Bounties for the Wild West
I am almost certainly not the first to compare the cryptocurrency ecosystem to the Wild West. The comparison doesn’t come out of the blue though: the current cryptocurrency ecosystem is unregulated, opaque and insecure for inexperienced users, and crowded with bad actors. I believe it is of high importance that the community establishes its own rules and self-governance methods. So who’s gonna play Sheriff in this new world?
The key puzzle to unlocking the cryptocurrency ecosystem to a broader, more mainstream and less tech-savvy audience lies in creating a sense of security for such potential users. Someone who can barely distinguish between a browser and a mail client will not be able to review and audit a smart contract’s code even if the code is transparently available on Etherscan.
Protecting your infrastructure and writing secure software is hard, as I already explained in a previous post. Even big companies such as Google and Facebook acknowledge that, even though they arguably have the best engineers in the world writing their code and the most resources to secure it. Yet they opt not to rely on their own capabilities alone and instead let the whole world help fix their bugs. They call that a “bounty campaign”.
What’s a bounty campaign?
A bounty campaign is essentially a fund that rewards users for reporting security exploits, bugs and other issues that could cause damage to the company. What a great way to reward good behaviour, right?
Unfortunately bounty campaigns don’t always play out so fairly in the real world. There are numerous stories of honest bounty hunters who never receive their reward. Even worse, some companies, instead of rewarding bounty hunters, go after them and harass them with lawsuits.
So, while in theory a bug bounty encourages doing the morally right thing, in practice it puts the risk on the bounty hunter’s shoulders. It is much safer and also more rewarding to sell an exploit anonymously on the black market than to claim the bounty through an official bounty campaign.
How can we fix bounty campaigns?
What a dilemma. So how do we get out of this mess? Isn’t there a way to make those companies play fair? Yes. This is actually a great use case for blockchain — we can establish trust between parties that do not trust each other.
I already wrote about Quantstamp creating a network to audit smart contracts and detect bugs. But they are not the only player on the field: while Quantstamp takes a broad approach to improving smart contract security, the 0xbounty project focuses on the scenario I described above: bounty campaigns. They are essentially building bounty campaigns on the blockchain.
How do bounty campaigns on the blockchain work?
On the 0xbounty network you have three different roles:
- The bounty host: Someone who wants to reward others for finding flaws and vulnerabilities in their project
- The bounty hunter: Someone who has the expertise to audit and find those flaws in a project
- The bounty sheriff: Someone who reviews the work of the bounty hunters.
So, instead of trusting the company, the bounty hunters now have to trust a third party that can easily be corrupted? Fortunately it’s not that simple. The bounty sheriff puts something on the line — their stake — and in turn gets a reward for doing their work properly. If the bounty sheriff misuses their power, they can lose their stake.
With this setup we can establish trust between these three mutually distrustful parties. Now the incentives are aligned:
- The bounty hunter can rest assured that their contributions will be rewarded and not used against them
- The bounty host knows that all submissions from bounty hunters are checked by experts, which saves them administration work and greatly increases the reputation and efficiency of their bounty campaign.
- The bounty sheriffs get rewarded for doing their job properly. If they don’t, they get punished, so they are incentivised to work thoroughly.
When can we have it?
The 0xbounty project has a working Alpha version released already — you can check it out here. There are loads of interesting bounties that they have created around their own platform as well as their token sale.
A few last words
I hope this introduction to a specific problem and the review of a new project was helpful to you. If you have any further questions, please add a comment below!