Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Bug Bounty: up to 50 ETH] Kleros Governor #155

Open
clesaege opened this issue Nov 22, 2019 · 0 comments
Open

[Bug Bounty: up to 50 ETH] Kleros Governor #155

clesaege opened this issue Nov 22, 2019 · 0 comments
Labels

Comments

@clesaege
Copy link
Member

@clesaege clesaege commented Nov 22, 2019

Kleros Governor Bounties

This is a bug bounty on the Kleros Governor contract.
Bugs are rewarded up to 50 ETH according to this classification:

  • Critical Bugs: 50 ETH
    for bugs that allow an attacker to make the governor execute arbitrary transactions.
  • Major Bugs: 25 ETH
    for bugs that can lock a non negligible amount user funds or enable stealing a non negligible amount of user funds.
  • Minor Bugs: 5 ETH
    for smaller bugs which can still produce a non negligible amount of harm to users.

If you find a bug you can send a mail to clement@kleros.io. In case of dispute about the classification of a bug, Kleros will be used to solve it.

Kleros Governor

The Kleros Governor is gonna be the governor of most Kleros applications. It implements, through smart contract calls, the decisions made in plain English by the Kleros governance mechanism.

  • Anyone can submit a list of transactions to execute, corresponding to decisions which were made by the governance mechanism. A deposit is required.
  • If a submitter notice that a similar list have been submitted, it can withdraw its list within withdrawTimeout. This can only be done during the first half of the submission period.
  • Once the submission period is over
    • If no list were submitted, a new submission period starts. Note that in practice, this should not happen as someone should submit the empty list if no decisions were made.
    • If one list was submitted, this list is approved and the submitter deposit reimbursed.
    • If more than one list was submitted, a dispute is created.
  • The arbitrator (Kleros), rules on the list which corresponds to what was decided in plain English by the governance mechanism. This list is approved. The submitter who submitted the chosen list is awarded the sum of submission deposits minus what was used to pay the arbitration fees. If the arbitrator refuses to arbitrate, no list is approved and the deposits are kept by the contract.
  • There is an appeal mechanism. Appeal fees can be crowdfunded. If only one side paid its appeal fees, this side is considered to be the winning side.
  • As soon as 2 side paid appeal fees, an appeal is created.
  • After a ruling is made, crowdfunders can withdraw:
    • If the side they were crowdfunding for did not reach the required amount, their contributions are reimbursed.
    • If the winning side did not reach the required amount (also the case in case of "refuse to arbitrate ruling"), the remaining part of deposits (after arbitration fees are paid) are reimbursed proportionally to contributions.
    • If the winning side reached the required amount, crowdfunders of this side are awarded the remaining part of the deposits (after arbitration fees are paid).
  • Anyone can execute approved transactions.

Bounty

Smart Contract Guidelines

We use those guidelines to write smart contracts. In particular, we do not try to prevent stupid behaviors at the contract level but leave this task to the UI. Letting the possibility to a user to harm itself is not a vulnerability (but should of course be dealt at the UI level).

Violation of guidelines are not vulnerabilities but can be reported as "suggestion for tips" (you may get a few PNK for it).

Bounty Rules

  • If you have any questions, don't hesitate to ask on the slack channel (slack.kleros.io #smart-contract-review) or by sending a mail to clement@kleros.io .
  • This bounty may be advertised on multiple platforms. Bounties are only awarded to the first person finding the bug irrespective of the platform.
  • All this code is provided under MIT license and can be reused by other projects. If you do, don't hesitate to inform us and we may list your deployed contracts in the @deployed of the RAB pragma.
  • Good luck hunting and have fun hunting!

Extra info

Extra information are given for informational purpose. This allows you to see the bigger picture of what the contract is made for.

@clesaege clesaege added the Bounty💰 label Nov 22, 2019
@clesaege clesaege pinned this issue Nov 22, 2019
@clesaege clesaege changed the title [Bug Bounty: up to 10 ETH] Kleros Governor [Bug Bounty: up to 25 ETH] Kleros Governor Dec 9, 2019
@clesaege clesaege changed the title [Bug Bounty: up to 25 ETH] Kleros Governor [Bug Bounty: up to 50 ETH] Kleros Governor Dec 31, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
1 participant
You can’t perform that action at this time.