Security Bug Bounty - VIP191 Designated Gas Payer
What is VIP191 - Designated Gas Payer

VIP191 is the implementation of the proposal submitted by Totient Labs to improve the existing Multi-party Payment Protocol (MPP) of the VeChainThor blockchain. By expanding the signature field to contain an additional delegatorSignature concatenated with the sender signature, VIP191 allows someone other than the sender, known as a Designated Gas Payer, to co-sign a transaction in order to pay its transaction fee. This improvement will broaden the use cases of the fee delegation feature and answer questions such as:

  • How to sponsor a specific operation which calls multiple contracts in a more flexible manner?
  • How to sponsor multi-clause transactions where each clause is to a different contract?

While the MPP feature has been instrumental in building the first wave of applications on VeChainThor, we are actively engaged in growing use cases and scenarios, and we are glad to confirm that in the latest release, v1.1.0, VIP191 will be activated at block #2,898,800 (~ Tue, 28 May 2019 04:00 GMT) on the VeChainThor testnet. VIP191 activation on mainnet will occur after the test is concluded and any identified vulnerabilities are remediated.

You can find more info about VIP191 in the Medium article by Totient Labs.

Example Code to create a VIP 191 TX

This special bounty program is limited to the VIP191 - Designated Gas Payer feature. Ongoing bug bounties are also available on Slowmist and Hacken Proof.

What to look for
  • Transaction / messages malleability
  • Other vulnerabilities or viable attack vectors relating to the VIP191
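
The concatenated signature field described above is the natural place to review for malleability. The following is an added example, not VeChain's or Totient Labs' code, of the structural checks a verifier can apply to that field. It assumes, beyond what this page states, that each signature is 65 bytes laid out as r || s || v on secp256k1; the function names and sample values are constructed for illustration.

```python
# Added example (not VeChain's code): structural checks on a VIP191 signature field.
# Assumptions, not stated on the page: each signature is 65 bytes laid out as
# r || s || v on secp256k1, with v a recovery id of 0 or 1.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
SIG_LEN = 65


def make_sig(r: int, s: int, v: int) -> bytes:
    """Build a constructed (non-genuine) signature blob for the demo."""
    return r.to_bytes(32, "big") + s.to_bytes(32, "big") + bytes([v])


def check_signature(sig: bytes) -> list:
    """Return the problems found in one 65-byte r || s || v signature."""
    r = int.from_bytes(sig[:32], "big")
    s = int.from_bytes(sig[32:64], "big")
    problems = []
    if not 0 < r < SECP256K1_N:
        problems.append("r out of range")
    if not 0 < s < SECP256K1_N:
        problems.append("s out of range")
    elif s > SECP256K1_N // 2:
        # (r, n - s) is also a valid ECDSA signature for the same message,
        # so accepting the whole range admits two encodings per signature.
        problems.append("high s (malleable encoding)")
    if sig[64] not in (0, 1):
        problems.append("recovery id not 0 or 1")
    return problems


def split_vip191_signature(field: bytes, delegated: bool) -> dict:
    """Split the field into sender and delegator parts and check each one."""
    expected = SIG_LEN * 2 if delegated else SIG_LEN
    if len(field) != expected:
        # Trailing or missing bytes must be rejected, never silently ignored.
        raise ValueError(f"signature field is {len(field)} bytes, expected {expected}")
    report = {"sender": check_signature(field[:SIG_LEN])}
    if delegated:
        report["delegator"] = check_signature(field[SIG_LEN:])
    return report


if __name__ == "__main__":
    sender = make_sig(5, 7, 0)                    # constructed values
    delegator = make_sig(5, SECP256K1_N - 7, 1)   # same r, negated s
    print(split_vip191_signature(sender + delegator, delegated=True))
```

An empty list for a part means none of these structural problems were found; it says nothing about whether the signature verifies against the transaction.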

The size of the bounty
*The rewards will be paid out in VET based on the current price.

Program Duration
From May 28, 2019 to June 18, 2019.

Tools & Links
  • Download Sync, connect to testnet, generate a wallet address yourself, and receive test tokens via the faucet
  • Please find full technical documentation relating to VeChainThor blockchain in the developer information center

How to submit bug reports
Please submit your report through this FORM!

The rules of the VeChain CyberSecurity Program are as follows:
  • You must not disrupt any service, or compromise personal data
  • You must send a clear textual description of the work done, along with steps to reproduce the vulnerability
  • After sending a report, you must not disclose it to anyone or anywhere. Public disclosure of a vulnerability makes it ineligible for a reward
  • For similar issues, only the first submission is eligible for bounty reward
  • In case you find chain vulnerabilities, we pay only for the vulnerability with the highest severity
  • It’s entirely at VeChain's discretion to decide whether a bug is significant enough to be eligible for reward and its severity

Check out the Developer Information Center for technical documentation and the Official Telegram Developer Channel for development resources. Please make sure you have read and agree to the rules of VeChain Bounty programs.