bug-bounty.md

File metadata and controls

69 lines (44 loc) · 4.33 KB

If you have questions, please join the Axie Discord and post in the #Ronin channel.

Ronin testnet endpoints: https://ronin-testnet.skymavis.com/rpc or via websocket at: wss://ronin-testnet.skymavis.com/ws with chainId: 2021

Ronin Key Facts

  • Ronin is an Ethereum sidechain built specifically for Axie Infinity. Each Axie is an ERC721 token represented as a unique digital creature that can be used in a variety of separate games. So far, there are Axie battles and a kingdom-building game centered around ownership of land plots. Land and items (artifacts) are also ERC721 tokens. Small Love Potions (SLP) and Axie Infinity Shards (AXS) are ERC20 tokens native to the Axie ecosystem.
  • Ronin is currently a Byzantine Fault Tolerant proof of authority (PoA) network operated by validators. Validators are appointed by Sky Mavis, the core developers of Axie Infinity.
  • A block requires approval from 2/3 of validators. Over time, Ronin will be upgraded to incorporate proof of stake elements as well as new layer 2 solutions such as zkSync and optimistic rollups.
  • Validators are responsible for authoring and validating blocks, updating price oracles, and approving deposits and transfers of assets (ETH, ERC20, and ERC721) to and from Ronin. Validators also control the addition and removal of other validators.
  • Ronin is built on the Ethereum codebase, so you can use a web3 client to connect to it. At the moment, all transactions on Ronin are free of charge (you can set the gas price in the transaction to 0).

Bug Bounty Program

The bug bounty program will commence at 9:00 AM EST on December 23rd, 2020, and run until Mainnet launch. The scope of this program is to double-check functionality related to deposits, withdrawals, and validator addition/removal. All code related to this bounty program is publicly available within this repo. We are specifically looking for issues related to:

  • Theft of user assets
  • Block validation
  • Issues around validating deposits and withdrawals
  • Issues around deployment
  • Loss of private keys
  • Admin control issues
  • Other process breakdowns

Rules

  • Rewards for bugs are issued on a first-come, first-served basis. Issues that have already been flagged are not eligible for rewards.
  • This program only covers code from this GitHub repo.
  • Description of vulnerabilities must be submitted as issues to this repo.
  • Rewards will be distributed at the end of the bug bounty program.
  • We will keep you updated on the status of your submitted issue.

Submission Guidelines

Use this template when submitting issues:

Description: Use clear, concise phrases when describing the issue and its potential impact.

Impact: What will happen if the issue is left unaddressed?

Reproduction: How can we reproduce the vulnerability?

Fix: How can the issue be fixed?

Additional Comments: Use this space for additional information.

ETH Address: Needed for reward distribution.

Please make sure to include relevant screenshots and code snippets.

Rewards

Rewards will be based on severity, which is derived from impact and likelihood.

  • Critical bugs: Issues that can result in a hack, theft of user funds, and chain collapse. Up to 3000 AXS
  • Major bugs: Can cause significant problems when using the chain, such as issues with validating user deposits and withdrawals or loss of private keys. Up to 1500 AXS
  • Minor bugs: A small issue, perhaps with wallets, accounts, or deployment. Not chain-breaking but still great to resolve early. Up to 300 AXS
  • Useful feedback: Comments that, while not specifying a bug, can help improve the confidence and integrity of the system. Up to 75 AXS

We have capped the amount of AXS reserved for this program at 15,000 AXS.

Please note that AXS is not the native token for Ronin. All AXS will be taken from Sky Mavis-owned AXS reserves.

Important Legal Information:

The bug bounty program is an experimental rewards program for our community developers to help us improve Ronin. Rewards are at the sole discretion of the Sky Mavis team. All rewards are subject to applicable law and thus applicable taxes. Don't target our physical security measures, or attempt a Sybil or DDoS attack on the program. Your testing must not violate any law or compromise any data that is not yours.

Copyright (c) 2020 Sky Mavis PTE. LTD