This is probably obvious now in retrospect, but I suggest we put out a bounty for disclosing inflation bugs through Grin’s security disclosure process.
For full disclosure, I don’t have an inflation bug ready to report. You have nothing but my word on this. This is merely due to the recent events which should encourage such bounties. However, I might try to find inflation and pick the prize.
Objective:
Find an inflation bug in Grin node (either grin++ or rust node)
Describe steps needed to pull off the inflation bug
If two people find the bug independently, the person finding it first claims the reward.
My suggestion is we start off with $200k reward and possibly increase it over time. The reasoning behind this is that if there are obvious inflation bugs, we’ll spot them early and if needed do a relaunch (god please no) with more funds available. Let me know if this makes sense to you.
Great idea!
In addition to this, I think we should open bounties for writing solid sets of both rust and C++ test cases for the grin node and the Grin++ node. This is the same approach Bitcoin uses. Bitcoin has a very extensive set of test cases used to detect bugs and exploits before releasing new versions of the software. Grin should do the same for both its node implementations.
Indeed big kudos. I think this for once and for all clarifies the discussion why and if we need two full node implementations. It is a great asset that Grin has two full node implementations and we should provide funding for both. Personally I would love to run a double node with wallet that has grin rust and grin++ node running together in the back and compares their results before accepting any payments. I think synergy of the nodes, their interface and standardization of their API’s is the way to go.
The only problem with this is that a certain amount of the fund will be permanently locked for the reward. That’s not a problem if we keep getting coinbase donations, but I wouldn’t count on that.
Why do we need a pre-existing bounty for bugs, anyway? I think all we need to ensure is that we keep a certain amount of money in the fund as a buffer for eventual bug rewards and making sure it is common knowledge rather than having pre-specified bounties.
Yes indeed, it would need to be locked. I think $200k would not hurt too much. We could even express it in terms of Bitcoins so that the reward scales with the Bitcoin price. In any case, we could remove the bounty after 5-10 years if we decided to.
Inflation bug is an edge case. We want to find these bugs as early as we can and we can do this by encouraging people to find them if they exist. The bounty reward is the incentive to dive into the code, find the flaws, report them and potentially save the project. The sooner we catch these, the better off we will be.
I don’t think it’s much of an incentive, though. If the bounty didn’t exist and I had found the bug I know I can just make a Github/Forum post and ask for $400k to reveal the bug. Even if there is a bounty for $200k I can still demand $400k. I’m not really sure a bounty for a critical bug like that actually does anything.
So you’d ask for a bounty which is exactly what I’m describing here. There’s no need to ask for a bounty, it will be there in the open and it’s much more effective if it is done prior to you finding the bug.
Also if you publicly said you’ve found an inflation bug (and you did), then others would likely find the bug relatively soon because they would start looking - MW has relatively simple consensus. The bounty serves two purposes:
It makes people dive into the code in hopes of finding a treasury
If a flaw is found, it incentivizes reporting it and claiming the reward (legal way) as opposed to risking exploiting the bug and possibly getting away with much less if the bug gets caught - also, this path can have legal consequences if people leave traces.
I see it as a win-win situation. If the bounty is not claimed, then the trust in the chain increases over time. This is basically a “free never-ending audit” in case we don’t have a bug and a relatively cheap exposure of a fatal exploit if we do.
I think we should distinguish inflation bugs according to the impact they have on the survivability of the chain.
We can reserve the largest possible bounty for a bug where a fix is the most valuable for chain survival. That is:
The bug allows for arbitrary inflation.
Neither MW/Grin nor Grin++ would catch it, no matter how long after the exploit. I.e. the inflation is undetectable.
Knowing the bug, it’s possible to verify that it hasn’t been exploited yet.
(There may be other worst-case characteristics I’m overlooking).
For such a worst case bug, we might want to offer as much as a 1M$ bounty to incentivize responsible disclosure.
If the exploit has a limited window of undetectability, or existence of an exploit cannot be verified, then the bounty should be for a smaller amount.
Regarding fund reservations: Any bounty payout will be capped to whatever funds are available at the time of disclosure. Due to bitcoin price volatility, we cannot guarantee any fixed dollar amount. Still, I think we should express the bounty in dollars, rather than in bitcoins.
This makes a lot of sense. There’s also a bonus with higher bounty which is that it makes for a stronger code audit due to more people trying to break it.
Bump. Let’s get this thing going so people have motivation to start diving deep into our potential vulnerabilities. Any other ideas on how to improve the bug bounty?
From the discussion above, I’m proposing the following:
Inflation bug bounty depending on the inflation type.
Unrecoverable inflation bug
The bug allows for arbitrary inflation
Neither MW/Grin nor Grin++ would catch it, no matter how long after the exploit. I.e. the inflation is undetectable.
Knowing the bug, it’s impossible to verify that it hasn’t been exploited yet. This leaves us with no choice but to relaunch Grin.
Bounty prize: $300k
Recoverable inflation bug
The bug allows for arbitrary inflation
Neither MW/Grin nor Grin++ would catch it, no matter how long after the exploit. I.e. the inflation is undetectable.
Knowing the bug, it’s possible to verify that it hasn’t been exploited yet.
Bounty prize: $500k
Implementation-specific inflation bug
The exploit is possible on exactly one of the node implementations (Rust or Grin++) and would get caught by the other implementation.
Bounty prize - delayed detection on vulnerable node: $70k - a case similar to the Bulletproof cache flaw in Rust Grin where the Rust node would detect the inflation after 1 week. Bounty prize - no detection on vulnerable node: $100k
In order to claim the bounty, one needs to follow Responsible Disclosure Standard and the exploit MUST NOT be tested on the mainnet or floonet (we want to keep these two intact).
Steps:
Find an inflation bug in Grin node (either Grin++ or Rust node)
Categorize the inflation bug, wait for the classification approval from the Security team and claim the reward once this has been fixed. The claim only happens after the patch to avoid speculation around how to exploit the chain based on the movements of Grin fund.
If two people find the bug independently, the person finding it first claims the reward.
My suggestion is that we start off with the rewards defined above and increase these values by 10-20% per year - assuming we have the funds available, if we don’t we simply either keep the bounty intact or remove it.
Let me know if you have any ideas on how to describe this better.