DevLog 14 - Using a Catallax Trust to Pay Bug Bounties

Fresh off DevCon 3 we have our first bug submitted on the Catallax Trust.  Github user NickErrant pointed out in this github issue that a franchisee could lock up funds by pointing their payment address to a contract that throws on the fall back function.

Generally you can trust that people that want to get paid by a contract won’t do this, but in the case of a Catallax Trust the franchisee could be disgruntled about their payout or choose to protest for some other reason and lock up the contract.

The reason this can happen is that if address.transfer function fails then the function will throw.  Because our withdraw() function pays out to the franchisee if they exist they can block the payment.  The simple fix (and the one we’ve taken at the moment) is to use address.send instead.  If this fails it just returns false and the rest of the function continues to function.

A better solution is to use the withdraw pattern and just set the money aside for the franchisee to come get later.  This requires another storage variable in the contract so it has some cost.

We haven’t deployed the factory to produce this new contract yet so don’t set up a franchise contract until we do so. If you are interested in setting one of these up, please reach out to us and we will work with you to get everything setup correctly.

Nick raised a good point when reporting the bug that bug bounty contracts where you just try to steal the funds have pretty poor incentives for bug hunters.  As a result, we’ve made Nick the beneficiary of the bug bounty contract.  On 11/16 he’ll be able to call withdraw and get out 1/24th of the current balance.

We will leave Nick as the beneficiary until we get our next valid bug report.  At that time, provided the bug is as serious as Nick’s, we will unlock the beneficiary and transfer it to the new bug hunter 36 days later.

Of course, if you'd like to try to steal the money out of the trust you can do that too.

If you’d like to use a Catallax Trust for one of your own bug bounties please reach out to us and we can help you set it up.  The trust supports ETH and ERC20 tokens.

You can find the source code for the contracts here:

Pull down the repo and load them up in remix to interact with the contracts.

If this is interesting to you and you'd like to see where we are going with Catallax, please pick up my book Immortality (Purchase of a physical or kindle copy helps support this project).

Donations always accepted at:

BTC: 1AAfkhg1NEQwGmwW36dwDZjSAvNLtKECas

ETH and Tokens: 0x148311c647ec8a584d896c04f6492b5d9cb3a9b0

If you would like more code articles like this please consider becoming a patron on patreon.

You can discuss this article and more at our reddit page r/Catallax.