SamPorter1984 / Aletheo

A marketing tool.
https://Aletheo.net

Aletheo - $0 (zero) for severe/critical vulnerability. Bug bounty hunters/auditors are required #3

Closed SamPorter1984 closed 2 years ago

SamPorter1984 commented 3 years ago

Why so low? Can it go any lower? Well, it is supposed to be $1000000, but since I can't project or imply any returns, in my eyes the LET token is always $0, and if it somehow isn't, then it will dump to $0. That is, if you are from the US. $1000000? Why so high? Is this a scam? We believe that a company usually can't have a bug bounty this high, since it's a group of people and they can't have confidence in the code, especially if it's in active on-going development. On the other hand, the smallest teams and solo developers can have confidence. Let's see if I ever have to pay this.

Bug bounty for live mainnet contracts on Ethereum Blockchain. More contracts will be added to this list, as soon as we find it suitable and ready for Audit/Bug Bounty program.

LET token trust minimized proxy: https://etherscan.io/address/0xed7c1848fa90e6cda4faac7f61752857461af284#code

LET token current implementation which can't be upgraded until certain block: https://etherscan.io/address/0xb321c6207a215360ac376a816c44b77347d9dc53#code

Founding Event: https://etherscan.io/address/0x31a188024fcd6e462abf157f879fb7da37d6ab2f#code

Staking trust minimized proxy: https://etherscan.io/address/0x93bf14c7cf7250b09d78d4eadfd79fca01bad9f8#code

Staking current implementation which can't be upgraded until certain block: https://etherscan.io/address/0x2f31e7527e69d235bf77b514dd5230941e6a9855#code

Treasury trust minimized proxy: https://etherscan.io/address/0x05658a207a56aa2d6b2821883d373f59ac6a2fc3#code (an overflow bug was already noticed and is being fixed by plugging in logic locking it in the proxy; this logic must have additional limits)

Treasury current implementation which can't be upgraded until certain block:

Oracle registry trust minimized proxy: https://etherscan.io/address/0x742133180738679782538c9e66a03d0c0270ace8#code

Oracle registry current implementation which can't be upgraded until certain block:

Job market trust minimized proxy:

Job market current implementation which can't be upgraded until certain block:

Assume that the deployer is also an attacker (deploying first malicious logic for the job market and oracle registry does not count though, this is covered by game theory; assuming that the founding event will last much longer than the limit also does not count as a bug, since it's intended behavior, and proxy locks are going to be prolonged accordingly). Basically anything: what if contracts were initialized in a wrong way, typos in hardcoded addresses, etc.

Severe/critical vulnerability: allows an attacker to steal at least an equivalent of $1000 or more in LET tokens or LET-ETH LP tokens or Ether in a span of 24 hours or less from an address that does not belong to the attacker (or just lose/terminate an equivalent of $1000 or more in a span of 24 hours or less from an address that does not belong to the attacker) strictly by interacting with the aforementioned contracts as an attacker, so without social engineering, without directing users to a malicious dApp interface, without counting Ethereum 51% attacks, etc. - $1000000 in LET tokens (assuming that LET will have value, probably not)

Moderate vulnerability: allows an attacker to steal less than an equivalent of $1000 in LET tokens or LET-ETH LP tokens or Ether in a span of 24 hours or less from an address that does not belong to the attacker (or just lose/terminate an equivalent of less than $1000 in a span of 24 hours or less from an address that does not belong to the attacker), or does not allow an attacker to steal money but rather somehow interrupts the intended behavior of the aforementioned contracts, for example not losing participants' money but dropping their rewards to 0 or something - $100000 (assuming that LET will have value, probably not)

Low vulnerability: anything that does not fit into the severe/critical or moderate vulnerability definition in this issue - $10000 (assuming that LET will have value, probably not)

The bounty for low and moderate vulnerabilities could decrease though, if I get spammed with useless submissions. The bounty for severe/critical vulnerabilities will never decrease, even if I get spammed with useless submissions.

For transparency, all vulnerabilities can be and should be submitted publicly (anywhere where I can't possibly delete it; then you can drop a link with an explanation of the vulnerability here in this bounty), even if it's a critical vulnerability which can be exploited by anybody. Everybody should know that it was you who discovered something, to minimize trust for payment. But of course, if you feel like it's best to notify in PM, you can reach out on Twitter https://twitter.com/SamPorter1984 or Telegram https://t.me/SamPorter1984

The bounty will be paid over time out of the allocation of the developer who wrote these contracts (in this case me). 75% of the maximum possible emission my allocation has will always go to reward bug bounties, if there is any reward to pay. The bounty or a part of the bounty will be paid monthly according to the monthly index of LET to USD. If the project fails to gain sufficient value for me to ever pay you the bounty, I can only pay as much as possible and say thanks.

Submitting a bug report for any contracts or programs not mentioned here won't get you money; we know that our drafts are probably vulnerable. Commented-out code does not count either. If I discover a vulnerability myself first, I will publicly announce this, and after that I am not obliged to pay you for rediscovering it. That's another reason why you may want to first publicly announce a discovered vulnerability instead of dropping it to me in PM: to, again, remove trust, because I could not find a way yet to prove the integrity of my intention to pay. You have to have a low enough IQ to understand what the project is about and see what it means to put my reputation at stake, even if I am anonymous and work with trust minimized proxies.

If you publicly report something, but I won't pay you, I destroy my reputation and the reputation of this project, and it's impossible for me to de-risk it like a typical ICO: I can claim all my tokens only in 34 years or so from inception (depends on block time).

The history of edits of this GitHub issue can be easily tracked as long as GitHub works correctly. If I remove the issue from GitHub, I also damage the reputation of the project.

There is no way for me to remove your comment from your Gitcoin page as long as Gitcoin works correctly. If I cancel the bounty, I also damage the reputation of the project.

gitcoinbot commented 3 years ago

Issue Status: 1. Open 2. Started 3. Submitted 4. Done

This issue now has a funding of 0.001 ETH (2.29 USD @ $2293.97/ETH) attached to it.

gitcoinbot commented 3 years ago

Issue Status: 1. Open 2. Started 3. Submitted 4. Done

Workers have applied to start work.

These users each claimed they can complete the work by 265 years, 7 months from now. Please review their action plans below:

1) millieg4 has applied to start work.

So he is stealing well time to set up a rat trap....

Learn more on the Gitcoin Issue Details page.

SamPorter1984 commented 2 years ago

Not an issue anymore

gitcoinbot commented 2 years ago

Issue Status: 1. Open 2. Started 3. Submitted 4. Done

The funding of 0.001 ETH attached to this issue has been cancelled by the bounty submitter.

SamPorter1984 commented 2 years ago

Looks too scammy with this amount