Following hacking @ DEVCON1, Martin Swende is Nr. 1 on the leaderboard of the Ethereum Bounty Program. The bounty program is ongoing and the last bounty awarded amounted to 5 BTC. The program is open to anyone. With BTC Relay getting ready for launch on Ethereum and its importance for many DApps, we want to highlight its ongoing security audit by including it in the Ethereum Bounty Program.
BTC Relay is an Ethereum contract that implements Bitcoin SPV: https://en.bitcoin.it/wiki/Thin_Client_Security
The chief purpose of BTC Relay is to pass along any sufficiently confirmed Bitcoin transaction to a specified Ethereum contract. If someone makes a Bitcoin payment, or any arbitrary transaction on the canonical Bitcoin blockchain, the relay should be able to send it to any specified Ethereum contract. More details are in the spec.
The goal is to identify security issues such as accepting invalid blockheaders, false proofs, or invalid Bitcoin transactions. Similarly, if there is a valid Bitcoin transaction which BTC Relay does not fully relay, that would also be eligible for bounties.
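The two failure classes named above, accepting an invalid block header and accepting a false proof, are exactly what an SPV verifier has to reject. The following is an added Python illustration of those checks, not code from the BTC Relay repository (which is written in Serpent) or its spec: it parses an 80-byte header, checks its proof of work against the compact `bits` target, and recomputes the merkle root from a transaction id, its index and its sibling hashes. All transaction ids, the header and the easy `0x207fffff` target are constructed for the example; no real Bitcoin data is used, and `verify_spv`, `mine_header` and `demo` are names chosen here.

```python
import hashlib
import struct
from typing import List, Tuple


def dsha256(data: bytes) -> bytes:
    """Bitcoin's hash function: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_root(txids: List[bytes]) -> bytes:
    """Root of a Bitcoin merkle tree over internal-byte-order txids.
    An odd node count at any level duplicates the last node, as Bitcoin does."""
    if not txids:
        raise ValueError("a block has at least one transaction")
    level = list(txids)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def merkle_proof(txids: List[bytes], index: int) -> List[bytes]:
    """Sibling hashes, leaf to root, proving txids[index] is in the tree."""
    level = list(txids)
    siblings = []
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        siblings.append(level[index ^ 1])
        level = [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return siblings


def root_from_proof(txid: bytes, index: int, siblings: List[bytes]) -> bytes:
    """Recompute the root a verifier derives from a txid, its position and the proof."""
    node = txid
    for sibling in siblings:
        node = dsha256(sibling + node) if index & 1 else dsha256(node + sibling)
        index //= 2
    return node


def parse_header(header: bytes) -> Tuple[int, bytes, bytes, int, int, int]:
    """Split an 80-byte header into (version, prev_hash, merkle_root, time, bits, nonce)."""
    if len(header) != 80:
        raise ValueError("block header must be 80 bytes")
    return struct.unpack("<I32s32sIII", header)


def target_from_bits(bits: int) -> int:
    """Expand the compact 'bits' field into the 256-bit proof-of-work target."""
    exponent, mantissa = bits >> 24, bits & 0x00FFFFFF
    return mantissa << (8 * (exponent - 3)) if exponent >= 3 else mantissa >> (8 * (3 - exponent))


def header_meets_target(header: bytes) -> bool:
    """Proof-of-work check: the header hash (as a little-endian integer) must not exceed the target."""
    bits = parse_header(header)[4]
    return int.from_bytes(dsha256(header), "little") <= target_from_bits(bits)


def verify_spv(header: bytes, txid: bytes, index: int, siblings: List[bytes]) -> bool:
    """Accept only if the header carries valid work AND the proof reproduces its merkle root.
    Timestamps and chain linkage are deliberately not checked here, mirroring the
    reduced scope described for BTC Relay."""
    if not header_meets_target(header):
        return False
    return root_from_proof(txid, index, siblings) == parse_header(header)[2]


# Constructed fixture (not real Bitcoin data): three fake txids and a header with an
# easy target (0x207fffff, the regtest value), mined inline so the example runs offline.
TXIDS = [dsha256(b"constructed-tx-" + bytes([i])) for i in range(3)]
EASY_BITS = 0x207FFFFF


def mine_header(txids: List[bytes], bits: int = EASY_BITS) -> bytes:
    """Search nonces until the constructed header satisfies the (easy) target."""
    root, prev_hash = merkle_root(txids), bytes(32)
    for nonce in range(1 << 32):
        header = struct.pack("<I32s32sIII", 1, prev_hash, root, 1700000000, bits, nonce)
        if header_meets_target(header):
            return header
    raise RuntimeError("no nonce found; unreachable with the easy target")


HEADER = mine_header(TXIDS)


def demo() -> Tuple[bool, bool, bool]:
    """(genuine proof accepted, tampered sibling rejected, wrong index rejected)."""
    good = verify_spv(HEADER, TXIDS[2], 2, merkle_proof(TXIDS, 2))
    tampered = merkle_proof(TXIDS, 2)
    tampered[0] = bytes(32)  # a false proof: one sibling hash replaced
    false_proof = verify_spv(HEADER, TXIDS[2], 2, tampered)
    wrong_index = verify_spv(HEADER, TXIDS[2], 1, merkle_proof(TXIDS, 2))
    return good, false_proof, wrong_index


if __name__ == "__main__":
    print(demo())
```

A relay that skipped either half of `verify_spv` would accept the bugs the bounty targets: without the target check it relays transactions from headers nobody mined, and without the root recomputation any caller can claim an arbitrary transaction is in a real block.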
Please note that since BTC Relay has a separate open-source grant for bounties, major bugs will be rewarded up to 1 BTC. Much higher rewards are possible (up to 5 BTC) in case of very severe vulnerabilities. Rewards are eligible for everyone except bounty program judges and developers of BTC Relay.
The scope is the contract itself: the 5 “.se” files in the root directory of:
https://github.com/ethereum/btcrelay/tree/1466934855225b1e4a87031d299c1209ba12d503
(This is a commit on the develop branch of https://github.com/ethereum/btcrelay.)
Not in scope is complete SPV client functionality (for example Bitcoin block timestamps are not checked to save gas costs). Better mechanisms for incentivization, gas cost and other algorithm optimization are not in scope. That said, any such feedback will still be gladly considered.
With BTC Relay now included in the Ethereum bounty program, most of the rules on http://bounty.ethdev.com apply. For example, websites are not part of the bounty program, and it is first come, first served: issues that have already been submitted by another user or are already known to the team are not eligible for bounty rewards. But this also means that, beyond monetary rewards, every bounty is also eligible for:
- Listing on the Ethereum bounty leaderboard, with points accumulating over the course of the program.
- Personal inscription in the Ethereum namereg once it's live.
- An exclusive, limited edition Ethereum Bountyhunter t-shirt.
- What should be the first block in BTC Relay?
  - For technical and practical reasons, the earliest block that can be stored in BTC Relay is block 2016 (the first difficulty retarget). BTC Relay’s first block must be on a difficulty retarget, i.e. a block number divisible by 2016.
- How likely are you to verify Bitcoin transactions from a while ago?
- How useful would it be if BTC Relay started with the block two difficulty retargets ago?
  - Currently, that would be block 389088.
- There is a script that anyone can run to submit block headers to BTC Relay. What do you think its default fee, which verifiers of a Bitcoin transaction pay in ETH, should be?
  - The script’s current fee is 0.
  - It usually costs less than 0.01 ETH to submit a block header. Should the default fee be 0.01 ETH?
  - This default fee can be overridden to whatever the submitter desires, although the incentive mechanism makes it unlikely that setting the fee excessively high will be rewarding.