StaFi Protocol rBridge Bug Bounty - DropsEarn

    The Beta test version was released first because the team must take on the responsibility of safeguarding users’ assets. Through the beta version, the team will conduct a one-week public test before the official launch.

    Reward pool
    Unknown
    Expected profit
    $50 - 2,000
    Max participants
    DropsEarn score
    Neutral

  • Activity Type: Testing Bug bounty Community
  • Date: from 13 Nov 2020 12:00(UTC+3)
  • Registration: Open
  • Event status: You can participate (Event started, Registration open)
  • Links: Official Announcement

Event details

Summary

In the past month, the core engineers of StaFi have pulled many all-nighters to complete the development of rBridge. A cross-chain bridge on Ethereum, rBridge will act as a channel linking StaFi mainnet assets and Ethereum chains. Users can exchange FIS for ERC 20 FIS at a 1:1 rate by using rBridge. Thereafter, they will be able to access transactions, lending and other applications of the DeFi world of Ethereum.

What is the use of rBridge? It can enable FIS tokens to be traded on Uniswap. This is, of course, just one of its many applications. rBridge will help with cross-chain interoperation between assets on the StaFi mainnet and other ecosystems, including Ethereum, Polkadot, and Cosmos. Therefore, the team will keep updating rBridge products in the future, so that FIS tokens and rToken assets issued by StaFi can freely circulate across different public chains at a low cost.

Product Introduction

Holders of FIS tokens can exchange ERC 20 FIS tokens through rBridge. Here’s how you can do so:

1) First, fill in the number of ERC 20 FIS tokens you want to exchange and the Ethereum address for the payment on the StaFi rBridge product page;

2) rBridge will automatically calculate the current ETH network charge and the amount of FIS tokens to be paid at the current FIS/ETH exchange rate;

3) The user confirms and makes the payment, which will be temporarily locked in a transitional contract address;

4) When the rBridge contract deployed on the Ethereum network monitors the user’s request on the StaFi chain, it will automatically mint the same amount of ERC 20 FIS tokens and transfer them to the Ethereum payment address filled in by the user;

5) In less than 1 minute, the user will receive the ERC 20 FIS tokens.

Note that rBridge is convenient for users: they do not need to pay the commission from their ETH wallet while connected to the StaFi wallet. The team will pay it on their behalf, so they only need to pay FIS at the current FIS/ETH exchange rate.

To encourage everyone to use rBridge products, the team will not charge any service fees at the beginning. The rate scale is detailed below:

 

Image for post


Security Audit

StaFi ETH rBridge includes 3 technical modules, which are:

1) StaFi bridge module:

https://github.com/stafiprotocol/stafi-node/tree/bridge/node/pallets/bridge

2) StaFi Relay Bridge Service:

https://github.com/stafiprotocol/chainbridge

3) ETH smart contract:

https://github.com/stafiprotocol/bridge-solidity

The team will post updates on CertiK’s audit progress on the DAO forum: https://commonwealth.im/stafi/proposal/discussion/727-audit-process


Bug Bounty Program

Ⅰ. Function Test

1. Process

1) Test the verification of the ETH address

2) Test the initiation of a transaction

3) Test whether the transaction is successful (whether the ERC 20 token is received)

4) Test whether the number of tokens received is consistent with that of the ERC 20 tokens that were converted to ETH

2. Test document:

https://docs.google.com/document/d/1GkZhR5JyntglKftaEZT8HahADvlUqb4Kie2hY--Aa64/edit#heading=h.98mrnkn6xplb
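
Function-test checks 3) and 4) above, together with the "same amount" mint described in the Product Introduction, can be automated as a reconciliation between StaFi-side requests and Ethereum-side mints. The following is an added example, not code from StaFi or from the original post; the event fields (`nonce`, `recipient`, `amount`) and all sample records are constructed assumptions, with amounts in integer base units.

```python
from collections import Counter

# Constructed sample data: field names and values are assumptions for illustration.
ADDR_A = "0x" + "ab" * 20
ADDR_B = "0x" + "cd" * 20
REQUESTS = [  # swap requests observed on the StaFi chain
    {"nonce": 1, "recipient": ADDR_A, "amount": 5000},
    {"nonce": 2, "recipient": ADDR_B, "amount": 1000},
    {"nonce": 3, "recipient": ADDR_A, "amount": 2000},
    {"nonce": 4, "recipient": ADDR_B, "amount": 7000},
]
MINTS = [  # ERC 20 FIS mints observed on Ethereum
    {"nonce": 1, "recipient": "0x" + "AB" * 20, "amount": 5000},  # differs in case only
    {"nonce": 2, "recipient": ADDR_B, "amount": 999},             # one unit short
    {"nonce": 3, "recipient": ADDR_A, "amount": 2000},
    {"nonce": 3, "recipient": ADDR_A, "amount": 2000},            # same request minted twice
    {"nonce": 9, "recipient": ADDR_B, "amount": 1},               # no matching request
]

def reconcile(requests, mints):
    """Return sorted (nonce, finding) tuples where the 1:1 expectation is broken."""
    findings = []
    by_nonce = {r["nonce"]: r for r in requests}
    mint_counts = Counter(m["nonce"] for m in mints)
    checked = set()
    for m in mints:
        n = m["nonce"]
        req = by_nonce.get(n)
        if req is None:
            findings.append((n, "mint without request"))
            continue
        if n in checked:
            continue  # repeated mints are reported once, below
        checked.add(n)
        if m["amount"] != req["amount"]:
            findings.append((n, "amount mismatch"))
        # Hex addresses are compared case-insensitively (checksum casing may differ).
        if m["recipient"].lower() != req["recipient"].lower():
            findings.append((n, "recipient mismatch"))
    for n, count in mint_counts.items():
        if count > 1 and n in by_nonce:
            findings.append((n, "minted more than once"))
    for n in by_nonce:
        if n not in mint_counts:
            findings.append((n, "request not minted"))
    return sorted(findings)

if __name__ == "__main__":
    for nonce, finding in reconcile(REQUESTS, MINTS):
        print(nonce, finding)
```
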

Ⅱ. Code Testing

1. Range

StaFi bridge module:

https://github.com/stafiprotocol/stafi-node/tree/bridge/node/pallets/bridge

StaFi Relay Bridge Service:

https://github.com/stafiprotocol/chainbridge

ETH smart contract:

https://github.com/stafiprotocol/bridge-solidity

2. Process

1) Detect bugs in the code, and submit issues with regard to functions and security.

2) Find which portions of the code are to be optimized in terms of performance, security, and cost savings.

Ⅲ. Criteria

  • Critical: Abnormal function, ineffective function, or security breach, etc.;
  • Moderate: Defects that do not affect the function, non-security issues, such as the room for optimization, performance improvement, etc.;
  • Low: Unimportant issues, some minor issues that can be modified during updates, such as modifying text or notes.

Outside the scope of the bounty program

  • Repeated reports on security issues, including security issues that have been confirmed by the StaFi team;
  • Theoretical security issues without pragmatic application scenarios, or issues that require complex user-interactions.

Ⅳ. Rules

  1. It must be a newly discovered bug(s) that has/have not been reported before;
  2. The bug(s) found must be related to security issues in the code on the StaFi GitHub page, not in other third-party code;
  3. You must not have written any StaFi code around the bug(s), and must not have participated in any other way in the process that generated the bug(s);
  4. Public disclosure will make you lose your bounty;
  5. The StaFi team reserves the right to make the final decision on eligibility for the event and all rewards.

Ⅴ. Bounty rules

The bounty will be issued in the form of FIS, and the amount will depend on the severity of the bugs found.

 

Image for post

 

In addition to severity, the bounty amount will depend on other factors, including but not limited to:

  • The accuracy and details of the bug description;
  • The quality of reproducibility, such as test code, scripts, and detailed instructions.