Raiden Bug Bounty

The Raiden Alderaan release is a beta deployment of the Raiden Network focused on testing a full suite version on the Ethereum mainnet. The Raiden team has undertaken several risk mitigation measures to limit the potential damage caused by bugs or misuse of the software and to ensure a responsible testing environment. In addition to the implemented safety measures, a bug bounty is run for the Raiden Smart Contracts, as well as the Raiden Client and the Raiden Services executables (see detailed specifications below). The bug bounty is hosted by brainbot labs Est. in order to make sure that the software lives up to the highest standards possible and to make sure that the risk of users losing funds is at a minimum. For the bug bounty, a pool worth $200,000 in RDN tokens is available to be rewarded.

Bugs found

NAME DATE TOPIC VALID OUTCOME

Scope of the Bounty

All direct Raiden system components (Raiden Smart Contracts, Raiden Client, Pathfinding and Monitoring Service) are in scope. As the Raiden Transport Layer (Matrix Servers) is a 3rd party component it is excluded from the bounty. The scope of the bounty is limited to critical vulnerabilities as defined below.

Raiden system components in scope

The following components of the Raiden Network are in the scope

The specific versions might be subject to change in case a new version of either of above is released as a result of a bug being fixed.


Vulnerabilities eligible for rewards within the bug bounty

Only critical vulnerabilities as defined below are in the scope of the bug bounty/eligible for rewards:


Vulnerability Definitions

  • Tier 1 vulnerability: A Tier 1 vulnerability is defined as any flaw in the protocol that can lead to the loss of user funds. This either being through funds being locked unrecoverably or funds being stolen by third parties.

  • Tier 2 vulnerability: A Tier 2 vulnerability is defined as any flaw in the protocol that can lead to user funds being unrecoverable through the Raiden API and hence needing specific manual smart contract interactions to recover funds.

Relevant Tokens

  • As mentioned in the definitions of Tier 1 and Tier 2 vulnerabilities, only vulnerabilities related to WETH and DAI will be considered as relevant for the bug bounty.

Additional Requirements

  • brainbot labs must be able to reproduce the vulnerability

  • Reported vulnerability should be on the most recent Alderaan Release tag starting with release 1.0.0.

Explicitly not in scope / not eligible are:

  • Any code that differs from the code released by brainbot labs Est. as part of the Alderaan release. This includes the Raiden client python source code, the pathfinding source code, the monitoring service source code and all the corresponding smart contracts.

  • Known issues that are already in the Raiden issue tracker or have already been reported via the bug bounty program.

  • Vulnerabilities which affect multiple smart contract systems and are not specific to the Raiden implementation, e.g. vulnerabilities eligible for the Ethereum bug bounty.

  • Vulnerabilities that appear only after extreme network conditions (deep reorgs, cannot record transactions for more than 2 hours).

Duration of the Bounty

The bug bounty will run until either the entire pool worth $200,000 has been depleted or reported bugs or other critical events have led to a deprecation of the deployed version of Raiden for which the bug bounty is valid.


The community will be informed when the bug bounty ends. Communications addressing found and reported bugs will also be published once the relevant fixes are in place and potential security risks have been mitigated.


brainbot labs Est. reserves the right to end the bug bounty at any time.

Bounty Rewards

As stated above, there is a pool worth a total of $200,000 in RDN tokens to be paid out as rewards for either of the two types of vulnerabilities listed:

  • Tier 1 vulnerabilities: Bugs reported in this tier are eligible for rewards worth up to $20,000

  • Tier 2 vulnerabilities: Bugs reported in this tier are eligible for rewards worth up to $5,000.

To calculate the bounty reward in RDN, the exchange rates are taken on the day on which the reward is paid out. brainbot labs Est. reserves the right to alter the exchange rate in case of extreme/abnormal trading conditions.

Intended Behaviour

For the intended behaviour of the Raiden client and protocol please check out the following links:

Raiden Protocol Specification

Raiden Contracts Specification

Raiden Services Contracts Specification

Raiden User Documentation

Submissions

Please send your submissions via email to [email protected]. Your email should contain:

  • A detailed description of the bug and any supporting documents (source examples) that are needed to reproduce the bug

  • Title of the vulnerability

  • Description of vulnerability

  • Proof-of-concept / Reproduction manual

  • Criticality assessment

  • Tools and versions use

  • Attachments (screenshots or video)

  • Suggested fixes / solutions

  • Email address (in order to contact you in case your vulnerability submission is accepted)

  • A single ETH address to which the potential reward should be sent if the vulnerability submission is accepted.

Additionally, please state whether you would like to be named in the post-bug bounty report and “bugs found”-board on the website and if yes under what name.


You can read more about how to write a well structured vulnerability report here

Payouts of bug bounty rewards

In order to comply with local AML regulations, we are required to obtain some information about you prior to paying out any reward.

Submission Rules

  • Please keep in mind that any bugs or suggestions for improvements to the executables other than the ones causing harmful behaviour or loss or theft of tokens as outlined above are not eligible for the bug bounty.

  • All issues submitted should assume that all the requirements for safe usage of Raiden as outlined here are met. There is a whole category of known problems which would appear if the Ethereum blockchain would not operate normally, for example, if it is under congestion/DDOS, or if the systems of the participants are under DDOS. These problems are not eligible for the bug bounty.

  • Reports will not be credited on a first come, first serve basis. We prefer reproducible bugs before first submissions.

  • Employees, contractors or officers of brainbot labs Est. and its affiliates are not eligible for the bug bounty.

  • We consider a number of variables in determining rewards. Determinations of eligibility, vulnerability level recognition, and all terms related to an award are at the sole and final discretion of brainbot labs Est.

Responsible Disclosure

  • Please don’t make the details of any vulnerability you find public until we have confirmed that it is all right to do so.

  • Do not try to actively exploit any security issue you detect.


To chat with us about development specific questions visit our gitter channel.