We’re excited to announce that we are conducting a bug bounty for all contracts relevant for our upcoming DutchX release as well as the Initial OWL Generation. We believe bug bounties are essential to ensuring a safe release, and are especially important when funds are being exchanged. Learn all about the mechanism design of our DutchX here.

All contracts that are part of this bug bounty program have been audited independently by three auditors of Solidified, with the results report published here. After the audit, we implemented some changes to our code. These changes were reviewed in a second step by all involved auditors to ensure that the alterations did not introduce new bugs. After the audit, a bug bounty was released within the Solidified auditor community. No confirmed bugs have been found thus far.

Now that the audit is successfully completed and a first round of bug bounty has been finished, we’re starting the public bug bounty program. This blog post contains all the relevant information such as scope, timeline, and compensation of the program.

Most of the Ethereum Foundation bug bounty program rules also apply to the DutchX bug bounty program:

Issues that have already been submitted by another user or are already known to the Gnosis team are not eligible for bounty rewards.

Public disclosure of a vulnerability makes it ineligible for a bounty.

The Gnosis core development team, employees, and all other people paid by Gnosis, directly or indirectly (including the three Solidified auditors), are not eligible for rewards.

The DutchX bounty program considers a number of variables in determining rewards. Determinations of eligibility, score, and all terms related to an award are at the sole and final discretion of the DutchX bug bounty panel.

Program Scope

The scope of our bug bounty program includes all contracts related to the DutchX as well as the Initial OWL Generation.

In scope:

a) DutchX contracts

DutchExchange

Proxy

Medianizer (Note: This is the copy of the MakerDAO price feed)

PriceOracleInterface

TokenMGN

b) Initial OWL Generation contracts (Note: The bug bounty for these contracts terminated with their deployment to the mainnet on June 21st, 2018; see the Timeline section below)

Initial OWL Generation (“OWLAirdrop”)

Proxy

TokenOWLProxy

TokenOWL

Examples of what’s in scope:

Being able to generate more or less Magnolia than intended

Being able to steal participants’ funds or Magnolia (or those in the DutchX contracts or Initial OWL Generation contracts)

Being able to reduce liquidity contributions without holding the appropriate amount of Magnolia

Being able to pay more than half of the liquidity contribution in OWL

Being able to get tokens stuck (other than via the known weakness)

Being able to change auctioneer parameters without being an auctioneer

Bugs related to the integration of the MakerDAO price feed

Being able to generate too many/too few OWL in the Initial OWL Generation contracts

Being able to get GNO tokens stuck in the Initial OWL Generation contracts

Out of scope:

Bugs related to Internet Explorer

Any bots that might run on top of the smart contracts

Most user experiences related to the front-end

Further examples of what’s out of scope:

More efficient gas solutions

Any points listed in the list of already known weaknesses

Any points listed in the audit results report

Intended Behavior

a) DutchX contracts

The purpose of the contracts is to facilitate trading of Ethereum tokens based on the principle of Dutch Auctions as described in this documentation.

b) Initial OWL Generation contracts

OWL tokens are generated by locking GNO tokens. One locked GNO will generate 10 OWL. Every GNO can only be used once to generate OWL in this initial OWL generation process. Locked GNO tokens cannot be traded or transferred until a certain date (still to be determined). From this specific date onwards, GNO can be reclaimed. OWL tokens are credited immediately upon locking GNO.
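The intended behaviour described above, as an added reference model written for this post (it is not the project's contract code): the lock window end and the unlock date are assumed parameters, and the model checks the invariants a failing test case in a submission would try to break.

```python
OWL_PER_GNO = 10  # from the post: one locked GNO generates 10 OWL


class OwlGenerationModel:
    """Reference model of the intended Initial OWL Generation behaviour.

    Assumed parameters (not stated on the page): locking is accepted only
    while now < lock_end, and locked GNO can be reclaimed from unlock_date on.
    Balances are whole GNO units; the real contracts use token decimals.
    """

    def __init__(self, lock_end, unlock_date, gno_balances):
        # If reclaiming could open before locking closes, the same GNO could be
        # reclaimed and locked again, generating OWL twice.
        assert unlock_date >= lock_end, "reclaim must not open before locking closes"
        self.lock_end, self.unlock_date = lock_end, unlock_date
        self.gno = dict(gno_balances)      # free (transferable) GNO per account
        self.locked = {}                   # GNO currently locked per account
        self.owl = {}                      # OWL credited per account
        self.total_ever_locked = 0         # never decreases, even after reclaim

    def lock(self, who, amount, now):
        """Lock GNO and credit OWL immediately; False if the request is rejected."""
        if now >= self.lock_end or amount <= 0 or self.gno.get(who, 0) < amount:
            return False
        self.gno[who] -= amount
        self.locked[who] = self.locked.get(who, 0) + amount
        self.owl[who] = self.owl.get(who, 0) + amount * OWL_PER_GNO
        self.total_ever_locked += amount
        self.check_invariants()
        return True

    def reclaim(self, who, now):
        """Return locked GNO to the account once the unlock date has passed."""
        if now < self.unlock_date or self.locked.get(who, 0) == 0:
            return 0
        amount = self.locked.pop(who)
        self.gno[who] = self.gno.get(who, 0) + amount
        self.check_invariants()  # OWL is untouched: reclaiming burns nothing
        return amount

    def check_invariants(self):
        """Properties a bug report against these contracts would try to break."""
        # Exactly 10 OWL exist for every GNO ever locked, no more and no less.
        assert sum(self.owl.values()) == OWL_PER_GNO * self.total_ever_locked
        # GNO currently locked can never exceed what was locked in total.
        assert sum(self.locked.values()) <= self.total_ever_locked
        # No account ends up with negative free GNO (no over-locking).
        assert all(v >= 0 for v in self.gno.values())
```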

Timeline

As of this post, the bug bounty program is considered started and valid reports of bugs will be compensated moving forward. The bounty program will run on a testnet first. Once we release to the mainnet, the same scope applies for mainnet bugs. The bug bounty will continue even after the DutchX release.

However, the bounty program for the Initial OWL Generation contracts will only run until the contracts go live on the mainnet. *Update: The contracts were deployed on the mainnet on June 21st, 2018. Thus, the bug bounty for these contracts has now terminated. Any bugs reported before June 21st, 2018, are accepted.

Compensation

Rewards will be based on the below listed scores, but are ultimately determined at the sole discretion of the Gnosis bug bounty panel.

High: up to $20,000

Medium: up to $5,000

Low: up to $1,000

All bounties will be paid in ETH.

Any bug (it does not necessarily need to lead to a redeploy) will be considered for a bounty. An identified attack that could steal funds, tokens, or Magnolia would be considered a high threat. If there were a way for someone to reduce liquidity contributions without holding the appropriate amount of Magnolia, the bug would be considered a medium threat. A reported bug that on its own leads to a redeploy of the code will always be considered high.

Please note that the submission’s quality will factor into the level of compensation. A high quality submission includes an explanation of how the bug can be reproduced, a failing test case, and a fix that makes the test case pass. High quality submissions may be awarded amounts higher than the amounts specified above.

Responsible Disclosure Policy

If you comply with the policies below when reporting a security issue to us, we will not initiate a lawsuit or law enforcement investigation against you in response to your report.

We ask that:

You give us reasonable time to investigate and mitigate an issue you report before making public any information about the report or sharing such information with others.

You make a good faith effort to avoid privacy violations and disruptions to others, including (but not limited to) destruction of data and interruption or degradation of our services.

You do not exploit a security issue you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.)

You do not violate any other applicable laws or regulations.

Reporting

Public disclosure of the bug or indication of an intention to exploit it on the mainnet will make the report ineligible for a bounty. If in doubt about other aspects of the bounty, most of the Ethereum Foundation bug bounty program rules will apply.

Please report bug bounty submissions to bounty@gnosis.pm.

Don’t forget to include your ETH address so you can be rewarded (if more than one address is specified, only one will be used at the discretion of the Gnosis bug bounty panel).

Anonymous submissions are welcome.