Aelf Code Audit Bounty Program

Detailed information 

About

On October 16, aelf enterprise 1.0.0 RC 1 was officially released. This means that the current aelf Public Testnet has achieved all the functions required for the Mainnet launch and has been running stably. aelf Enterprise 1.0.0 RC 1 will be the version for code audit. After code audit is completed and the vulnerabilities are fixed, the Mainnet will be gradually launched using this version.

According to the Bounty Program, the aelf team offers generous rewards for the participants who submit the code audit reports of the aelf Public Testnet. Participants will have a chance to win ELF tokens worth up to USD $ 30,000. And there are more rewards waiting for you. In addition, the aelf team has specially set up the “Million ELF Audit Risk Fund” for audit risk assessment and control of the aelf Mainnet in the future.

Requirements

• Only professional security audit teams can take part in the program, and should follow the registration process strictly.
• Participants are required to develop a detailed audit strategy with reference to the aelf technical team’s audit objectives. They need to conduct a full security test on the project in a way as close to an actual attack as possible. They also need to submit the complete and standard audit reports as required.
• The main scope of security test is as described in the audit objectives, and may be extended to out-of-scope contexts depending on the actual testing.
• After the audit is completed, the aelf technical team will repair and re-verify the audited problems, and the participants should actively cooperate with the verification process.

How to Sign up

Participants should clearly fill in the relevant information in the application form. After the application form is submitted, the aelf team will contact the participants in time to confirm their eligibility.

Prizes

Evaluation Criteria:

The audit report will be evaluated in terms of the submission time, content completeness, content quality, etc. The aelf team has the right to conclude the program in advance if an audit report is received that meets all the criteria, and reserves the final right to interpret the event.

Referral Prize:

You can recommend any development team to participate in the program. If your recommended team wins the prize, you will be rewarded with 888 ELF, and there will be 5 places for the Referral Prize.

Million ELF Audit Risk Fund:

Following the launch of the aelf Mainnet, an amount of ELF tokens worth USD $100,000 will be taken out of the system profits as Audit Risk Fund to reward third-party auditors (not limited to teams or individual developers) through 1-year vesting. During the vesting period, these ELF tokens will be the annual income for third-party auditors if there are no security issues or vulnerabilities on the aelf Mainnet. If there is any security issue, a corresponding amount will be deducted from the Audit Risk Fund according to the severity of the vulnerabilities (the specific criteria for this deduction were developed by the aelf team). The first Audit Risk Fund is paid by the aelf Foundation when the Mainnet goes live.

Evaluation & Feedback

Evaluation Committee:

The Evaluation Committee will be consisted of members from the aelf developer team.

Evaluation Process:

After participants submit their audit reports, the aelf developer team will confirm and evaluate the reports. The evaluation results will be sent to the auditors once evaluation is completed.

Winner Announcement:

After the program is closed, the final winner list and the prize money will be announced on aelf’s official account.

Audit Report Requirements

A. Audit objectives:

You must audit all the codes of the Exchange’s security on the aelf Public Testnet, and submit a full audit report. (Exchange-side security refers to the security problems that the Exchange may face when accessing Mainnet, such as asset loss, business interruption, etc.)

B. Audit Method:

a. Recommended Audit Method:

• Black Box: conduct security test as attackers. In black-box testing, a tester doesn’t have any information about the internal working of the software system.
• Gray Box: conduct security test on code module through script tool, observe internal running state and find weaknesses;
• White Box: based on open-source and non open-source code, vulnerability spotting is carried out on nodes, SDK and other programs.

(Black box and gray box are the key security testing methods recommended by aelf.)

b. Other audit methods: Other audit methods.

Required items:

• P2P security
• RPC security
• Encryption signature security
• Account and transaction model security
• Code compliance audit

C. Report Requirements

Click the link to check the report template: https://aelf.io/gridcn/aelf_Public_Testnet_Code_Audit_Report_en.pdf

D. Submission Process and Notice:

• Participants are required to complete the audit report before the deadline of the event and send it to [email protected]. The email’s subject should be [aelf code audit report — xxxx devs team — team contact information]
• Audit report content: Your report should have as many security tests as possible. The report should correctly describe the defects, vulnerabilities and potential coding risks in the code. These contents will be included in the final evaluation.
• The system completeness of the audit report and the order of submission will be included in the evaluation.
• Unless officially authorized by aelf, participants shall not disclose the audit reports and test data to any third party. Aelf reserves the right to take legal actions against any data breach by participants.

Some suggestions for getting started with the aelf Public Testnet and implementing code audit quickly:

• You may need to set up your own node and conduct relevant security tests on it, which helps familiarize yourself with the aelf chain quickly).
• You’d better conduct relevant security tests on the testnet or the mainnet as a whole.
• If you have any questions in the audit process, you can communicate with any time, and team will answer any questions you have. (These may include but are not limited to: the latest stable source code, relevant deployment scripts or methods, transaction signature scripts, exchange docking scheme, test token, etc.).
• The necessary information of the audit process will be recorded on Google Docs to facilitate timely communication between the audit teams and aelf.
• ‘Code Compliance Audit’ section contains the key information of the Exchange: code similarity check, code patch audit, roadmap audit, recharge program audit.