crypto-bug-hunters / bug-buster

🪲 Bug Buster, a bug bounty platform powered by Cartesi Rollups
https://x.com/BugBusterApp
Apache License 2.0

Copy bounties to `/bounties/examples` #102

Closed guidanoli closed 4 months ago

guidanoli commented 4 months ago

Closes #100

guidanoli commented 4 months ago

You can inspect the `/bounties/examples` directory by running `cartesi build`, then `cartesi shell`, and then...

```sh
ls -1 /bounties/examples/
```

This is the output for my case. It depends on what bounties you have compiled locally.

```
busybox-1.36.1-bounty_riscv64.tar.xz
lua-5.4.3-bounty_riscv64.tar.xz
lua-5.4.6-bounty_riscv64.tar.xz
solidity-0.8.24-bounty_riscv64.tar.xz
sqlite-3.32.2-bounty_riscv64.tar.xz
sqlite-3.43.2-bounty_riscv64.tar.xz
```

The largest one by far is the Solidity compiler bounty. You can check how much space the bounty examples are occupying by running:

```sh
du -h /bounties/examples/
```

In my case, it's 4.5 MB big. Considering the machine image as a whole is 247 MB, I wouldn't say it would take too big of a toll on the disk and RAM of the node.

claudioantonio commented 4 months ago

Hey @guidanoli! I don't think we should add the Solidity compiler bounty to the `/bounties/examples` folder because we don't have an exploit already known for it, and then users will not be able to play with it. My understanding is that the Solidity compiler is the first real bounty (or official bounty), funded by the foundation, that we will make available to hackers to try to find an exploit.

Here are my thoughts for us to shape together:

  1. I loved the idea of having some built-in example bounties. I think 2 are good: SQLite and BusyBox, for example.
  2. I think we should have another folder for real bounties (`/bounties/official`?)
  3. I would not add all the examples that we have today as built-in, to allow users to experiment with sending them as inputs. We could leave the Lua one for users to experiment with sending a bounty via input. PS: You can change the bounties for the usage I mentioned above at will, ok?

What do you think? Can we move forward this way?

guidanoli commented 4 months ago

Hey @claudioantonio!

> I don't think we should add the Solidity compiler bounty to the /bounties/examples folder because we don't have an exploit already known for it and then users will not be able to play with it.

Yes, you are right, Solidity 0.8.25 has no known exploits. However, I think it would be beneficial to have the Solidity bounty included in the machine, so that we can test it on Optimism Sepolia. This would allow us to catch any bugs at this early stage, and not on production.

> I think we should have another folder for real bounties (/bounties/official ?)

It would complicate the Dockerfile, though... Right now, we can just do a `test/bounties/**/*.tar.xz` glob, but if we were to create separate folders for example and real bounties, we'd have to copy bounties one-by-one.

> I would not add all examples that we have today as built-in to allow users experiment sending them as inputs. We could left the Lua one for users experiment sending a bounty via input.

I don't see why we need to filter out some bounties, just so we can force users to add them through calldata. If a user wants, they can upload bounties even if they are built-in.

claudioantonio commented 4 months ago

> I think we should have another folder for real bounties (/bounties/official ?)

> It would complicate the Dockerfile, though... Right now, we can just do a `test/bounties/**/*.tar.xz` glob, but if we were to create separate folders for example and real bounties, we'd have to copy bounties one-by-one.

Not the time to complicate things! I will approve the PR so we can keep to the plan, and we can discuss the adjustments for the next steps further. 😉