Open Sourcing Our Bounty Protocol

This article was first published on quantstamp - Medium
-----

We are open sourcing the code for our Bounty Protocol. A bounty protocol is a marketplace for developers to identify bugs in smart contracts that automation cannot detect. The Bounty Protocol has the potential to leverage software engineering talent from around the world to add an essential layer of infrastructure for blockchain security.

Why we need it

Over 250 million USD has been lost or stolen due to bugs in smart contract code. In order to scale the security of smart contract blockchains using automation, we created the Quantstamp Security Network. Although the Quantstamp Security Network detects vulnerabilities such as the re-entrancy bug that led to the DAO hack in 2016, there are certain bugs that currently only human auditors can detect.

The Bounty Protocol supplements our automation by allowing human developers from around the world to report more nuanced vulnerabilities and check for bugs against specifications.

The Quantstamp Bounty Protocol has three roles: Bounty Providers, Bug Hunters, and Judges.

How it works

A Bounty Provider is someone who submits their smart contract for review to the Bounty Protocol.

Any developer, whom we will refer to as a bug hunter, can then review the smart contract code and report vulnerabilities if they find them. In order for the bug hunter to receive their bounty, judges must vote on whether the bug hunter did in fact report a valid vulnerability. The judges are selected using a QSP-based token curated registry (TCR).

If enough judges vote in favor of the bug hunter, the bug hunter receives their bounty.

Commit-Reveal Schemes

The Bounty Protocol uses two commit-reveal schemes in order to prevent judges and bug hunters from gaming the system.

Bug hunters submit reported vulnerabilities using a commit-reveal scheme in order to prevent front running. Without a commit-reveal process, a malicious actor can wait until an honest bug hunter submits ...
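To make the front-running defence concrete, here is an added example of the bug-hunter commit-reveal flow. It is illustrative code written for this page, not Quantstamp's Bounty Protocol contract. It assumes SHA3-256 as the commitment hash (an Ethereum contract would use keccak256), models the commit and reveal deadlines as explicit phases rather than block numbers, and binds the hunter's identity into the commitment so that a front-runner who copies an honest commitment from the mempool still cannot claim it. The `BugReportRegistry` class and the scenario function are hypothetical names.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def make_commitment(hunter: str, report: str, salt: bytes) -> bytes:
    """Commitment = SHA3-256(hunter || report || salt).

    Assumption of this example: SHA3-256 stands in for keccak256.
    The salt stops a watcher from hashing guessable report text and
    matching it against on-chain commitments; binding the hunter's
    identity stops a copied commitment from being revealed by someone else.
    """
    return hashlib.sha3_256(hunter.encode() + b"|" + report.encode() + b"|" + salt).digest()


@dataclass
class BugReportRegistry:
    """Hypothetical two-phase registry: commitments first, reveals later."""
    phase: str = "commit"
    commits: dict = field(default_factory=dict)   # hunter -> (commitment, order)
    reveals: dict = field(default_factory=dict)   # hunter -> revealed report
    counter: int = 0

    def commit(self, hunter: str, commitment: bytes) -> int:
        if self.phase != "commit":
            raise PermissionError("commit phase is closed")
        if hunter in self.commits:
            raise ValueError("one commitment per hunter")
        self.counter += 1                      # records arrival order
        self.commits[hunter] = (commitment, self.counter)
        return self.counter

    def close_commit_phase(self) -> None:
        """Stands in for the commit deadline block being mined."""
        self.phase = "reveal"

    def reveal(self, hunter: str, report: str, salt: bytes) -> bool:
        if self.phase != "reveal":
            raise PermissionError("reveal phase is not open")
        entry = self.commits.get(hunter)
        if entry is None:
            return False
        commitment, _ = entry
        if not hmac.compare_digest(commitment, make_commitment(hunter, report, salt)):
            return False                       # wrong report, wrong salt, or copied hash
        self.reveals[hunter] = report
        return True

    def first_reporter(self, report: str):
        """Among valid reveals of the same report, the earliest commitment wins."""
        candidates = [(self.commits[h][1], h) for h, r in self.reveals.items() if r == report]
        return min(candidates)[1] if candidates else None


def run_front_running_scenario():
    """Constructed scenario: an honest hunter commits, a front-runner tries
    two attacks, and the registry resolves who earns the bounty."""
    reg = BugReportRegistry()
    report = "reentrancy in withdraw(): external call precedes balance update"
    salt = secrets.token_bytes(32)
    reg.commit("honest", make_commitment("honest", report, salt))

    # Attack 1: copy the honest commitment seen in the mempool.
    reg.commit("mallory", reg.commits["honest"][0])
    reg.close_commit_phase()

    honest_ok = reg.reveal("honest", report, salt)
    # After the honest reveal both report and salt are public, but the copied
    # commitment was computed over "honest", not "mallory", so it cannot be opened.
    mallory_ok = reg.reveal("mallory", report, salt)

    # Attack 2: commit the now-public report late. The commit phase is closed.
    try:
        reg.commit("mallory2", make_commitment("mallory2", report, b"x"))
        late_commit_rejected = False
    except PermissionError:
        late_commit_rejected = True

    return reg.first_reporter(report), honest_ok, mallory_ok, late_commit_rejected


if __name__ == "__main__":
    print(run_front_running_scenario())
```

The two attacks shown are the ones a commit-reveal scheme must defeat together: the phase boundary blocks a late commit of a report that became public at reveal time, and identity-bound, salted commitments block the cheaper attack of simply replaying an honest hunter's commitment hash.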
