[Bounty -ongoing] Security Bug Bounty - VeChainThor Blockchain






  • Cybersecurity of the company and the security of our users' data is a top priority for us, therefore VeChain launched a bug bounty program to find vulnerabilities and pay rewards.

    Scope

    This program ONLY limits to the VeChainThor code.

    Do code review for logical and security mistake in our testnet: VeChainThor is a new public blockchain that was written from scratch by the VeChain team. VeChainThor leveraged some of the features of Ethereum such as EVM. The VeChain team has added a lot enterprise friendly features at the core blockchain level so that it could be easily used by any developer or user on the platform. Some of the major features are:

    • VET / VTHO dual token system, only VTHO will be consumed by the payment and smart contract execution
    • Multi-party payment protocol
    • Completely new transaction model
    • Proof of Authority consensus

    Installation

    Thor is VeChain's new generation blockchain project. It's the official implementation written in golang.

    1. Download mainnet source code, vendor dependency packages and VeChain Thor Tutorial via Github.
    2. Connect to the testnet, generate wallet address by yourself and receive test tokens via faucet.

    What to look for
    Protocol and Network

    • Conceptual and practical security issues in the formal specification of the protocol.
    • Misaligned / unintended economic incentives and game theoretic flaws.
    • Security weaknesses / attacks on the P2P communication protocol and PoA consensus algorithm.
    • Attacks
    • Scenarios for DoS attacks.
    • 51% and other X% attacks
    • Finney attacks
    • Sybil attacks
    • Replay attacks
    • Transaction / messages malleability
    • Server configuration issues (open ports) Node function validation
    • Lack of validations of blocks, transactions and messages
    • Transaction
    • Block
    • Chain
    • Ethereum Virtual Machine code execution such as built-in contract, native function
    • Contract creation
    • Message calls
    • Calculation and enforcement of fees. Client application security, suggestions on the APIs
    • Data type overflow / wrap around, e.g. integer overflow.
    • Panics or not properly handled errors.
    • Concurrency, e.g. synchronization, state, races attacks.
    • Issues related to external libraries used (outdated software). Cryptographic primitives security
    • Incorrect implementation / usage / configuration of:
    • Elliptic curve (secp256k1, ECDSA,ECDH,ECIES).
    • Hash algorithms (Keccak-256,Blake2b).
    • Merkle Patricia trees.

    The size of the bounty
    6e46f8e5-9a8b-44b2-9ed6-6ccb64112d6c-image.png

    *The rewards will be paid out in VET based on the current price.

    How to submit bug reports

    Please submit your report through this FORM!

    The rules of VeChain CyberSecurity Program are as follows:

    • You must not disrupt any service, or compromise personal data
    • You must send a clear textual description of the work done, along with steps to reproduce the vulnerability
    • After sending report, you cannot tell anyone or anywhere. Public disclosure of a vulnerability makes it ineligible for a reward
    • For similar issues, only the first submission is eligible for bounty reward
    • In case you find chain vulnerabilities we pay only for vulnerability with the highest severity
    • It’s entirely at VeChain's discretion to decide whether a bug is significant enough to be eligible for reward and its severity

    Check out the Developer Information Center for technical documentation and Official Gitter Developer Channel to find the development resources. Please make sure you have read and agree to the rules of VeChain Bounty programs. For any question, please contact bounty@vechain.com.


Log in to reply