Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Bug Bounty: up to 50 ETH] Multiple Arbitrable Transaction #243

Open
n1c01a5 opened this issue Mar 22, 2019 · 9 comments

Comments

Projects
None yet
5 participants
@n1c01a5
Copy link
Member

commented Mar 22, 2019

Multiple Arbitrable Transactions Bounties

This is a bug bounty on the Multiple Arbitrable Transaction contract.
Bugs are rewarded up to 50 ETH according to this classification:

  • Critical Bugs: 50 ETH
    for bugs that enable stealing significant user funds.
  • Major Bugs: 25 ETH
    for bugs that can lock user funds or enable stealing a low amount (such as the fees) of them.
  • Minor Bugs: 5 ETH
    for smaller bugs.

If you found a bug you can send a mail to clement@kleros.io and nicolas@kleros.io.

Multiple Arbitrable Transactions

  • Sender makes an arbitrable transaction to a receiver. It can be automatically executed after _timeoutPayment.
  • The sender can have the contract pay (in part of totally) the amount using pay.
  • The receiver can have the contract reimburse (in part or totally) the sender by using reimburse.
  • Both parties can pay arbitration fees, giving some time to the other to pay the fees too to create a dispute. If one party fails to pay the fees, this party forfeits the amount.
  • Note that in case the arbitrator changes the fees after one party paid it, the burden of fee payment can make multiple back and forth. In practice, fees should not change that often and it should be an edge case. Extra fees due to over-payment or fee change are reimbursed.
  • The arbitrator which is ERC792 can rule disputes in favor of either party. The winning party gets the amount in the contract and is reimbursed the fees.
  • If the arbitrator "rules 0", the amount in the contract (initial value and remaining fees) is split within the parties (weis being trapped due to rounding are OK).

Bounty

Smart Contract Guidelines

We use those guidelines to write smart contracts. In particular, we do not try to prevent stupid behaviors at the contract level but leave this task to the UI. Letting the possibility to a user to harm itself is not a vulnerability (but should of course be dealt at the UI level).

Violation of guidelines are not vulnerabilities but can be reported as "suggestion for tips".

Bounty Rules

  • If you have any questions, don't hesitate to ask on the slack channel (slack.kleros.io #smart-contract-review) or by sending a mail to clement@kleros.io .
  • All this code is provided under MIT license and can be reused by other projects. If you don't hesitate to inform us and we may list your deployed contracts in the @deployed of the RAB pragma.
  • Good luck hunting and have fun hunting!

@n1c01a5 n1c01a5 added the Bounty 💰 label Mar 22, 2019

@n1c01a5 n1c01a5 pinned this issue Mar 22, 2019

@gitcoinbot

This comment has been minimized.

Copy link

commented Mar 27, 2019

Issue Status: 1. Open 2. Started 3. Submitted 4. Done


This issue now has a funding of 5.0 ETH (691.06 USD @ $138.21/ETH) attached to it as part of the @kleros fund.

@gitcoinbot

This comment has been minimized.

Copy link

commented Apr 8, 2019

Issue Status: 1. Open 2. Started 3. Submitted 4. Done


Work has been started.

These users each claimed they can complete the work by 1 day, 4 hours from now.
Please review their action plans below:

1) scammi has started work.

I'm reviewing you contract, I will contact the email with the report.

Thank you.
Santiago from Buenos Aires. Arg.

Learn more on the Gitcoin Issue Details page.

2) biuxmaster has started work.

I pretend to review this contract . I will contact the email with the report.

Learn more on the Gitcoin Issue Details page.

@gitcoinbot

This comment has been minimized.

Copy link

commented Apr 23, 2019

Issue Status: 1. Open 2. Started 3. Submitted 4. Done


Work for 5.0 ETH (864.55 USD @ $172.91/ETH) has been submitted by:

  1. @biuxmaster

@clesaege please take a look at the submitted work:


@biuxmaster

This comment has been minimized.

Copy link

commented Apr 23, 2019

Hi, I sent the report of my work via email for the 2 accounts that are on the description, I hope it's what you need

@marsrobertson

This comment has been minimized.

Copy link

commented May 1, 2019

  1. Deadline of the submissions? (make it ongoing)

  2. Add to the list: https://consensys.github.io/smart-contract-best-practices/bug_bounty_list/

Issues and PRs are welcome to add new bounties, or remove those which are no longer active.

https://github.com/ConsenSys/smart-contract-best-practices/blob/master/docs/bug_bounty_list.md

(assuming the bounty is ongoing)

More eyeballs = higher security.

At first I was overwhelmed by the complexity, after participating in the hackathon I got the understanding of what's going on but I'm a little bit tired... Need to allow some time to rest :)

@clesaege

This comment has been minimized.

Copy link
Member

commented May 3, 2019

@biuxmaster What was your email title (we got reports but I don't know if it was from you, so just want to be sure I haven't missed any).

@clesaege

This comment has been minimized.

Copy link
Member

commented May 13, 2019

@marsrobertson Found minor issue:
In case a party paid the fee, the fee increased, the second payed the fee, but the first one timed out, the first fee paid stayed locked in the contract forever.
This should have been fixed by 770cdda#diff-1784bdab8a238afa7c94981e245fd676
The bounty is paused for 3 days (for issues which would be related) to allow Kleros team to review those changes.

@marsrobertson

This comment has been minimized.

Copy link

commented May 14, 2019

I can confirm the issue is relatively minor, edge case, unlikely scenario, a few things would need to happen, I don’t think it would ever occur in real usage.

(nevertheless, bug is a bug, it shouldn't happen even if we assume it is unlikely)

The team responded quickly and provided fix ASAP.

🥚🥚🥚Happy hunting 🥚🥚🥚

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.