FVM Milestone 1 Bug Bounty Program #504

eshon opened this issue Apr 7, 2022 · 2 comments
Comments


eshon commented Apr 7, 2022

About

The Filecoin Virtual Machine is a new and exciting addition to the Filecoin protocol to support user-programmability and EVM-compatibility.

The FVM will be added to the live Filecoin network in several milestones.

Bug Bounties are now live for FVM Milestone 1 until the end of June.

Milestone 1 is scheduled for deployment to Filecoin mainnet on July 7, 2022 as part of Filecoin network upgrade v16 Skyr.

As part of Milestone 1, the Filecoin network will be transitioning to exclusive use of the FVM. All client implementations will switch from current legacy VMs to the new Wasm-based reference FVM. For M1, built-in actors in Rust (actors are smart contracts in Filecoin) will be supported.

User-programmable actors are on the horizon for a later Milestone 2 release in Q3 2022 (estimated).


Rewards

Rewards for FVM bug bounties are the same as in the regular bug bounty program for the Filecoin project.

Reported security vulnerabilities will be eligible for a Bug Bounty based on Severity, calculated based on its Impact and Likelihood using the OWASP Risk Rating model.

| Severity | Points        |
|----------|---------------|
| Critical | up to 100,000 |
| High     | up to 50,000  |
| Medium   | up to 15,000  |
| Low      | up to 2,500   |
| Note     | up to 500     |

Where currently 1 point = 1 USD (payable in USD, DAI or FIL).

Higher rewards will also be paid to reported vulnerabilities that offer quality written descriptions, test code, scripts and detailed instructions, and well-documented fixes.

Evaluation of the significance of the vulnerability and specific bounty amount assigned is at the sole discretion of the Filecoin Security Team, which consists of core developers and contributors.


Scope

Ref FVM

  • Reference implementation of the Filecoin VM (specs).
  • Written in Rust and intended to be integrated via FFI into non-Rust Filecoin clients like Lotus.

Lotus - Ref FVM integration

  • Integration of the Ref FVM into Lotus via FFI. Written in Go.
  • (The PR listed is merely an entrypoint into the codebase, but the scope is not limited to it. Please review what's on master and other pending PRs.)

Lotus - Filecoin FFI

  • The FFI glue code.
  • Written in Go and Rust.
  • (As above, the PR linked is merely an entrypoint, but the scope is not limited to them.)

Builtin Actors

  • Written in Rust, WASM-compiled built-in actors (i.e., smart contracts) used by all Filecoin clients.
  • An actors spec and test vectors are available for reference.
  • An executable spec in Go is available at spec-actors — these actors power the live network pre-FVM.
  • (Note that auditing actors normally requires Filecoin domain expertise).

Exclusions to Scope including Known Issues are listed here on Github and will be regularly updated.


Submit a Report

To report vulnerabilities, please contact [email protected] to be eligible for bounties.

You can use the confidential reporting guidelines listed here.


Rules

Rules of the regular Filecoin Security Program apply, including what’s Out of Scope.

Bugs in Filecoin client implementations (Lotus, Venus, Forest, Fuhon) and the Filecoin Proofs libraries fall under the regular Filecoin Security Program scope and rewards.


Stay tuned for FVM bug bounties for Milestone 2 this Summer!

gitcoinbot commented:
This issue now has a funding of 4910.0 DAI (4910.0 USD @ $1.0/DAI) attached to it.

gitcoinbot commented:
Work for 4910.0 DAI (4910.0 USD @ $1.0/DAI) has been submitted by:

  1. @mopdo

@eshon please take a look at the submitted work:

