Cancelled

Security Bug Bounty for Open Runtime Module Library (ORML)

3 years ago

This bounty aims to allocate up to 100,000 DOT to cover bug bounty rewards for the Open Runtime Module Library (ORML). ORML is a community-maintained collection of Substrate runtime modules that is widely used across Polkadot and Kusama parachains.

Context of the bounty:

The Open Runtime Module Library is a community-maintained library widely used by parachains across the Kusama and Polkadot ecosystems. It is a set of runtime pallets implementing commonly needed functionality, so that teams can build a parachain in less development time and focus on their unique features. This helps the Kusama/Polkadot ecosystem grow faster.

Vulnerabilities in ORML are a shared problem for the Kusama/Polkadot community and can affect the whole ecosystem. The Acala Foundation runs a bug bounty program that already includes the ORML library. We propose to allocate up to 100,000 DOT to cover the ORML part of the Acala Bug Bounty.

Problem Statement

ORML is a commonly used library across the Kusama/Polkadot ecosystems. Vulnerabilities and security issues in these modules will therefore likely affect the whole network, not just a single parachain.

Custody of funds

We propose that the curator be a multisig account controlled by Acala, Parity and potentially other users of ORML. The signers of the multisig will assess the validity and severity of reported vulnerabilities and verify that the fixes are in place before any payout.

Curator Multisig Candidates (3/5 multisig)

Bryan Chen @ Acala
Bryan is the co-founder & CTO of Acala as well as the initiator and core contributor of ORML. He is also one of the top community contributors to Substrate and Polkadot.

Shaun Wang @ Acala
Shaun is one of the core developers at Acala and a core contributor to ORML. He is also an active contributor to Polkadot, Substrate and Cumulus.

Shawn Tabrizi @ Parity
Shawn is one of the Lead Developers at Parity Technologies working on Substrate, Polkadot, Kusama. He specializes in FRAME, Runtime development, and benchmarking.

Wei Tang @ Parity
Wei is one of the core developers at Parity Technologies. He maintains Frontier, the Ethereum-compatibility layer for Substrate.

Shumo Chu @ Manta
Shumo is a co-founder of manta.network, a privacy layer for Web3 built on zkSNARKs. Before Manta he was a research scientist at Algorand and an assistant professor at UCSB.

Additional costs

The Acala team uses Immunefi as a service for managing its bug bounty programs.
Immunefi charges an additional 10% on each reward paid to a whitehat. In return, the service provides the following advantages:

  • Private report submission, which helps ensure that a vulnerability is fixed before it is publicly disclosed;
  • A trusted third party for resolving conflicts when the same vulnerability is submitted by different bug bounty hunters;
  • Secure communication with whitehats;
  • Tracking and filtering out of irrelevant reports;
  • Exposure to a wide pool of whitehat hackers.

Cost Estimate

It is not possible to precisely estimate costs, since we do not know how many bugs will be found or of what severity. The Acala team works hard on finding vulnerabilities itself and commissions frequent security audits. We propose to allocate rewards sufficient to cover roughly 1.5 payouts for bugs of the highest severity; if necessary, we can propose a further allocation.

Technical Process

Bug bounty rewards for ORML are paid in DOT. Each vulnerability is paid separately: a child bounty is created for the reward amount plus the 10% Immunefi fee. The child bounty is curated by the Immunefi team's wallet, with the support and supervision of the on-chain curator; Immunefi pays out the whitehat and takes its commission.

The process consists of the following steps:

  • The whitehat submits a bug report to Acala via Immunefi;
  • The Acala team assesses the report for validity and the claimed level of severity;
  • The report details are disclosed to the relevant parties (e.g. Parity and affected parachain teams);
  • After the bug is mitigated, the Acala team determines the bounty value based on severity, together with the curator;
  • The curator creates a child bounty and transfers the funds to pay the whitehat plus the Immunefi fee for the work completed.

Measure of Success

Vulnerabilities and security issues in ORML reported by whitehats through the bug bounty program are fixed promptly and carefully.

Comments (4)

3 years ago

Up for vote by Council as motion 167.

3 years ago

Request for amendment

I would like to request for an amendment to the scope of this bounty. In addition to ORML, also cover bug bounty for Frontier.

Frontier is Substrate's Ethereum compatibility layer. Similar to ORML, it is used by multiple parachains including but not limited to Acala, Moonbeam and Astar. Therefore it is also critical to run a bug bounty for Frontier to incentivize researchers to help strengthen the security of Frontier and all the EVM parachains.

Bug submission

Please submit Frontier bugs to the Acala bounty program at Immunefi. Submissions to Moonbeam's or Astar's Immunefi programs may also be accepted.


