The Ethereum Name Service Bug Bounty is Live
The Ethereum Name Service (ENS) is now included in the Ethereum Bug Bounty Program. This post explains how to participate in it.
The team is hard at work on the Ethereum Name Service (ENS) relaunch. One issue identified after the first launch attempt was the lack of a formal bug bounty. We’re happy to announce that as of April 7, 2017 ENS is now included in the Ethereum Bug Bounty Program.
ETHEREUM Bounty Program
The Ethereum Bounty Program provides bounties for bugs. We call on our community and all bug bounty hunters to help identify bugs in the protocols and clients. Earn rewards for finding a vulnerability and get a place on our leaderboard. See Rules & Rewards section for details.
The ENS Security Bug Bounty Category
ENS security is now a category of the overall Ethereum Bug Bounty. From the Ethereum Bounty Program site —
This category includes:
-Flaws making it possible to gain unauthorized access to, or prevent the authorized withdrawal of, funds locked in Deeds.
-Flaws making it possible to interfere with, or make modifications to, an ENS-domain belonging to another user.
-Flaws in the auction that affect the legitimacy of auction results.
ENS Security Bug Example
Nick Johnson, a member of the ENS team, wrote a post describing an ENS security bug example. It was discovered during the first launch attempt.
The auction registrar was designed with two distinct phases for each auction: bidding, and reveal. If users can bid during the reveal phase, they can wait until they know what their opponents bid, and either outbid them, do nothing, or underbid them by a small amount to force them to pay the maximum. To prevent this, the auction registrar was designed to prohibit bids during the reveal phase of the auction.
A refactor accidentally removed that check, and while we have many unit tests, this edge case was not amongst them. We’ve since written more unit tests to cover this and other issues to prevent any recurrence of problems like this one.
The bug would have allowed people to bid during the reveal period, thus affecting the legitimacy of auction results.
Bug Bounty Payout Amounts
The ENS Bug Bounty follows the Ethereum Bug Bounty Program Rules and Rewards (scroll about 25% down that page) -
Reward sizes are guided by the rules below, but are in the end, determined at the sole discretion of the Ethereum Foundation bug bounty panel.
Critical: up to 25 000 points
High: up to 15 000 points
Medium: up to 10 000 points
Low: up to 2 000 points
Note: up to 500 points
1 point currently corresponds to 1 USD (payable in ETH or BTC), something which may change without prior notice.
Beyond monetary rewards, every bounty is also eligible for listing on our leaderboard with points accumulating over the course of the program.
In addition to Severity, other variables are also considered when the Ethereum Foundation bug bounty panel decides the score, including (but not limited to):
Quality of description. Higher rewards are paid for clear, well-written submissions.
Quality of reproducibility. Please include test code, scripts and detailed instructions. The easier it is for us to reproduce and verify the vulnerability, the higher the reward. Please see the wiki and repos to learn more about our test suite: Example test and wiki.
Quality of fix, if included. Higher rewards are paid for submissions with clear description of how to fix the issue.
Conclusion and Additional Resources
We look forward to the community’s participation in the ENS Bug Bounty.
You can find -
- The ENS code here
- More information about the bug bounty on the official Ethereum Bug Bounty Program site
Let us know in the ENS Gitter Channel.