The Raiden Alderaan release and the Raiden Light Client Ashvini release are beta deployments of the Raiden Network focused on testing a full suite version on the Ethereum mainnet. The Raiden team has undertaken several risk mitigation measures to limit the potential damage caused by bugs or misuse of the software and to ensure a responsible testing environment. In addition to the implemented safety measures, a bug bounty is run for the Raiden Smart Contracts, as well as the Raiden Clients and the Raiden Services executables (see detailed specifications below). The bug bounty is hosted by brainbot labs Est. in order to make sure that the software lives up to the highest standards possible and to make sure that the risk of users losing funds is at a minimum. For the bug bounty, a pool worth $200,000 in RDN tokens is available to be rewarded.
All direct Raiden system components (Raiden Smart Contracts, Raiden Clients, Pathfinding and Monitoring Service) are in scope. As the Raiden Transport Layer (Matrix Servers) is a 3rd party component it is excluded from the bounty. The scope of the bounty is limited to critical vulnerabilities as defined below.
The following components of the Raiden Network are in the scope
Python Client executable - only the most recent executable released by the Raiden team starting with 1.0.0 is in scope.
Light Client SDK - only the most recent release of the Raiden Light Client SDK starting with 1.0.0 is in scope.
Pathfinding service executable - only the most recent executable released by the Raiden team starting with v0.10.0 is in scope.
Monitoring service executable - only the most recent executable released by the Raiden team starting with v0.10.0 is in scope.
The specific versions might be subject to change in case a new version of either of above is released as a result of a bug being fixed.
Only critical vulnerabilities as defined below are in the scope of the bug bounty/eligible for rewards:
Tier 1 vulnerability: A Tier 1 vulnerability is defined as any flaw in the protocol that can lead to the loss of user funds. This either being through funds being locked unrecoverably or funds being stolen by third parties.
Tier 2 vulnerability: A Tier 2 vulnerability is defined as any flaw in the protocol that can lead to user funds being unrecoverable through the Raiden API and hence needing specific manual smart contract interactions to recover funds.
As mentioned in the definitions of Tier 1 and Tier 2 vulnerabilities, only vulnerabilities related to WETH and DAI will be considered as relevant for the bug bounty.
brainbot labs must be able to reproduce the vulnerability
Reported vulnerability should be on the most recent Alderaan Release tag starting with release 1.0.0.
Reported vulnerability should be on the most recent Ashvini Release tag starting with release 1.0.0.
Explicitly not in scope / not eligible are:
Any code that differs from the code released by brainbot labs Est. as part of the Alderaan and/or Ashvini release. This includes the Raiden client python source code, the Raiden Light Client SDK source code, the pathfinding source code, the monitoring service source code and all the corresponding smart contracts.
Known issues that are already in the Raiden issue tracker or have already been reported via the bug bounty program.
Vulnerabilities which affect multiple smart contract systems and are not specific to the Raiden implementation, e.g. vulnerabilities eligible for the Ethereum bug bounty.
Vulnerabilities that appear only after extreme network conditions (deep reorgs, cannot record transactions for more than 2 hours).
The bug bounty will run until either the entire pool worth $200,000 has been depleted or reported bugs or other critical events have led to a deprecation of the deployed version of Raiden for which the bug bounty is valid.
The community will be informed when the bug bounty ends. Communications addressing found and reported bugs will also be published once the relevant fixes are in place and potential security risks have been mitigated.
brainbot labs Est. reserves the right to end the bug bounty at any time.
As stated above, there is a pool worth a total of $200,000 in RDN tokens to be paid out as rewards for either of the two types of vulnerabilities listed:
Tier 1 vulnerabilities: Bugs reported in this tier are eligible for rewards worth up to $20,000
Tier 2 vulnerabilities: Bugs reported in this tier are eligible for rewards worth up to $5,000.
To calculate the bounty reward in RDN, the exchange rates are taken on the day on which the reward is paid out. brainbot labs Est. reserves the right to alter the exchange rate in case of extreme/abnormal trading conditions.
For the intended behaviour of the Raiden client and protocol please check out the following links:
Please send your submissions via email to email@example.com. Your email should contain:
A detailed description of the bug and any supporting documents (source examples) that are needed to reproduce the bug
Title of the vulnerability
Description of vulnerability
Proof-of-concept / Reproduction manual
Tools and versions use
Attachments (screenshots or video)
Suggested fixes / solutions
Email address (in order to contact you in case your vulnerability submission is accepted)
A single ETH address to which the potential reward should be sent if the vulnerability submission is accepted.
Additionally, please state whether you would like to be named in the post-bug bounty report and “bugs found”-board on the website and if yes under what name.
You can read more about how to write a well structured vulnerability report here
Payouts of bug bounty rewards
In order to comply with local AML regulations, we are required to obtain some information about you prior to paying out any reward.
Please keep in mind that any bugs or suggestions for improvements to the executables other than the ones causing harmful behaviour or loss or theft of tokens as outlined above are not eligible for the bug bounty.
All issues submitted should assume that all the requirements for safe usage of Raiden as outlined here are met. There is a whole category of known problems which would appear if the Ethereum blockchain would not operate normally, for example, if it is under congestion/DDOS, or if the systems of the participants are under DDOS. These problems are not eligible for the bug bounty.
Reports will not be credited on a first come, first serve basis. We prefer reproducible bugs before first submissions.
Employees, contractors or officers of brainbot labs Est. and its affiliates are not eligible for the bug bounty.
We consider a number of variables in determining rewards. Determinations of eligibility, vulnerability level recognition, and all terms related to an award are at the sole and final discretion of brainbot labs Est.
Please don’t make the details of any vulnerability you find public until we have confirmed that it is all right to do so.
Do not try to actively exploit any security issue you detect.
To chat with us about development specific questions visit our gitter channel.