[Bug Bounty: up to 50 ETH] Multiple Arbitrable Token Transaction

[clesaege]

Multiple Arbitrable Token Transactions Bounties

(Note that this is different from Multiple Arbitrable Transactions)

This is a bug bounty on the Multiple Arbitrable Token Transaction contract. Bugs are rewarded up to 50 ETH according to this classification:

• Critical Bugs: 50 ETH for bugs that enable stealing a high amount of user funds.
• Major Bugs: 25 ETH for bugs that can lock user funds or enable stealing a low but non negligible amount (such as the fees) of them.
• Minor Bugs: 5 ETH for smaller bugs.

If you find a bug you can send a mail to clement@kleros.io. In case of dispute about the classification of a bug, Kleros will be used to solve it.

Multiple Arbitrable Token Transactions

• The main payment is done in a token but fees are paid in ETH.
• Sender makes an arbitrable transaction to a receiver. It can be automatically executed after _timeoutPayment.
• The sender can have the contract pay (in part of totally) the amount using pay.
• The receiver can have the contract reimburse (in part or totally) the sender by using reimburse.
• Both parties can pay arbitration fees, giving some time to the other to pay the fees too to create a dispute. If one party fails to pay the fees, this party forfeits the amount.
• Note that in case the arbitrator changes the fees after one party paid it, the burden of fee payment can make multiple back and forth. In practice, fees should not change that often and it should be an edge case. Extra fees due to over-payment or fee change are reimbursed.
• The arbitrator which is ERC792 can rule disputes in favor of either party. The winning party gets the amount in the contract and is reimbursed the fees.
• If the arbitrator "rules 0", the amount in the contract (initial value and remaining fees) is split within the parties (weis being trapped due to rounding are OK).

Bounty

Smart Contract Guidelines

We use those guidelines to write smart contracts. In particular, we do not try to prevent stupid behaviors at the contract level but leave this task to the UI. Letting the possibility to a user to harm itself is not a vulnerability (but should of course be dealt at the UI level).

Violation of guidelines are not vulnerabilities but can be reported as "suggestion for tips".

Bounty Rules

• If you have any questions, don't hesitate to ask on the slack channel (slack.kleros.io #smart-contract-review) or by sending a mail to clement@kleros.io .
• This bounty is advertised on multiple platforms. Bounties are only awarded to the first person find the bug irrespective of the platform.
• All this code is provided under MIT license and can be reused by other projects. If you don't hesitate to inform us and we may list your deployed contracts in the @deployed of the RAB pragma.
• Good luck hunting and have fun hunting!

[marsrobertson]

Today @clesaege pinged me on Telegram about this bounty: https://web.solidified.io/contract/5d42a5e426e31a0017e77fa6

Previously I was able to find an edge case and was rewarded 5 ETH prize: https://github.com/kleros/kleros-interaction/issues/243#issuecomment-492206561

I have compared these two contracts, here is a diff: https://www.diffchecker.com/6ELoANie

Because I reviewed the previous contract, I was able to see what are the differences - they are only related to the sending ETH and sending ERC20.

As a result - these two are very similar and I believe it is safe.

[clesaege]

It has been live for quite some times without bugs found. I close to put bounties on new stuff.