Update Sep 22 2017 – Remove WhitelistedMultisig from this bug bounty as it is not being used
There was a vulnerability that allowed hackers to steal USD 30 million from the Parity multisig wallets last week.
I work with clients to secure their crowdsale and other contracts, and ultimately the funds end up being secured by a multisig.
So I am now offering a 20 ETH bounty (~ AUD 5,120 currently) on the ConsenSys MultiSig Wallet Audit (I’m halfway through the audit).
If you want to support the audit of this kind of public good, any donations to 0x1ba18f569a3cbd97725153be727eae094a7b42f3 from now until September 2017 will top up the bug bounty awards to encourage more scrutiny of these contracts.
Another 2 parties have stated they would top up this bounty:
- I was told that Satoshi Fund will also pay a bug bounty award on these smart contracts
- Santiment have said they will add 20 ETH to the bounty
- The 0x Protocol group have said they will add 25 ETH to the bounty
From The Gnosis MultiSig Wallet and our Commitment to Security, another USD 5,000 bug bounty is on offer on the ConsenSys multisig.
Rules And Rewards
- Bugs that have already been submitted by another user or are already known to the BokkyPooBah are not eligible for bounty rewards.
- Public disclosure of a vulnerability makes it ineligible for a bounty.
- You can deploy the contracts on your private chain for bug hunting. Please respect the Ethereum Mainnet and Testnet and refrain from attacking them.
- The value of rewards paid out will depend on the severity of the bugs found. Determination of this amount is at the sole and final discretion of the BokkyPooBah, but the BokkyPooBah will be fair.
The BokkyPooBah Hall Of Fame
If you do find any bugs in the above projects, you will enter The BokkyPooBah Hall of Fame.
See also Bug Bounty On The ConsenSys And Whitelisted Multisigs.