We have released the bug bounty version of Microraiden and deployed it on the Ethereum main net. An audit of the smart contracts is also about to be completed and details on it will follow shortly. As a complement to the security audit and because we take security seriously, we would like to outline a community bug bounty for the Microraiden code in this post.

Scope of the Bounty

Within scope is only the Microraiden smart contract and its library:

Not in scope is the Microraiden python code itself as well as the example Token.sol code in the repository.

Duration of the Bounty

There will be future releases and main net deployments of updated versions of Microraiden. The bug bounty is open ended in context of the respective latest release. We reserve the right to end the bug bounty at any time.

Bounty Rewards

Minor bugs which would cause a channel to behave in an unexpected harmful way, but don’t put any of the tokens deposited at risk will be rewarded with the equivalent of $5,000. For mission critical vulnerabilities that would allow non-trusted 3rd parties to steal tokens from a channel or lock them forever in a channel we will reward the equivalent of $50,000. All rewards are paid in RDN. Not eligible are newly discovered vulnerabilities which affect multiple smart contract systems and are not specific to the Microraiden implementation.

Submission Guidelines/Rules

Send your submissions via email to bounty@raiden.network.

Your email should contain as detailed a description of the bug as possible and any supporting documents (source examples) that are needed.

You should also include a single ETH address to which the reward should be sent if your bug submission is accepted.

Please keep in mind that any bugs or suggestions for improvements to the contract other than the ones causing harmful behaviours or loss of tokens are not eligible for the bug bounty.

Also note that any issues submitted should assume that both the Ethereum blockchain and the systems of the channel participants operate under normal conditions. There is a whole category of known problems which would appear if the Ethereum blockchain is not operating normally, for example, if it is under congestion/DDOS, or if the systems of the participants are under DDOS. These problems are not eligible for the bug bounty.

Make sure that you do not share your submission publicly until we have confirmed it to you, or else you will be disqualified (responsible disclosure).

Issues will be credited on a first come — first serve basis. Issues already known to us or issues already submitted by another user will not be eligible for rewards.

Issues can be submitted anonymously.

Employees, contractors or officers of brainbot labs Est. and its affiliates are not eligible for the bug bounty.

Responsible Disclosure

Don’t make the details of any vulnerability you find public until after we have confirmed it to you that it’s fine to do so.

Do not try to actively exploit any security issue you find.

Final Words

You can find more information about Microraiden at our website and in our github. To chat with us about development specific questions visit our gitter channel.

The Raiden project is led by brainbot labs Est.