Cosmos, an interoperable blockchain ecosystem, has increased the incentives in its bug bounty program for the Cosmos Stargate software upgrade. The bug bounty invites hackers, developers, and the wider community to test and debug the upgrades and breaking changes to the Cosmos SDK, Tendermint Core, Gaia, and Inter-Blockchain Communication codebases. The special bug bounty program launches today and will conclude on December 31, 2020.
Recent changes to the code include a transition from an in-house serialization system to Protocol Buffers (Protobuf), major new Tendermint Core features such as state sync, and the first implementation of Cosmos’s flagship Inter-Blockchain Communication (IBC) protocol. These changes are a high priority for the security community to review. Bounty rewards are based on many factors, including impact, risk, the likelihood of exploitation, and report quality. The CVSS framework will be used to score all reports in a standardized and fair way. Bugs will be classified into the following categories for payout:
Critical: $5,000 and up
High: $3,000 and up
Medium: $1,000 and up
Low: up to $200
Tess Rinearson, VP of Engineering at Interchain GmbH, said “We believe that proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols. Our ongoing testing, and in particular this new program, exists to proactively reward people who discover bugs in our protocols and products. The release of the Stargate codebase reifies our commitment to the open-source community, with the goal of bringing Cosmos into a new era. For the first time ever, Cosmos blockchains will be able to connect with each other using a standardized protocol for inter-blockchain communication (IBC).”
While there is no maximum program reward, Cosmos core contributors will value creative or severe bugs and reward them accordingly. Examples of vulnerabilities that are of interest include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, denial-of-service vectors, lost-write bugs, unauthorized account or capability access, stolen funds, token inflation bugs, payloads or transactions that cause panics, and so on. Please see here for a quick-start guide to getting Tendermint Core running so you can start hunting for bugs. To work with the Cosmos SDK, start here to learn more about getting it up and running in your testing environment.
The Cosmos Network is a secure and scalable blockchain ecosystem where thousands of decentralized applications interoperate to create the foundation for a new token economy. Currently, over $6B in digital assets have been secured on Cosmos blockchains, Cosmos and Tendermint projects have earned over 8,500 GitHub stars, and there are over 200 projects in the Cosmos Tendermint ecosystem.