EthereumCommonwealth / Roadmap

GNU Lesser General Public License v2.1

ETC multisig wallet bug bounty. #46

Closed Dexaran closed 6 years ago

Dexaran commented 6 years ago

Scope

  1. MultisigWallet.sol

  2. DayLimit.sol

  3. Multisig.sol

  4. Shareable.sol

Contract overview

This is an implementation of a Multisig wallet smart-contract. This Wallet smart-contract is designed to store funds and restrict access to funds management.

The main goal of this wallet is to serve as storage for the official donations for Ethereum Classic development.

Bug bounty

1. $10,000 for finding a critical bug.

A critical error is an error that can be directly exploited and violate the workflow of contracts or lead to a breach of contract operability. A critical error is an error, as a result of which the wallet owners lose access to the funds in the wallet, or the attacker gets access to these funds.

2. $2000 for security vulnerabilities and bugs that could not be directly exploited but can affect contracts in some specific circumstances.

Any bugs that can occur in some specific circumstances and violate the contracts' workflow or lead to a breach of contract operability. A security vulnerability is an error, as a result of which the wallet owners lose access to the funds in the wallet, or the attacker gets access to these funds.

3. $100-500 for code flaws that cannot cause a direct loss of funds.

Any code flaw reports that can violate the contract's workflow.

This does not apply to getter functions and comment improvements.

Participate

Submit an issue at the Multisig contracts repo: https://github.com/EthereumCommonwealth/ethereum-classic-multisig/issues

The first person who submits the issue bug report will be paid if the problem reported is considered to be an error.

For any questions: dexaran@ethereumclassic.org

Payments

The reward will be paid in ETC (Ethereum Classic cryptocurrency).

Timeframes

The bug bounty is relevant from February 12, 2018 to February 19, 2018.

cseberino commented 6 years ago

Dexaran: Thanks for all you do! Keep up the good work!

Dexaran commented 6 years ago

I am shutting down the Ethereum Classic multisig smart-contract bug bounty.

Bug Bounty results.

3 issues were reported in total:

  1. Missing documentation of Multisig.sol contract. (Not a security issue)

  2. A single owner can disrupt a vote for a set of multisig contract operations. (Undocumented opportunity/minor code flaw. Not a security issue)

  3. Two Owners might be able to drain the MultisigWallet. (Assumes that two owners can find a keccak256 hash collision. Not an issue of multisig contract)

No critical issues were reported.