At DeFiChain, the security of our users is our number one priority. That’s why we’re looking to harness the value of security professionals as well as developers within the community. Our Bug Bounty program underscores our values and serves our mission in becoming the most trusted and transparent blockchain protocol that enables DeFi functionalities for the bitcoin blockchain. DeFiChain’s bug bounty program awards up to US$ 50,000 in DFI for vulnerabilities in the DeFiChain code.
How to participate
There are many ways to join the program to help find and identify vulnerabilities in the DeFiChain code. You can start by connecting to the DeFiChain testnet by running defid -testnet. Alternatively, you could also study our source code at GitHub.
If you find a bug through interacting with our program and/or studying our source code, we can offer a bug bounty reward of up to USD 50,000 worth of DFI, provided that the issue is deemed significant, and you are able to provide useful info in regards to fixing or reproducing the issue.
Be sure to study the code that is tagged for official releases, not the master branch or other code still currently under development.
Security is a sensitive issue, hence we encourage our users not to submit public issues regarding the security of the blockchain. We encourage users to use their own discretion — if you feel the issue is not something the public can easily exploit, then feel free to create an issue at the repo over at GitHub. If the issue presents a critical exploit, then please email us instead at firstname.lastname@example.org.
In your submission please include:
- A clear description of the issue.
- A fix for the issue, preferably as a pull request.
- If unable to provide a fix, then please provide clear directions on how to reproduce the issue.
- Your email address or other relevant contact details (e.g. Telegram ID).
- Your DFI address for receiving the bounty if your submission is approved.
Upcoming Bug Bounty Opportunities
We just recently launched our Eunos upgrade with some really groundbreaking new features. One of these features is our unique Interchain Exchange and atomic swap capabilities. A tutorial on how both features work on DeFiChain can be found here; a step-by-step walkthrough on how the interchain exchange works can be obtained here.
In order to thoroughly test our Interchain Exchange, we are about to set up a market-making bot with 0.1 BTC on each side to act as a market-maker to allow anyone intending to use it to take on the order instead of having to wait for makers. It’s not live yet and still under development. More about the bot can be found here.
The Interchain Exchange and atomic swaps are live on the mainnet. If you find security issues or any other vulnerabilities in the code, then you might be eligible for our bug bounty program as per the terms above.
Our first bounty awarded over 5,000 DFI, equivalent to more than US$ 15,000, was granted to Dr. Daniel Cagara for his discovery of a critical security related bug, which has already been fixed and upgraded. Dr Cagara is also topping our leaderboard with a total award of 13,000 DFI or close to 39,000 USD.
The most recent bug bounty payouts were awarded for 3 security-related bug disclosures by Dr. Daniel Cagara. All of these issues have already been fixed on the mainnet. Here are some insights into the respective bugs:
3rd-party masternode fund lockup issue: 1,500 DFI
- This issue, if unfixed, allowed users to lock up a 3rd party custodian's fund, such as an exchange, and use it as collateral for masternode.
- This is now addressed on mainnet. You need to prove ownership of the custodian address when creating a masternode.
Probabilistic side mining exploit: 2,500 DFI
- With coinage, users can probabilistically guess the next few successful masternodes that are about to mine the next few blocks.
- It is a problem because you can create a huge number of addresses at the side and monitor which ones are likely to get to mine the 11th block (it takes 10 blocks to register) before registering. This gains an unfair advantage.
- As far as I know, this is a theoretical exploit and is not exploited in the wild.
- This is now mitigated by requiring 1,008 blocks for newly registered masternodes to be activated. Also coupled with the speedy masternode feature, it is improbable now to be able to correctly guess the next masternodes and gain an unfair advantage by "side mining".
- A longer activation period for masternodes also adds to overall PoS network security and stability with a masternode list that is more permanent.
Dropping of masternode through transaction malleability: 4,000 DFI
- A penalty feature is built-in to prevent a masternode from staking on multiple forks. This penalty feature is not yet enabled on mainnet by any masternodes, however the transaction was valid on mainnet if a masternode was able to submit a proof that a masternode has been staking on multiple forks.
- The penalty will result in the masternode getting banned from the chain, requiring the affected masternode to have to re-register and wait for 1008 blocks to be activated again.
- However, transaction malleability allows for malicious masternode to craft a bad proof, causing honest masternodes to be banned.
- This issue is now removed from mainnet by invalidating the penalty transaction. This has never been exploited on mainnet.