Thus far, Alarm has been developed in a vacuum. I am the sole developer and I've not had the extra eyes and brains of other developers to help with architecture and implementation. Along the way I've found and fixed multiple avenues for exploiting the service. One notable early one was realizing that I needed to lock the funds for a scheduler's account during execution. Otherwise it would be a simple thing for the called contract to empty their account as part of the function call, leaving no funds left to pay the executor of the call. A more recent example sparked the implementation of the Caller Pool, after realizing that the profitability of executing calls dropped below zero as soon as there was more than one caller competing to execute calls.
Today I'd like to publicly announce a bug bounty for reporting security related issues related to the Alarm service.
- The bounty amount will range from 10-100 ether depending on severity.
- Only issues with the source code of the most recent publicly deployed contract is eligible for the bounty.
- Only the first person to report an issue will be paid.
- Only issues that are privately disclosed in a manner that allows the issue to be fixed prior to public disclosure are eligible.
I'm primarily looking for issues related to the following topics, though I will take any submission into consideration.
- Ability for scheduler to forgo paying for execution of a function call.
- Stealing funds from another address's account.
- Stealing bond funds from a address's account.
- As a call executor, ability to guarantee getting the bond bonus for a call.
- Ability to alter the ordering of the designated callers during the next 40 blocks.
- Ability to schedule a call that keeps the executor of the call from getting paid.
Please report bugs to firstname.lastname@example.org or to pipermerriam on gitter chat. Happy hunting.