Immunefi has officially launched the first version of its decentralized bug bounty protocol today, the Whitehat Protocol, less than a month after laying out its vision. Protocol v0.1 is now live on xDai mainnet.
The Whitehat Protocol aims to be the first and last bug bounty solution for DeFi, and eventually the entire internet.
To date, Immunefi-sourced disclosures have prevented billions of dollars in economic damage. We’ve paid out millions in bug bounties. We’ve surfaced dozens of critical vulnerabilities in on-chain DeFi protocols. We’re trusted by projects like Synthetix, Vesper, SushiSwap, Chainlink, and Bancor. The Whitehat Protocol will help keep the community safe from devastating hacks.
How does it work?
In our previous announcement, we said we’d develop the protocol by stress testing every individual part of the bounty process in a centralized environment before porting them over to a protocol. That’s exactly what we’ve done.
The Whitehat Protocol v0.1 performs three functions:
1) it records when a bug was reported, in a publicly verifiable way, via a commit/reveal scheme
2) it serves as a public feed of the descriptions of bugs found by the security community
3) it serves as a public feed of payments made by projects to hackers
Recording the report on-chain at submission time does not create a security risk, because only a Merkle commitment to the report is posted at that point: a Merkle tree lets the hacker prove that particular data (the bug report, for example) existed at commit time without revealing anything sensitive about its contents. Later, once the bug is fixed, the report can be disclosed on-chain and the hacker can claim payment publicly.
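As an added illustration of the commit/reveal idea (this is not code from the notary repository or the protocol contracts), the Python below turns each field of a bug report into a salted leaf, commits only the Merkle root to a toy notary that records a sequence number, and later discloses a single field with an inclusion proof while the other fields (the proof of concept, say) stay private. The field names, the salt scheme, the 0x00/0x01 domain separation, the `Notary` class and the sample report are all assumptions made for the example, not the protocol's design; the report contents are constructed.

```python
"""Commit/reveal of a bug report over a Merkle tree (added example, not the protocol's code)."""
import hashlib
import os


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(field: str, value: str, salt: bytes) -> bytes:
    # Leaf = H(0x00 || field || 0x1f || value || 0x1f || salt).
    # The per-leaf salt stops anyone from recovering a low-entropy field
    # (a severity label, a short address) by hashing candidate values and
    # comparing against the leaf. The 0x00 prefix separates leaves from
    # inner nodes so a leaf can never be passed off as a node.
    return _h(b"\x00" + field.encode() + b"\x1f" + value.encode() + b"\x1f" + salt)


def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)


def _pad(level):
    # Duplicate the last node on odd-sized levels so every node has a sibling.
    return level + [level[-1]] if len(level) % 2 else level


def build_levels(leaves):
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = _pad(levels[-1])
        levels.append([node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def merkle_root(leaves) -> bytes:
    return build_levels(leaves)[-1][0]


def merkle_proof(leaves, index):
    # Proof = list of (sibling_hash, sibling_is_on_the_right), bottom up.
    proof = []
    for level in build_levels(leaves)[:-1]:
        level = _pad(level)
        proof.append((level[index ^ 1], index % 2 == 0))
        index //= 2
    return proof


def verify_proof(root: bytes, leaf: bytes, proof) -> bool:
    h = leaf
    for sibling, sibling_is_right in proof:
        h = node_hash(h, sibling) if sibling_is_right else node_hash(sibling, h)
    return h == root


def _leaves(report, salts):
    # Deterministic field order so committer and verifier build the same tree.
    return [leaf_hash(f, report[f], salts[f]) for f in sorted(report)]


def commit_report(report):
    """Return (root, salts). Only the root goes on-chain; salts stay with the hacker."""
    salts = {f: os.urandom(16) for f in report}
    return merkle_root(_leaves(report, salts)), salts


def reveal_field(report, salts, field):
    """Disclose one field plus its salt and inclusion proof; nothing else leaks."""
    fields = sorted(report)
    return {"field": field, "value": report[field], "salt": salts[field],
            "proof": merkle_proof(_leaves(report, salts), fields.index(field))}


def verify_reveal(root: bytes, reveal) -> bool:
    leaf = leaf_hash(reveal["field"], reveal["value"], reveal["salt"])
    return verify_proof(root, leaf, reveal["proof"])


class Notary:
    """Toy stand-in (assumption) for the on-chain notary: stores each commitment
    under a sequence number, which is the publicly verifiable 'when'."""

    def __init__(self):
        self.commits = {}
        self.seq = 0

    def commit(self, root: bytes) -> int:
        if root in self.commits:
            raise ValueError("already committed")
        self.seq += 1
        self.commits[root] = self.seq
        return self.seq

    def reveal(self, root: bytes, reveal) -> bool:
        if root not in self.commits:
            raise KeyError("unknown commitment")
        return verify_reveal(root, reveal)


def demo():
    # Constructed sample report; the target and bug are placeholders, not a real finding.
    report = {"target": "ExampleVault (constructed)", "severity": "critical",
              "title": "constructed: reentrancy in withdraw()",
              "poc": "constructed: re-enter withdraw() from a receive() hook"}
    root, salts = commit_report(report)
    notary = Notary()
    seq = notary.commit(root)                      # 1. commit at submission time
    disclosure = reveal_field(report, salts, "title")   # 2. later, reveal only the title
    ok = notary.reveal(root, disclosure)
    tampered = dict(disclosure, value=disclosure["value"] + " (edited)")
    return seq, ok, notary.reveal(root, tampered)  # (1, True, False)


if __name__ == "__main__":
    print(demo())
```

The verifier needs only the on-chain root, the revealed field, its salt and the proof; the PoC and every other field remain unknown to it. Because each leaf is salted, a committed root also reveals nothing about fields whose values are guessable, which is the caveat to keep in mind whenever a plain hash of a short value is used as a commitment.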
Effective immediately, Immunefi will pay hackers for valid smart contract reports that include a Proof of Concept (PoC) from the date of submission. For example, a critical can earn up to $1,000 USD even before the project mitigates the bug. Once the project mitigates it, the project transfers the payment to the whitehat through the on-chain escrow, which makes the payment fully transparent.
These three components represent the first step towards a fully decentralized protocol. As promised, we’ll release new features in the weeks and months ahead.
You can find the protocol contract here: https://blockscout.com/xdai/mainnet/address/0x545Ea042F65B855Db5d1859e318C144CBB59dd09/
With the implementation here:
https://blockscout.com/xdai/mainnet/address/0x66d78Fecd6f87AC2B9E82754836984EFa79943Eb/
You can find our source code here:
https://github.com/immunefi-team/notary
What this means for projects
Projects on Immunefi do not have to interact with the on-chain mechanics if they do not want to. We will continue to provide the same white glove service and crisis support that we have so far.
Additionally, any other project can use the protocol to create an immutable record for their own bug bounty program, and leverage all future features built on the protocol.
What this means for hackers
Hackers can continue using the Immunefi bugs backend platform to submit bugs as usual. The user experience will not change for now, since the blockchain integration will be handled by the UI.
The Road Ahead
As part of the initial release, the protocol is transparent and on-chain, but still centralized. The plan is to progressively decentralize it as we add new features and stress-test the contracts. Currently there is no automatic judgment of bounties on-chain; we hope to change that soon. We also intend to have real, on-chain escrowed bounties, where a project deposits a pool of funds into the escrow contract and payments are made out of that pool automatically. More details (and many more features) will come later.
Stay tuned for more updates. If you have any questions, join our Discord community.
We’d love to work with anyone who wants to help us create the immune system of crypto. Please apply to our jobs site here and help us build the security stack of the future.