gitcoinbot
commented
6 years ago Issue Status: 1. Open 2. Started 3. Submitted 4. Done
This issue now has a funding of 3.0 ETH (614.04 USD @ $204.68/ETH) attached to it as part of the Coinvest fund.
- If you would like to work on this issue you can 'start work' on the Gitcoin Issue Details page.
- Want to chip in? Add your own contribution here.
- Questions? Checkout Gitcoin Help or the Gitcoin Slack
- $56,636.86 more funded OSS Work available on the Gitcoin Issue Explorer
RobertMCForster
Coinvest has opened our V3 token and Investment contracts bug bounty!
Details
Our readme has details on the operation of the contract. Please review that before posting any bounties.
Contracts
The contracts in scope are: Bank.sol CoinvestToken.sol Investment.sol Ownable.sol SafeMathLib.sol TokenSwap.sol UserData.sol
Additional Intended Behavior
Coinvest Token: The COIN token is based on the ERC865 standard. This allows users to pay gas using COIN instead of ether when the transaction is sent through a delegate.
The previous version of the COIN token had a transaction malleability error stemming from using signatures as unique identifiers so keep an eye on this contract!
There is also a TokenSwap contract created in order to allow for the exchange of COIN V1 and COIN V2 to COIN V3. V1 is an ERC223 token, V2 is our old ERC865, and V3 is our new ERC865.
Investment, UserData, and Bank: These contracts form an investment system that allows users to purchase and sell singular and indexed assets at market price. When a user purchases, CryptoCompare is queried through Oraclize for the current price of the asset, then funds are transferred from the user to the bank for safe-keeping.
UserData is then modified on a successful purchase and will keep track of all user holdings.
Buys and sells must be able to be made using COIN, must be able to be made using our token's pre-signed system, and must be able to exchange COIN for CASH or vice versa (to name a few requirements). CASH is a stablecoin element of our system that is not yet being launched, so for now we also need to be sure no vulnerabilities come from NOT having CASH.
The pre-audit version of this contract had a bug related to how the CryptoCompare API returns results so make sure to examine all parts of the system.
Rewards
Critical: 15 ETH A critical bug is a bug that will enable stealing of funds, major loss of funds, or permanent disablement of a contract.
Major: 5 ETH A major bug significantly affects the ability of the contract to operate. These would include ERC incompatibilities (ERC865 not applicable because of its lack of maturity) and certain functions being unable to operate.
Minor: 1 ETH Minor bugs entail an issue regarding the contract not operating as it was designed, but in a non-threatening manner.
Contact Info
Please submit any bugs to security@coinve.st--all bugs should be e-mailed to us, not submitted as an issue. The Token Bug Bounty will end on 11/4/18 and the Investment Contracts Bug Bounty will continue indefinitely. All rewards are issued at the sole discretion of the Coinvest team.