Bug Buster
Badges
About
Bug Buster is an open source bug bounty platform for web3, powered by Cartesi.
Badges
About
Bug Buster is an open source bug bounty platform for web3, powered by Cartesi.
Funds can be stolen if
Funds can be frozen if
MEV can be extracted if
| SEQUENCER FAILURE | STATE VALIDATION | DATA AVAILABILITY | EXIT WINDOW | PROPOSER FAILURE | |
| OP Mainnet L2 | Self sequence | Fraud proofs (INT) | On chain | None | Self propose |
| Bug Buster L3 • Individual | Self sequence | None | On chain | None | Cannot withdraw |
| Bug Buster L3 • Combined | — | — | — | — | — |
Sequencer failure
Self sequenceState validation
NoneCurrently the system permits invalid state roots. More details in project overview.
Exit window
NoneThere is no window for users to exit in case of an unwanted regular upgrade since contracts are instantly upgradable.
Proposer failure
Cannot withdrawOnly the whitelisted proposers can publish state roots on L1, so in the event of failure the withdrawals are frozen.
Fraud proofs are in development
Ultimately, Cartesi DApps will use interactive fraud proofs to enforce state correctness. This feature is currently in development and the Bug Buster DApp permits invalid state roots.
Funds can be stolen if an invalid state root is submitted to the system by the configured Authority (CRITICAL).
Funds can be stolen if the DApp owner changes the consensus implementation maliciously (CRITICAL).
All transaction data is recorded on chain
The system has a centralized operator
The operator is the only entity that can propose blocks. A live and trustworthy operator is vital to the health of the system.
MEV can be extracted if the operator exploits their centralized position and frontruns user transactions.
Users can force any transaction
Because the state of the system is based on transactions submitted on the underlying host chain and anyone can submit their transactions there it allows the users to circumvent censorship by interacting with the smart contract on the host chain directly.
Regular exit
The user initiates the withdrawal by submitting a regular transaction on this chain. When the block containing that transaction is finalized the funds become available for withdrawal on L1. The process of block finalization usually takes several days to complete. Finally the user submits an L1 transaction to claim the funds. This transaction requires a merkle proof.
Funds can be frozen if the centralized validator goes down. Users cannot produce blocks themselves and exiting the system requires new block production (CRITICAL).
The system uses the following set of permissioned addresses:
Owner of the Bug Buster Cartesi DApp. Can change the consensus reference and therefore steal all funds.
Owner of the Authority contract - the current consensus implementation. Can make arbitrary claims about the current state of Bug Buster and steal all funds in the absence of fraud proofs.
The system consists of the following smart contracts on the host chain (OP Mainnet):
CartesiDApp instance for the Bug Buster DApp, responsible for holding assets and allowing the DApp to interact with other smart contracts. This contract can store any token.
Contract that receives arbitrary blobs as inputs to Cartesi DApps.
Contract that allows anyone to perform transfers of ERC-20 tokens to Cartesi DApps (like e.g. Bug Buster).
Simple consensus model controlled by a single address, the owner.
Contract that stores claims for Cartesi DApps.
Value Locked is calculated based on these smart contracts and tokens:
DApp Contract storing bounties funds.