which the reward should be sent if the vulnerability submission is accepted

Additionally, please state whether you would like to be named in the post-bug bounty report and on the “bugs found” board on the website and, if so, under what name.

You can read more about how to write a well structured vulnerability report here.

Payouts of bug bounty rewards

In order to comply with local AML regulations, we are required to obtain some information about you prior to paying out any reward.

Submission Rules

  • Please keep in mind that bugs in, or suggestions for improvements to, the executables are not eligible for the bug bounty unless they cause harmful behavior or the loss or theft of tokens as outlined above.
  • All submitted issues should assume that all the requirements for safe usage of Raiden as outlined here are met. There is a whole category of known problems that appear if the Ethereum blockchain does not operate normally, for example if it is under congestion or DDoS, or if the systems of the participants are under DDoS. These problems are not eligible for the bug bounty.
  • Reports are not credited on a first come, first served basis. A reproducible report takes precedence over an earlier but less complete submission.
  • Employees, contractors or officers of brainbot labs Est. and its affiliates are not eligible for the bug bounty.
  • We consider a number of variables in determining rewards. Determinations of eligibility, vulnerability level recognition, and all terms related to an award are at the sole and final discretion of brainbot labs Est.

Responsible Disclosure

  • Please do not make the details of any vulnerability you find public until we have confirmed that it is all right to do so.
  • Do not attempt to actively exploit any security issue you discover.

To chat with us about development-specific questions, visit our Gitter channel.

Make sure to stay up to date by following us on Twitter and Medium and joining the conversations on Reddit and Gitter!

The Raiden project is led by brainbot labs Est.

Disclaimer: Please note that even though we do our best to ensure the quality and accuracy of the information provided, this publication may contain views and opinions, errors and omissions for which the content creator(s) and any represented organization cannot be held liable.

The wording and concepts regarding financial terminology (e.g. “payments”, “checks”, “currency”, “transfer” [of value]) are exclusively used in an exemplary way to describe technological principles and do not necessarily conform to the real world or legal equivalents of these terms and concepts.
