Update: The bug bounty is officially closed now. If you find any security issues on any of our services, email disclosures@codexprotocol.com with a full disclosure report to be eligible to receive a reward. Special thanks to Daniel Stutman for being active in the bug bounty.

As I mentioned in my previous post, alongside the simpler quests, we are launching a bug bounty program for the smart contracts that make up Codex Protocol.

The smart contracts have had an initial pass by Hosho, one of the top smart contract auditing firms in the blockchain space, but with the Mainnet launch just around the corner, we’d love for the community to get involved and help find any remaining vulnerabilities!

Any critical issues found will be rewarded up to USD 1,000 (paid in ETH) per issue.

The program officially starts June 27th at 12:01 am CST and ends July 22nd at 11:59pm CST.

The full details of the program are outlined in the bug bounty repo here: github.com/codex-protocol/bounty.codex-registry, along with all of the eligible source code. Any issues described in Hosho’s initial summary report are not eligible for rewards — but anything else is fair game.

Deployed contracts

The smart contracts are deployed in the Rinkeby test network. Below are the addresses of them on Etherscan with verified source code. As noted below in the FAQ, the deployed contracts won’t change at any point during the program, but the code eligible for bounty will. This means that the code verified on Rinkeby will likely be out of sync with the code in the GitHub repository.

Use the deployed contracts only as a starting place — the code in the repo is set up for easy local deployment via Truffle so that you can break things locally to your heart’s content.

If you find a critical bug that would compromise the integrity of the deployed contracts we kindly ask that you refrain from exploiting it to avoid disrupting other users who are providing feedback on our Codex Viewer dapp.

CodexRecordProxy: https://rinkeby.etherscan.io/address/0x034b42734234ef65e2032c0e6c80348e1ca1d40a

CodexRecord:

https://rinkeby.etherscan.io/address/0x757e39484e81b2c80cbf8cff70724103f35fbdf7

CodexStakeContainer:

https://rinkeby.etherscan.io/address/0x8fa7c01220396a205181d289ea805023abecce61

CodexCoin:

https://rinkeby.etherscan.io/token/0xb7f7848507a6af9c6d7560da89d4778aa1043d69

Scope

For the contracts deployed to the Rinkeby network, there will be 2 phases.

Phase 1: No fees or staking. At this point, the fees for the ERC-721 smart contract are turned off and all operations on the protocol are fee (minus gas costs). Phase 1 will take place from these dates: June 27th at 12:01 am CST to July 11th at 9:00 am CST.

Phase 2: Fees and staking are turned on. This means all operations on the ERC-721 smart contract now require fees in the form of the CodexCoin (the Codex Protocol ERC-20 token, denoted as CODX). Phase 2 will start as soon as Phase 1 ends and will end on July 22nd at 11:59 pm CST.

Before Phase 2 goes live in Rinkeby, we’ll expose faucet functionality within Codex Viewer to obtain CODX tokens.

REMEMBER: Use the deployed contracts only as a starting place. Only the code in this repository is eligible for the program, so always check here first before trying to break things in Rinkeby.

At any time, all code in the bounty repository on GitHub is fair game. Meaning, that even though during Phase 1 of the program, fees aren’t turned on, the staking contract and ERC-20 contracts are still eligible for rewards. Help us identify bugs, vulnerabilities, and exploits in the smart contract such as:

Creating duplicate tokens in the registry (contents don’t matter — but duplicate token IDs should be impossible)

Performing operations on tokens that you don’t have permissions on (transferring it, modifying metadata, etc.)

In Phase 2, when fees are turned on, performing “write” operations on the registry without paying fees or staking tokens (transfers, modifications, and creation of new Codex Records)

Impersonating one of the admin accounts to make administrator-level changes on the deployed contract

FAQ

How are the bounties paid out?

Rewards are paid out in ETH after the submission has been validated, usually a few days later. Please provide your ETH address.

I reported an issue but have not received a response. What’s taking so long?

We’ll respond to submissions as fast as possible. Feel free to email us at support@codexprotocol.com or contact the team via Telegram if you have not received a response.

Will the code change during the bounty?

Yes, but on a regular cadence (still TBD). The deployed contracts themselves won’t change, but the code in the bounty repository will. This is to avoid disrupting users that are interacting with the deployed Beta at https://beta.codex-viewer.com by continually deploying new smart contracts.