Loopring Protocol 3.0 Beta2 Bug Bounty

[mfinestone]

Loopring has allocated up to 1,000,000 LRC for those who identify significant security issues in Loopring Protocol 3.0.

Background

Loopring is an orderbook-based DEX protocol. The 3.0 version scales by migrating most storage and computation off the Ethereum blockchain. User balances and order trading histories are maintained as part of an off-chain Merkle tree per DEX. 

Requests, such as deposits, withdrawals, order cancellation, and trade settlements, are processed as batches to update the Merkle tree. For each batch, the DEX operators only need to publish a 32 bytes post-processing Merkle tree root to Ethereum - and then, asynchronously, provide a Zero-Knowledge proof to verify user balances and order trading histories have been updated strictly by the rules enforced by the protocol.

Thanks to SNARKs, Loopring can settle up to 660 trades per second. If the on-chain data-availability feature is enabled, Loopring can still settle 200 trades per second. We expect to implement a more efficient data compression solution to offer even higher throughput.

Features

The current beta release, v3beta2, supports the following features:

• Symmetric order modelling: All orders take the same format, regardless if they are maker orders or taker orders.
• Dual Authoring: This is inherited from the previous versions to prevent orders or settlement requests from being stolen.
• Order auto-scaling and partial matching.
• Withdrawal mode: When a DEX fails to fulfill duties enforced by the protocol, users can withdraw their full balances by providing valid Merkle proofs (and the DEX operator got slashed). If on-chain data-availability is on, Merkle proofs can be generated merely from on-chain data; otherwise, users will have to request data from DEX operators.
• Maintenance mode: Loopring provides a way for DEX operators to temporarily suspend user requests so they can upgrade their infrastructure. This is critical to ensure DEXes can be truly production-ready.
• Proactive withdrawal distribution: Loopring DEX operators distribute approved withdrawn balances back to users' addresses in a proactive way. This means users do not have to take a second action to get their tokens back to their own wallets - same as centralized exchanges.

Bounty Rules

• We'll pay up to 250,000 LRC for each critical bug, defined as a bug that causes all funds to be susceptible to loss;
• up to 100,000 LRC for each bug that causes one user's funds to be susceptible to loss;
• and up to 50,000 LRC for other bugs.
• **(updated) This bounty program is valid for 3 months (Oct 13, 2019).***

Performance enhancement suggestions are welcomed but do not qualify for bounties. We have many existing ideas on how to improve the throughput and/or lower the cost. That said, if your idea is truly inspiring and eventually gets adopted, we may still grant you some tokens at our discretion.

This bounty program is set up only for the Smart Contracts in v3beta2, circuits excluded. Bugs found in other versions don't qualify. The Design Doc is something you must read to understand the overall design and solidity code.

How to participate

• Create an issue at https://github.com/Loopring/protocols/issues.
• Prefix your issue with [Protocol3], and add Loopring Protocol 3 as Projects. Please also label it as Bug and Bounty . 
• If you just want to reach out to ask questions, please also create an issue -  unless there is a duplicate one, and label it as discussion instead.

Thanks! Looking forward to the community's help. Happy hunting!

Important Update:

When you identified a bug, please check if it has already been fixed on the master branch. If so, the bug is not valid for claiming a reward.

[gitcoinbot]

Issue Status: 1. Open 2. Started 3. Submitted 4. Done

---

This issue now has a funding of 1000000.0 LRC attached to it as part of the Loopring fund.

• If you would like to work on this issue you can 'start work' on the Gitcoin Issue Details page.
  • Want to chip in? Add your own contribution here.
  • Questions? Checkout Gitcoin Help or the Gitcoin Slack
  • $130,376.80 more funded OSS Work available on the Gitcoin Issue Explorer

[gitcoinbot]

Issue Status: 1. Open 2. Cancelled

---

Work has been started.

These users each claimed they can complete the work by 2 years, 4 months ago. Please review their action plans below:

1) kris30pl has started work.

i want recive something i work and nothing 2) evertonmelo has started work.

I found an incompatibility between dependencies. I'll report it as an "issue." 3) reslake has started work.

0x71C7656EC7ab88b098defB751B7401B5f6d8976F 4) wew0011001 has started work.

I can help in security bug and i need most of financial. 5) davidbanu has started work.

Would love to take part in this bug bounty... 6) maskerwind has started work.

find and submit bugs find and submit bugs find and submit bugs find and submit bugs

Learn more on the Gitcoin Issue Details page.

[ryanleecode]

Just FYI, i don't think we have permissions to set labels / add to projects

[dong77]

Just FYI, i don't think we have permissions to set labels / add to projects

That's fine without adding project/labels.

[k06a]

Is it still active?

[Brechtpd]

@k06a The end date of the bug bounty is October 13.

[dong77]

According to my stats, only 1 participant submitted 1 issue for upgrading npm packages, which is not a bug at all. The other participants have no output.

Stats

• kris30pl - No issue submitted, No work done.
• reslake - No issue submitted, No work done.
• wew0011001 - No issue submitted, No work done.
• davidbanu - No issue submitted, No work done.
• maskerwind - No issue submitted, No work done.
• EvertonMelo - 1 issue submitted for npm package upgrade

[gitcoinbot]

Issue Status: 1. Open 2. Cancelled

---

The funding of 1000000.0 LRC (45940.0 USD @ $0.05/LRC) attached to this issue has been cancelled by the bounty submitter

• Questions? Checkout Gitcoin Help or the Gitcoin Slack
• $93,125.85 more funded OSS Work available on the Gitcoin Issue Explorer