OST Mainnet Bounty Challenge #1: Earn 400k+ OST Tokens For Reporting Security VulnerabilitiesWe want to ensure our partners can rely on OST blockchain technology to launch their own Branded Token and manage token economies. Therefore, the security of OST technology and all OST-powered crypto assets is a top priority. We are launching our first Mainnet bounty program with more than 400,000 OST available for eligible vulnerability reports.
This bounty challenges any participant to find a security vulnerability that allows him/her to transfer OST that is staked on Ethereum Mainnet to any unintended address. Additional bounties are available for eligible vulnerability submissions with a detailed step-by-step report on how to reproduce the challenge. We will evaluate each reported security issue and will award tokens based on the severity of each verified vulnerability.
We launched the first version of OST KIT on Mainnet — our developer toolkit for staking OST and minting Branded Tokens. You can view the economies
here.
We also created an economy
“Bounty Coin” on OST KIT Mainnet Alpha 1 and staked 300,000 OST to mint approximately one million Bounty Coin on a utility chain.
Awards• 300,000 OST — Awarded to the contestant who can manage to transfer tokens from the Simple Stake Contract address to an unintended wallet.
• 100,000 OST — Awarded for reporting the vulnerability (described above) with a detailed description and step-by-step process for reproducing the challenge.
• 10,000+ OST — Awarded to eligible bug and vulnerabilities submissions. There are no limits to the number of rewards and individuals can earn multiple rewards by submitting qualifying bugs and vulnerabilities.
Eligible Reports• A vulnerability that allows for the transfer of the staked OST on Ethereum Mainnet to an unintended address.
• A vulnerability that allows users to transfer Bounty Coins placed in the OST KIT Mainnet Alpha 1 account to an unintended address.
• A vulnerability which can be exploited to bring down or take control of the OST KIT user’s account without direct access to the machine. Extensive DDOS attacks excluded.
• A vulnerability that would result in any of the services (KIT, API, VIEW) being unusable for users. Extensive DDOS attacks excluded.
• A vulnerability that compromises the contract behavior and allows unintended transfer of tokens.
• A vulnerability that compromises private keys of addresses managed by OST KIT.
• Any vulnerability that compromises the data APIs of OST VIEW
• A vulnerability that allows users to obtain access to other user’s API Keys.
Bounty ScopeWe would like to learn about security bugs and vulnerabilities in the following areas:
• OpenST Protocol 0.9.2 Smart Contracts and node.js packages including
Mosaic Contracts and Tree Release AM1,
OpenST AM1,
OpenST Payments, and
OST Price Oracle.
• OST KIT including
Mainnet KIT• OST API including
Mainnet API v1.1 and
Mainnet Dev• OST VIEW including
Mainnet View and
OpenST ExplorerOut of Bounty ScopeAny domain or property of OST not listed in the targets section is out of scope including but not limited to OST websites (ost.com, view.ost.com, kit.ost.com) and OST KIT UI issues.
PrerequisitesYou can find the Utility Chain Syncing script here.
Here is a list of the value chain contract addresses:
• Simple Stake for OST Prime: 0x5caaaee865f994bef3421507a278b42c5e26643a
• Simple Stake for Bounty Coin: 0x5fBfEDE90ff3799F466A1997bA68B4fa18e82956
• OpenSTValue: 0x62EDb11263cD775D549a9d9E38980014DBbFdeDD
• Value Core Contract: 0xf8530666572C3CA966247Cc39C4f60bE37A5c168
• Value Registrar: 0xD184c79481774A4c2Ea2DAD4d14F9C6396e17C65
• Simple Token Contract Address: 0x2C4e8f2D746113d0696cE89B35F0d8bF88E0AEcA
Utility Chain Contract Addresses:
• OpenSTUtility Contract: 0x37D014adb3D52e132877F6Feca00b81e95544C8C
• Utility Registrar Contract Address: 0xA46a92067322d8a060eeB13B2c184639D3C87816
• Bounty Coin Branded Token Address: 0xbe5b185bb0fc7493a168da19f576e482b6444c19
• Price Oracle Contract Address: 0x1e6e9EF185aD2f1dcAFA263f26DecA1FAC64603c
• OST Prime Contract Address: 0x7Ae71fE9e16A0AEEA63933cf4EB88f6c24A9723B
Bounty Rules• No spam or distributed denial of service (DDOS) attacks.
• No violations of the privacy of other users or destruction of data.
• No disclosing of vulnerabilities to the public. Participants must report vulnerabilities to OST only, as described in this post. Participants must allow for a reasonable --response time from OST.
• Vulnerabilities which have already been submitted or are already known to OST are not eligible. Once the OST team has confirmed the presence of the vulnerability and is prepared to publish information to help mitigate the risk, we will list the vulnerability submissions here.
• Any employees of OST is not eligible to participate.
• Any party (including but not limited to an individual, employee, consultant or company) working directly or indirectly on behalf of/for OST is not eligible to participate in the OST Mainnet Bounty Challenge.
• Anyone engaged to review or audit OST code in exchange for remuneration is not eligible to participate.
• OST may cancel this program at any point in time at its sole discretion.
• Awards are at the discretion of the OST team.
• Each bug or vulnerability will be considered for an award only once.
• Rewards are not available to users from countries subject to OFAC sanctions.
SubmissionSubmit any eligible bug or vulnerability via
bounty@ost.com. Contact
support@ost.com with any questions. Please include the following in your submission:
• Summary: one or two line summary of the bug or vulnerability.
• Description: Describe the scenario. What were you trying to do? What is the possible impact? OST will be awarded to clear, well-written submissions that can help us quickly reproduce the vulnerability.
• Product: OST KIT / OST API / OST VIEW / OpenST Protocol 0.9.2
• Affected Files: If you found the bug or vulnerability in the open source code, please share the affected files.
• Detailed steps to reproduce: Please include snippets of logs, test code, scripts and detailed instructions on how to reproduce the vulnerability. How would we reproduce the bug or vulnerability faster?
• Fix: Please suggest a solution for the vulnerability.
The OST Mainnet Bounty Challenge will end on
Sunday September 30 2018 at 1pm UTC. Bounties will be issued in October 2018.
About OST
OST blockchain infrastructure empowers new economies. OST is a public blockchain platform designed for the needs of businesses with millions of users. Launch your own Branded Tokens with OST technology and turn your business into a dynamic ecosystem. OST is built on the OpenST Protocol, a framework for building highly scalable blockchain token economies. OST has offices in Berlin, New York, Hong Kong, and Pune. For more information, please visit:
https://ost.com
