Following the hacking at DEVCON1, Martin Swende is No. 1 on the leaderboard of the Ethereum Bounty Program. The bounty program is ongoing and the last bounty awarded amounted to 5 BTC. The program is open to anyone. With BTC Relay getting ready for launch on Ethereum and its importance for many DApps, we want to highlight its ongoing security audit by including it in the Ethereum Bounty Program.

BTC Relay is an Ethereum contract that implements Bitcoin SPV: https://en.bitcoin.it/wiki/Thin_Client_Security

The chief purpose of BTC Relay is to pass along any sufficiently confirmed Bitcoin transaction to a specified Ethereum contract. If someone makes a Bitcoin payment, or any arbitrary transaction on the canonical Bitcoin blockchain, the relay should be able to send it to any specified Ethereum contract. More details in the spec.

The goal is to identify security issues such as accepting invalid blockheaders, false proofs, or invalid Bitcoin transactions. Similarly, if there is a valid Bitcoin transaction which BTC Relay does not fully relay, that would also be eligible for bounties.
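As an added illustration (not BTC Relay's own Serpent code), the Python example below shows the kind of check an SPV relay performs and how a false proof fails it: a Bitcoin-style Merkle inclusion proof verified against a block's Merkle root. The transaction data is constructed, and the function names and the 6-confirmation threshold are assumptions made for this example.

```python
import hashlib

def dsha256(data: bytes) -> bytes:
    """Bitcoin's double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def _next_level(level):
    # Bitcoin duplicates the last hash when a level has an odd count.
    if len(level) % 2:
        level = level + [level[-1]]
    return level, [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]

def merkle_root_and_branch(leaves, index):
    """Return (root, sibling hashes from leaf to root) for leaves[index]."""
    branch, level = [], list(leaves)
    while len(level) > 1:
        padded, parents = _next_level(level)
        branch.append(padded[index ^ 1])
        level, index = parents, index // 2
    return level[0], branch

def verify_inclusion(txid, index, branch, root, confirmations, min_confirmations=6):
    """True only if txid hashes up to root and the block is deep enough.

    min_confirmations=6 is an assumed threshold for this example.
    """
    if confirmations < min_confirmations:
        return False
    node = txid
    for sibling in branch:
        # The low bit of index says whether node is the right or left child.
        node = dsha256(sibling + node) if index & 1 else dsha256(node + sibling)
        index >>= 1
    # index must be exhausted, otherwise it does not fit a tree of this depth.
    return index == 0 and node == root

# Constructed sample data: five stand-in transaction hashes (internal byte order).
TXIDS = [dsha256(b"constructed tx %d" % i) for i in range(5)]
ROOT, BRANCH = merkle_root_and_branch(TXIDS, 3)
FORGED = dsha256(b"constructed forged tx")

if __name__ == "__main__":
    print(verify_inclusion(TXIDS[3], 3, BRANCH, ROOT, confirmations=6))
    print(verify_inclusion(FORGED, 3, BRANCH, ROOT, confirmations=6))
    print(verify_inclusion(TXIDS[3], 3, BRANCH, ROOT, confirmations=2))
```

A relay that skipped the final `index == 0` comparison would accept an out-of-range position whose low bits happen to match a real leaf, which is the sort of false proof the bounty asks reviewers to look for.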

Please note that since BTC Relay has a separate open-source grant for bounties, major bugs will be rewarded up to 1 BTC. Much higher rewards are possible (up to 5 BTC) in case of very severe vulnerabilities. Everyone is eligible for rewards except bounty program judges and developers of BTC Relay.

The scope is the contract: the 5 “.se” files in the root directory of:

https://github.com/ethereum/btcrelay/tree/1466934855225b1e4a87031d299c1209ba12d503

(This is a commit on https://github.com/ethereum/btcrelay develop branch).

Complete SPV client functionality is not in scope (for example, Bitcoin block timestamps are not checked, to save gas costs). Better mechanisms for incentivization, gas cost and other algorithm optimization are also not in scope. That said, any such feedback will still be gladly considered.

With BTC Relay now included in the Ethereum bounty program, most of the rules on http://bounty.ethdev.com apply. For example, websites are not part of the bounty program, and submissions are first come, first served – issues that have already been submitted by another user or are already known to the team are not eligible for bounty rewards. But this also means that beyond monetary rewards, every bounty is also eligible for:

If you’d like to join the channel for BTC Relay, it is open to all at https://gitter.im/ethereum/btcrelay. The bounty program will run for a few weeks before launching BTC Relay to Frontier. Here are some items to discuss with the community and open questions for the Frontier launch:

Finally, the BTC Relay Bounty Program was added in “news & updates” to bounty.ethdev.com a couple of weeks ago, and has already attracted 1 bounty submission!