The Chainlink continues its program for finding bugs and vulnerabilities. SmartContract looks forward to working with the security community to find vulnerabilities in order to keep businesses and customers safe.
The Chainlink node is a part of a decentralized oracle network used to feed data to smart contracts. Job Specifications are added to the node through a REST API so that it knows what tasks to perform. The Chainlink node utilizes a websocket connection (for pubsub) to an Ethereum client (Geth or Parity) in order to watch for new blocks containing specific event logs. Once the external data is retrieved, the Chainlink node will sign the transaction, and broadcast it through the Ethereum client (the wallet is stored on the Chainlink node, not the Ethereum client). An overview of the architecture is available here.
Core Node: github.com/smartcontractkit/chainlink/core
The Chainlink node and its smart contracts are the core focus of this program. Issues related to a loss of funds for the node operator or requester will take the highest bounty reward. There are a few areas of this code base which are out-of-scope, see the Scope section at the bottom of this page for details.
We also have a project tracker where existing bugs are kept. Be sure to check there for issues that we already know about.
Solidity Smart Contracts: github.com/smartcontractkit/chainlink/evm-contracts
The smart contracts residing on the Github repository are in scope and will be awarded with bonuses if a vulnerability is found through creating Chainlink requests.
LINK Testnet Faucets: ropsten.chain.link, rinkeby.chain.link, & kovan.chain.link
The faucets provide users with the ability to receive test LINK on test networks. Since they are test networks, we are more concerned with vulnerabilities which would cause a loss of service.
Explorers: explorer.chain.link, ropsten.explorer.chain.link, rinkeby.explorer.chain.link, kovan.explorer.chain.link (github.com/smartcontractkit/chainlink/explorer)
Chainlink Explorer allows requesters to view information about their request without requiring access to the Chainlink node themselves.
Feeds UI: feeds.chain.link (github.com/smartcontractkit/chainlink/feeds)
The application and source code driving the Decentralized Price Reference Data page.
This guides available for how to get a Chainlink node running locally. See the links below for step-by-step walk-throughs. Feel free to reach out on Discord for help.
Use Decentralized Oracles on Testnet documentation page for existing Chainlink nodes running on the Ethereum test networks. Vulnerabilities found with the official Chainlink nodes (noted by being ran by Chainlink) on this page are considered in scope.