# Eth2 Phase 0 _Pre-Launch_ Bounty Program

We are excited to kick off the _Eth2 Phase 0 Pre-Launch Bounty Program_. This program is designed to incentivize _you_ to find and report bugs in the [core Eth2 Phase 0 specs](https://github.com/ethereum/eth2.0-specs/tree/master) prior to mainnet launch 🐛.

The Ethereum Foundation will run this program from now until just prior to the Phase 0 mainnet launch. After Phase 0 is in production, we will transition Phase 0 bounties to the standard [Ethereum Bounty Program](https://bounty.ethereum.org/).

**Note**: As of 2020/5/6 all rewards have been _doubled_ for a maximum reward of $20k for critical bugs :)

**Note**: As of 2020/6/22, the [Solidity eth2 deposit contract](https://github.com/axic/eth2-deposit-contract) and its [formal verification](https://github.com/runtimeverification/deposit-contract-verification/blob/master/deposit-contract-verification.pdf) have been added to the scope of the bounty program.

## Rules

* The [Phase 0 Beacon Chain](https://github.com/ethereum/eth2.0-specs/blob/master/specs/phase0/beacon-chain.md) and [Phase 0 Fork Choice](https://github.com/ethereum/eth2.0-specs/blob/master/specs/phase0/fork-choice.md) specs in the `master` branch, as well as the [Solidity eth2 deposit contract](https://github.com/axic/eth2-deposit-contract) and its [formal verification](https://github.com/runtimeverification/deposit-contract-verification/blob/master/deposit-contract-verification.pdf), are currently in scope
* Issues that have already been submitted by another user or are already known to the Ethereum Foundation are not eligible for bounty rewards
* All bugs must be reported as an issue or PR to the [eth2.0-specs repo](https://github.com/ethereum/eth2.0-specs)
* Anonymous submissions can be made to [email protected] but are _not_ eligible for reward
* The Ethereum Foundation is solely responsible for judging the validity and severity level of the reported bug
* Awards can be redeemed in ETH or DAI
* Eth2 client teams are eligible to participate but will be held to a higher level of scrutiny (e.g. no hoarding bugs, no introducing bugs during the spec writing process, etc). The EF research team is not eligible.

**Note:** Only the [core eth2 _specs_](https://github.com/ethereum/eth2.0-specs) are in scope. Client implementations can be a useful tool for understanding and debugging the spec, but bugs in client implementations are _not_ currently up for bounty.

## How to report

All bugs must be reported as an issue or PR to the [eth2.0-specs repo](https://github.com/ethereum/eth2.0-specs). Please follow this reporting structure to aid in prompt review:

* Prefix the name of the Issue/PR with "[Bug Bounty]"
* Use the following structure for the body of the Issue/PR
    * **Description**: _High-level description of the bug [1 sentence]_
    * **Attack scenario**: _More detailed description of the attack/bug scenario and the unexpected/buggy behaviour [1 to 3 sentences]_
    * **Impact**: _Describe the effect this may have in a production setting [1 to 2 sentences]_
    * **Components**: _Point to the files, functions, and/or specific line numbers where the bug occurs [1 to 2 sentences]_
    * **Reproduction**: _If you used any tools or simulations to find the bug, describe in detail how to reproduce the buggy behaviour. Showcasing the bug using the python spec and the associated test infrastructure found in the spec repo is preferred!_
    * **Details**: _Very specific details about the bug: what state the system must be in, what types of messages must be included and in which order, etc._
    * **Fix**: _Description of the suggested fix, if available_

## Severity levels and rewards

The following "severity levels" are used to classify the severity of bugs and to reward those found in this bounty program. Amounts are denominated in USD.

**Note**: As of 2020/5/6 all rewards have been _doubled_ for a maximum reward of $20k for critical bugs :)

* **Low -- $1000**
    * Definition: Has little to no impact on the functionality of the beacon chain system, but can still be considered a "defect" and is worth fixing
    * Examples:
        * In some scenarios, justification bits are improperly updated, but the resulting finality calculations are still correct
* **Medium -- $5000**
    * Definition: Does not influence the primary operation of the beacon chain system, but is not the intended behavior
    * Examples:
        * Attestation rewards during an epoch are given to `N - 1` of the participants as opposed to all `N` of the participants
        * In some scenarios, the inactivity leak begins after `MIN_EPOCHS_TO_INACTIVITY_PENALTY + 1` epochs instead of the expected `MIN_EPOCHS_TO_INACTIVITY_PENALTY` epochs
* **High -- $10000**
    * Definition: Impacts the primary operation of the beacon chain, but does not cause the system to crash or fully stop finalizing
    * Examples:
        * In certain states, finality calculations only occur every 4th epoch instead of every epoch
        * Some subset of valid blocks cannot be successfully added to the block tree in the fork choice
* **Critical -- $20000**
    * Definition: Causes the beacon chain system to crash, entirely stop finalizing, or otherwise break in a critical way
    * Examples:
        * The system can enter a state in which it can no longer update the finalized checkpoint even when sufficient attestations have been included on chain
        * The system can enter a state in which new, valid blocks cannot be added to the block tree in the fork choice
        * In some scenarios, honest validators can be slashed
        * Underflow or overflow occurs in rewards calculations, resulting in unexpectedly minted (or destroyed) ETH or client crashes

## Useful resources

* [Core eth2 specs](https://github.com/ethereum/eth2.0-specs/tree/master)
* [Executable spec on pypi](https://pypi.org/project/eth2spec/) -- `pip install eth2spec`
* [Design rationale](https://notes.ethereum.org/@vbuterin/rkhCgQteN?type=view)
* [Phase 0 for Humans](https://notes.ethereum.org/@djrtwo/Bkn3zpwxB?type=view) -- note, a version behind but still useful
* [Annotated Spec](https://benjaminion.xyz/eth2-annotated-spec/)
* [Eth R&D discord](https://discord.gg/VmG7Uxc) -- we're happy to answer questions!

## Privacy

The Ethereum Foundation is not responsible for any private information that might be leaked as a result of this bounty program. In the event that the reporting of a bug _does leak_ private information (e.g. logs from a testnet containing IP addresses), we ask that you withhold any such information from the public report. Instead, please note that there are additional accompanying resources to be shared, and the bug bounty evaluators will be in touch.

## Important legal information

This bug bounty program is an experimental and discretionary rewards program for our active Ethereum community to encourage and reward those who are helping to improve the platform. It is not a competition. You should know that we can cancel the program at any time, and awards are at the sole discretion of the Ethereum Foundation. In addition, we are not able to issue awards to individuals who are on sanctions lists or who are in countries on sanctions lists (e.g. North Korea, Iran, etc). You are responsible for all taxes. All awards are subject to applicable law. Finally, your testing must not violate any law or compromise any data that is not yours.