Security is of paramount importance in the blockchain world. Millions of dollars of value residing in open-source, immutable smart contracts accessible to anyone in the world can be a recipe for disaster. Past smart contract vulnerabilities have led to events such as the DAO $50 million hack and the Parity $160 million loss.
At CoinAlpha, we take seriously the responsibility of securing our contracts and protecting the users of our protocols. While we have implemented rigorous testing and completed a security audit by Hosho for our protocol, we recognize that issues may still arise, so we are announcing a bug bounty program to leverage and incentivize the efforts of our community.
Basket Protocol
CoinAlpha, Inc. has developed and open-sourced its Basket Protocol which enables decentralized, non-custodial asset management. We have deployed a version of this protocol onto the Ropsten Ethereum test network, on top of which we have created the decentralized application CryptoBaskets.
Bug Bounty Program
Despite all the precautions and efforts we make to secure our protocol, we recognize that security is always an ongoing risk.
While we continually monitor the latest developments relating to security and industry best practices, we hope to work with the community to help make the Ethereum ecosystem safer by collaborating on security and coding best practices. To that end, we are launching the Basket Protocol Bug Bounty program.
Scope of the Bug Bounty
CoinAlpha’s Basket Protocol @ https://github.com/coinalpha/basket-protocol, all contracts named Basket_.sol.
Bounty Evaluation
CoinAlpha will use OWASP’s Impact and Likelihood risk framework to help in evaluating bounties.
Bounty Rewards
Accepted bounties are awarded based on the following guidelines:
- Critical: up to $10k
- High: up to $5k
- Medium: up to $2.5k
- Low: up to $1k
All bounties and awards will be subject to the sole discretion of the CoinAlpha team. The quality and completeness of your report will be factored into determining the reward amount.
Bounty Rules and Guidelines
- Bounties are awarded on a first-report basis.
- Take responsibility and act with extreme care and caution.
- Do not use vulnerabilities you discover for purposes other than your own investigation.
- Do not publicize or disclose to any third parties any details of vulnerabilities until after confirmation and approval from the CoinAlpha team.
- Do not use social engineering to gain access to a system.
- Non-security issues are not eligible.
- Evaluations of eligibility, severity, and all terms related to a bounty and award are at the sole and final discretion of the CoinAlpha team.
Submission Guidelines
Submit reports to: [email protected].
- Please include detailed descriptions of the vulnerability or security issue, steps to reproduce, supporting artifacts, and suggested fixes (if any).
- Your privacy: we will only use your personal details to take action based on your report. We will not share your personal details with others without your express permission.
Evaluation Procedure
The CoinAlpha team will investigate your report and will contact you to discuss the weakness, how you found it, and any follow-up action.
Payments
- July 30, 2018: First reward paid! A reader and blockchain developer looked into our protocol in detail and provided us with some code optimizations. While the multiple points raised were not security issues, we appreciate the detailed review and comments.
CryptoBaskets Application
You can find out more about CryptoBaskets at: https://cryptobaskets.io.
- Join our Telegram community
- Try the testnet dApp
Hi! I am a robot. I just upvoted you! I found similar content that readers might be interested in:
https://medium.com/finance-3/cryptobaskets-hosho-security-audit-bug-bounty-program-24311c22a9d6
Congratulations @mifeng! You received a personal award!
You can view your badges on your Steem Board and compare to others on the Steem Ranking
Vote for @Steemitboard as a witness to get one more award and increased upvotes!