StaFi rETH Bug Bounty

Details

Overview

After pulling many all-nighters, the StaFi team has finally developed rETH, a solution to the liquidity of ETH2.0 staking, with the help of community contributors. Once accessible, Stakers will be able to Stake freely in the ETH2.0 ecosystem. More importantly, the minimum Staking amount will be lowered to 0.01 ETH instead of the 32 ETH required by ETH. The rETH a user obtains after Staking can circulate, and he or she can virtually enjoy the real decentralized Liquidity Staking.

On the other hand, any validator can deposit 8ETH in the StaFi rETH contract in order to run a node in the ETH 1.0 Deposit contract. This is because a validator’s deposit will be combined with another 24ETH from StaFi users’ funds. The above validator will virtually become an Original Validator of rETH, enjoying staking rewards that are much higher than that of self-operating nodes.

For a detailed introduction to the rETH solution, please check: https://medium.com/stafi/official-release-of-stafi-staking-liquidity-solution-for-ethereum-2-0-8f1557763cfd

Security Audit

The contract of rETH contract will be formally submitted to a third-party auditing agency this week. At the same time, the Open Beta of Bug Bounty will be accessible by the StaFi community. Submission of any Bug you find during the experience will be eligible to win up to $25,000 as reward. When all tests and the audit phase are over, team will officially release rETH.

Function test stimulus

1) Period

• Start from: December 18, 2020, 21:00 (UTC+8)
• End at: January 7, 2021, 21:00 (UTC+8)

2) Related document

3) User testing task and incentives

• Task: Stake 5 times, 10 ETH each time.
• Incentives: The first 200 participants who complete the task will win 10 FIS (ERC20 FIS). Be sure to memorize the test address which will be used to receive the reward.

When you complete the task：

1. Forward the related Tweet from StaFi official Twitter account with the screenshot of your Staking operations, Staking ETH address (the same as the address in the screenshot).
2. At the same time, please @ three of your friends in the crypto community.

4. Validator task and incentives

• Task: Run the validator node through rEth and obtain more than 0.02 ETH on the Eth 2.0 testnet.
• Incentives: The top 100 validators who complete the above task will win 200 FIS (ERC20 FIS). Be sure to memorize the test address which will be used to receive the reward.

Before starting the task, you need to join the StaFi validator test group: https://t.me/stafi_reth.

When the test is completed:

1. Send the deposit ETH address, the pubkey(as shown in the figure below) in the deposit_data*.json file, and @Telegram ID@ sara8721 in the telegram group.
2. Forward the related Tweet from StaFi official Twitter account with the screenshot of your staking dashboard, deposit ETH address, the pubkey (as shown in the figure below) in the deposit_data*.json file;
3. At the same time, please @ three of your friends in the crypto community.

For any bug, vulnerability, or details that might need optimization, you are welcome to report through the same channel as that of bug submission. 

Code vulnerability testing incentives

1. Test content

• https://github.com/stafiprotocol/stafi-node

2.Criteria

• Critical: Abnormal function, ineffective function, or security breach, etc.;
• Moderate: Defects that do not affect the function, non-security issues, such as the room for optimization, performance improvement, etc.;
• Low: Unimportant issues, some minor issues that can be modified during updates, such as modifying text or notes.

Outside the scope of the bounty program

• Repeated reports on security issues, including security issues that have been confirmed by the StaFi team;
• Theoretical security issues without pragmatic application scenarios, or issues that require complex user-interactions.

3. Rules

1. It must be a newly discovered bug(s) that has/have not been reported before
2. The bug(s) found must be related to security issues in StaFi GitHub page code, but not other third-party code;
3. Have not written any codes of StaFi around the bug(s), and have not participated in any process that generated the bug(s) of StaFi in other ways;
4. Public disclosure will make you lose your bounty;
5. The StaFi team reserves the right to make the final decision on eligibility for the event and all rewards.

4. Bounty rules

The bounty will be issued in the form of FIS, and the amount will depend on the severity of the bugs found.

In addition to severity, the bounty amount will be determined (but not limited to) by other factors including:

• The accuracy and details of the bug description;
• The quality of reproducibility, such as test code, scripts, and detailed instructions.

5. Submission Method

When you find bug(s), please send a report to: [email protected]. Please attach your name, email, company name (optional), description of the bug(s), your opinion on what is the potential impact of that bug on StaFi rBridge, and how you discovered that bug.