Raiden Bug Bounty

The Red Eyes release is an alpha deployment of the Raiden Network focused on testing on the Ethereum mainnet. We undertook several risk mitigation measures to limit the potential damage caused by bugs or misuse of the software and to ensure a responsible testing environment. In addition to the implemented safety measures, we are hosting a bug bounty for the Raiden smart contract code.

1. Scope of the Bounty

Within the scope are only the Raiden smart contracts:

Bugs in the client:

Usually, non-critical bugs in the client can be reported using our issue tracker. While the client is not directly within the scope of the Bug Bounty, we encourage reporting any critical vulnerabilities that you find in the client via the bug bounty submission process (see below). Critical bugs found in the client may also be considered for rewards. The level of severity of each bug report will be evaluated by us on a case-by-case basis.

Not in scope / not eligible are:

  • The Raiden client python code in the repository.

  • Known issues that are already in our issue tracker or have been reported to us privately via the bug bounty program.

  • Vulnerabilities which affect multiple smart contract systems and are not specific to the Raiden implementation, e.g. vulnerabilities eligible for the Ethereum bug bounty.

3. Duration of the Bounty

The bug bounty will last until we feel that Raiden has been running smoothly for a sufficient amount of time. We are going to inform the community when we end the bounty. We reserve the right to end the bug bounty at any time.

4. Bounty Rewards

We will reward bounties only for 2 types of vulnerabilities reported:

Minor vulnerabilities: A minor vulnerability consists of any flaw that can cause the Raiden contracts to behave in an unexpected harmful way, but does not put any of the deposited tokens at risk. Such vulnerabilities will be awarded with up to $1,000 equivalent of RDN.

Critical vulnerabilities: A critical vulnerability consists of any flaw that can cause the Raiden contracts to break in unexpected ways, or that allows the protocol to be taken advantage of in a way that user tokens can be stolen or end up locked up. Such vulnerabilities will be awarded with up to $10,000 equivalent of RDN. The amount rewarded is at our discretion, depending on the severity of the issue found and also on the amount of tokens users would lose if exposed to the issue.

For example, a bigger award would be given for issues that would affect the entire token network and allow all the tokens to be drained out of it or out of a channel, as opposed to a vulnerability that can only happen once with a very specific balance proof and only causes a one-time loss of a small amount of tokens to the user.

To calculate the bounty reward in RDN, the exchange rates are taken at the end of the day on which you have submitted the bug. We reserve the right to alter the exchange rate in case of extreme/abnormal trading conditions.

5. Intended Behaviour

For the intended behaviour of the Raiden client and protocol please check out the following links:

Raiden Protocol Specification

Raiden Contracts Specification

Raiden User Documentation

6. Submissions

Please send your submissions via email to [email protected]. Your email should contain:

  • As detailed a description of the bug as possible and any supporting documents (source examples) that are needed to reproduce the bug.

    A bug report should preferably include:

    — Title of the vulnerability

    — Description of vulnerability

    — Proof-of-concept / Reproduction manual

    — Criticality assessment

    — Tools used

    — Attachments (screenshots or video)

    — Suggested fixes / solutions

    You can read more about how to write a well structured vulnerability report here

  • A single ETH address to which the potential reward should be sent if your vulnerability submission is accepted. Additionally, please let us know if you would like to be named in the post-bug bounty report and the “bugs found” board on this website and, if yes, under what name.

It should be noted that in order to comply with local AML regulations, we may be required to obtain some additional information from you before being able to pay out a bounty reward.

7. Submission Rules

Please keep in mind that any bugs or suggestions for improvements to the contract other than the ones causing harmful behaviour or loss or theft of tokens as outlined above are not eligible for the bug bounty.

All issues submitted should assume that all the requirements for safe usage of Raiden as outlined here are met. There is a whole category of known problems which would appear if the Ethereum blockchain did not operate normally, for example, if it is under congestion/DDoS, or if the systems of the participants are under DDoS. These problems are not eligible for the bug bounty.

Reports will be credited on a first-come, first-served basis. Issues already known to us or issues already submitted by another user will not be eligible for rewards.

Employees, contractors or officers of brainbot labs Est. and its affiliates are not eligible for the bug bounty.

We consider a number of variables in determining rewards. Determinations of eligibility, vulnerability level recognition, and all terms related to an award are at the sole and final discretion of brainbot labs Est.

8. Responsible Disclosure

  • Please don’t make the details of any vulnerability you find public until we have confirmed that it is OK to do so.

  • Do not try to actively exploit any security issue you detect.

To chat with us about development-specific questions, visit our Gitter channel.

Bugs found