Inspiration
Our inspiration came from the friction and lack of trust in the current bug bounty landscape. Centralized platforms act as costly intermediaries, payment disputes are common, and researchers often have no guarantee of being rewarded for their work. We saw an opportunity to apply core Web3 principles—trustlessness, transparency, and censorship-resistance—to build a system where the rules are enforced by code, not by a company.
A key catalyst for this project was a LinkedIn post by Daniel Stenberg, the creator of curl. He detailed his frustrating experience with a centralized platform regarding a responsible vulnerability disclosure, highlighting the exact problems of opaque processes and potential unfairness that BugChan is designed to solve. His story served as a powerful reminder that even the most foundational open-source projects need a more transparent and trustless system for security, which solidified our mission.
What it does
BugChan is a fully functional, decentralized bug bounty platform that connects projects and security researchers.
For Projects: It empowers them to create on-chain bounty programs by locking reward funds into a secure smart contract escrow. They can confidentially review encrypted vulnerability reports and manage the entire lifecycle of their program transparently.
For Researchers: It provides a list of bounties with guaranteed, verifiable prize pools. Researchers submit their findings through a client-side encryption workflow and, if a submission is accepted, receive an equal share of the locked reward. A staking mechanism deters spam: each submission locks a stake that is slashed if the report is rejected, so low-effort reports cost the submitter.
How we built it
BugChan is a full-stack dApp built as a Yarn monorepo, based on a heavily modified Scaffold-ETH 2 framework.
Smart Contracts (Backend): The on-chain logic is written in Solidity and built using Hardhat 3. The architecture features a BountyFactory contract that deploys individual, self-contained Bounty contracts for each program. Each Bounty contract manages its own escrow, submission state, and automated settlement logic.
Frontend dApp: The user interface is a modern Next.js application using the App Router, with all blockchain interactions managed by Wagmi and Viem. We used RainbowKit for a seamless multi-wallet experience and Tailwind CSS for the UI.
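To make the factory / escrow / settlement split concrete, here is an added illustrative sketch in Solidity. It is not BugChan's code: the two contract names follow the description above, but every function, parameter and the exact settlement rules (equal split of the pool among accepted reports, stake refunded on accept, stake slashed to the owner on reject, as in the staking mechanism described under "What it does") are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative sketch, not BugChan's code: one factory deploys one
/// self-contained Bounty escrow per program. All names and rules are assumed.
contract BountyFactory {
    address[] public bounties;
    event BountyCreated(address indexed bounty, address indexed owner, uint256 pool);

    /// Locks msg.value as the prize pool inside a fresh Bounty contract.
    function createBounty(uint256 stakeAmount, uint64 deadline) external payable returns (address) {
        Bounty b = new Bounty{value: msg.value}(msg.sender, stakeAmount, deadline);
        bounties.push(address(b));
        emit BountyCreated(address(b), msg.sender, msg.value);
        return address(b);
    }
}

contract Bounty {
    enum Status { Pending, Accepted, Rejected }
    struct Submission { address researcher; string reportCid; Status status; }

    address public immutable owner;
    uint256 public immutable stakeAmount;  // stake locked per submission
    uint64  public immutable deadline;     // submissions close at this timestamp
    uint256 public immutable pool;         // prize pool locked at creation
    Submission[] public submissions;
    uint256 public acceptedCount;
    bool public finalized;
    mapping(address => uint256) public payouts;  // pull-payment balances

    constructor(address _owner, uint256 _stake, uint64 _deadline) payable {
        require(msg.value > 0, "empty pool");
        owner = _owner; stakeAmount = _stake; deadline = _deadline; pool = msg.value;
    }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    /// Researcher posts the IPFS CID of the encrypted report and locks the stake.
    function submit(string calldata reportCid) external payable returns (uint256) {
        require(block.timestamp < deadline, "closed");
        require(msg.value == stakeAmount, "wrong stake");
        submissions.push(Submission(msg.sender, reportCid, Status.Pending));
        return submissions.length - 1;
    }

    /// Accept refunds the stake; reject slashes it to the owner (compensation
    /// for review time, as the page describes). Reviews stop once finalized.
    function review(uint256 id, bool accept) external onlyOwner {
        require(!finalized, "finalized");
        Submission storage s = submissions[id];
        require(s.status == Status.Pending, "already reviewed");
        if (accept) {
            s.status = Status.Accepted;
            acceptedCount += 1;
            payouts[s.researcher] += stakeAmount;
        } else {
            s.status = Status.Rejected;
            payouts[owner] += stakeAmount;
        }
    }

    /// After the deadline, split the pool equally among accepted submissions.
    /// Still-pending submissions get their stake back (neither accepted nor slashed).
    function finalize() external {
        require(block.timestamp >= deadline, "still open");
        require(!finalized, "done");
        finalized = true;
        uint256 share = acceptedCount > 0 ? pool / acceptedCount : 0;
        for (uint256 i = 0; i < submissions.length; i++) {
            Submission storage s = submissions[i];
            if (s.status == Status.Accepted) payouts[s.researcher] += share;
            else if (s.status == Status.Pending) payouts[s.researcher] += stakeAmount;
        }
        // integer-division dust, or the whole pool if nothing was accepted, returns to the owner
        payouts[owner] += pool - share * acceptedCount;
    }

    /// Pull payment: the balance is zeroed before the transfer, so a reentrant
    /// call from a malicious recipient cannot claim twice.
    function claim() external {
        uint256 amount = payouts[msg.sender];
        require(amount > 0, "nothing to claim");
        payouts[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

Two design points worth noting. Payouts are pulled rather than pushed so that one recipient's failing or reverting receiver cannot block settlement for everyone else. And the owner is the sole judge of each report while also receiving slashed stakes, so the contract alone cannot protect a researcher from a wrongful rejection; that is exactly the gap the dispute-resolution item under "What's next" would close. The unbounded loop in `finalize` is acceptable while the stake bounds the number of submissions, but a production version should bound or paginate it.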
Integrations & Core Technologies:
- Lighthouse: We use the Lighthouse SDK for all confidential data handling. It powers our client-side encryption of reports before they are uploaded to IPFS and manages decryption access control for bounty owners.
- Pyth Network: To provide reliable, real-time ETH/USD price data, we integrated the Pyth Network's pull oracle. We engineered a multi-layered, fail-safe fetching strategy that uses the Hermes SDK, direct on-chain reads, and legacy HTTP endpoints to ensure price data is always available.
- Blockscout: To enhance transparency, we launched a dedicated explorer for our platform using the Autoscout self-service launchpad, allowing anyone to audit all on-chain activity.
Challenges we ran into
Modernizing the Toolchain: Our foundational framework, Scaffold-ETH 2, was built on Hardhat v2. We made the strategic decision to migrate the entire backend to Hardhat 3 to leverage its performance benefits and modern features. This was a significant challenge that required manually upgrading dependencies, refactoring our deployment and testing scripts, and ensuring compatibility with the rest of the stack.
Building a Resilient Price Oracle: A simple price feed integration wasn't enough; we needed it to be fail-safe. Engineering the multi-layered fetch logic for the Pyth Network oracle was complex but essential for a robust user experience: it cascades from an on-chain pull (fresh or revert) to an unsafe read (Pyth's getPriceUnsafe, which returns the last price stored on chain without any staleness check, so the caller has to inspect publishTime itself), then to the Hermes SDK, and finally to legacy HTTP fallbacks.
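The two on-chain tiers of that cascade, as an added Solidity example that is not the project's code: a pulled read that must be fresh or revert, and an unsafe read that returns whatever is on chain but reports its age instead of hiding it. The interface below is a trimmed, inline copy of Pyth's IPyth (the real one ships in @pythnetwork/pyth-sdk-solidity); the contract name, the 60-second MAX_AGE, the refund of excess fee and the 18-decimal normalisation are assumptions. The off-chain tiers (Hermes SDK, HTTP fallbacks) live in the frontend and are not shown.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Trimmed copy of Pyth's IPyth so this file is self-contained; the real
/// interface returns PythStructs.Price, which has the same field layout.
interface IPyth {
    struct Price { int64 price; uint64 conf; int32 expo; uint publishTime; }
    function getUpdateFee(bytes[] calldata updateData) external view returns (uint feeAmount);
    function updatePriceFeeds(bytes[] calldata updateData) external payable;
    function getPriceNoOlderThan(bytes32 id, uint age) external view returns (Price memory);
    function getPriceUnsafe(bytes32 id) external view returns (Price memory);
}

/// Example consumer (assumed name). Reads ETH/USD from a Pyth contract whose
/// address and feed id are supplied at deployment.
contract EthUsdReader {
    IPyth public immutable pyth;
    bytes32 public immutable priceId;
    uint public constant MAX_AGE = 60;  // assumed: seconds a price may be old

    constructor(address _pyth, bytes32 _priceId) {
        pyth = IPyth(_pyth);
        priceId = _priceId;
    }

    /// Tier 1, the pull: the caller supplies a Hermes update blob and pays the
    /// update fee; the read that follows is fresh or the whole call reverts.
    function pullAndRead(bytes[] calldata updateData) external payable returns (uint256 priceE18) {
        uint fee = pyth.getUpdateFee(updateData);
        require(msg.value >= fee, "insufficient fee");
        pyth.updatePriceFeeds{value: fee}(updateData);
        if (msg.value > fee) {
            (bool ok, ) = msg.sender.call{value: msg.value - fee}("");
            require(ok, "refund failed");
        }
        IPyth.Price memory p = pyth.getPriceNoOlderThan(priceId, MAX_AGE);
        return toE18(p);
    }

    /// Tier 2, the unsafe read: never reverts on staleness, so the result
    /// carries an explicit `stale` flag and age that the caller must check.
    function readUnsafe() external view returns (uint256 priceE18, bool stale, uint256 age) {
        IPyth.Price memory p = pyth.getPriceUnsafe(priceId);
        age = block.timestamp > p.publishTime ? block.timestamp - p.publishTime : 0;
        return (toE18(p), age > MAX_AGE, age);
    }

    /// Normalise Pyth's (price, expo) pair to 18 decimals; non-positive prices are rejected.
    function toE18(IPyth.Price memory p) public pure returns (uint256) {
        require(p.price > 0, "non-positive price");
        uint256 raw = uint256(uint64(p.price));
        int32 shift = int32(18) + p.expo;  // ETH/USD on Pyth normally has expo = -8
        if (shift >= 0) return raw * (uint256(10) ** uint256(uint32(shift)));
        return raw / (uint256(10) ** uint256(uint32(-shift)));
    }
}
```

The point of separating the two entry points is that a fallback must not be silent: if the frontend drops from the pull to the unsafe read, it should surface the returned age (and ideally `conf`) to the user rather than present a possibly stale number as live. Anything that moves funds should use only the pulled path.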
Designing a Secure & Usable Encryption Flow: Integrating client-side encryption with Lighthouse while maintaining a smooth user experience was a major challenge. We had to carefully design the entire flow, from authenticating the user via a signed message to managing encryption keys and sharing access, all without overwhelming the user with technical complexity.
Accomplishments that we're proud of
A Fully Functional End-to-End Prototype: We successfully built a complete, working dApp on the Sepolia testnet. The entire lifecycle—from creating an on-chain escrow to submitting an encrypted report and receiving an automated payout—is fully functional.
Successful Hardhat 3 Migration: We are proud of successfully upgrading the entire smart contract environment to Hardhat 3, modernizing our toolchain and making the project more performant and future-proof.
An Incentive-Aligned Staking Model: We designed a unique and fair anti-spam mechanism where slashed stakes are sent directly to the bounty owner. This directly compensates them for their time reviewing reports, creating a stronger economic alignment than a generic platform treasury. Because the owner both judges a report and collects the slashed stake when rejecting it, an independent dispute path (see "What's next") is what keeps this model fair for researchers.
A Truly Decentralized Workflow: From storage to payments, every critical component of the platform is decentralized, minimizing trust assumptions and delivering on the promise of a censorship-resistant system.
What we learned
Incentive Design is Everything: We learned that the specific details of the economic model are critical. Our initial idea was to send slashed stakes to a treasury, but we realized that sending them directly to the bounty owner creates a much more direct and powerful incentive loop that respects the owner's time and effort.
Decentralized UX Requires Careful Thought: Implementing features like client-side encryption is technically complex, but the real challenge is making it intuitive for the user. The multi-step process of signing, encrypting, and uploading taught us how to balance robust security with a user flow that feels as seamless as possible.
The Power of a Composable Stack: This project would not have been possible without leveraging the incredible tools built by the community. Integrating Hardhat, Pyth, Lighthouse, and Blockscout showed us the power of building with a composable, open-source stack and how it accelerates development.
What's next for BugChan
- Decentralized Governance & Dispute Resolution: Establish a decentralized Triage Team for fair dispute resolution, with a long-term vision of transitioning the protocol to full community governance via a DAO.
- On-Chain Reputation & Social Onboarding: Develop a comprehensive Profile and Reputation System where on-chain activity builds a verifiable identity, enhanced with simplified onboarding through social logins.
- Enhanced Reporting Features: Upgrade the reporting workflow to support Markdown for detailed explanations, industry-standard CVSS scoring for severity, and secure file attachments for proofs-of-concept.
- Protocol Scalability & Mainnet Readiness: Achieve production readiness by implementing upgradeable proxy contracts for future improvements, introducing flexible Bounty Pools, undergoing full security audits, and deploying to a cost-effective Mainnet or L2 network.
Built With
- hardhat-3
- lighthouse-sdk
- next.js
- rainbowkit
- react
- solidity
- typescript
- viem
- wagmi