Buglapse

BugLapse: Bug bounty platform to save billions of dollars in web3 space. We are inviting every bug hunter from the MilkyWay galaxy to save our web3 smart contract funds from the blackhat hackers.

Comment

Inspiration

Everyday we see massive hacks exploited on mainnet chains and wiping out millions of dollars from the smart contracts. So why not to build the top notch platform to prevent the attacks and invite all other protocols/projects to join our platfrom to keep everyone in the Defi Space SAFE

Deployed on AURORA

Smart contracts are written in solidity and are deployed on AURORA blockchain.

  1. Vault Implementation: https://testnet.aurorascan.dev/address/0x98bc5fa1378367446b58cf92654f2adcbd1044dc
  2. Vault Factory: https://testnet.aurorascan.dev/address/0x203ebf904b438561d141966ee8a7dfe4afa7a11f

Code Base

https://github.com/youranonone1/Buglapse/tree/main/BugLapse-SmartContracts

The Causes of Smart Contract Security Flaws

Several key features of the blockchain are double-edged swords when it comes to smart contract security.

Decentralisation of the blockchain enables a trustless and pseudonymous network however, this allows adversaries to create and deploy malicious smart contracts while hiding their identity (to some degree).

Immutability of the chain means it becomes difficult to patch vulnerable smart contracts once they are deployed onto the blockchain.

With public ledgers, smart contracts are generally open-source. Developers could fall victim to replay attacks if they aren’t aware of the exposure of their smart contracts and their transactions. Replay attacks occur when an adversary “replays” another user’s or contract’s valid request for withdrawal. Failure to keep secrets can also happen if cryptography is not applied on crucial functions and values. SCSS

What it does

  1. Web3 Protocols/Projects register their smart contracts on our platform.
  2. BugLapse Team launch the project on platfrom.
  3. Bug Hunters submit the security reports to the listed projects.
  4. BugLapse triaging team (with project members) will review the reports and assign the proper severity, help to fix the critical bugs and finally reward the reporter.

How we built it

  1. Buglapse smart contracts are written in solidity and deployed on testnet Aurora blockchain.

  2. Buglapse owners of the vault factory creates unique vault for each listed protocol/project on the platform. BugLapse owners will call deploy function in VaultFactory to create the vault for each listed program.

    Function deploy(
    address owner,
    bytes calldata optionalData,
    bytes32 salt
) external payable returns (address proxy, bytes memory returnData) {
    address msgSender = _msgSender();
    // constructor takes in address + bytes array
    bytes memory bytecode = bytes.concat(
        type(BeaconProxy).creationCode,
        bytes32(uint256(uint160(address(this)))),
        _BYTES_ARR_0,
        _BYTES_ARR_1
    );
    bytes32 proxySalt = keccak256(abi.encodePacked(msgSender, salt));
    {
        assembly ("memory-safe") {
            proxy := create2(0, add(bytecode, 0x20), mload(bytecode), proxySalt)
        }
    }

    // Rolling the initialization into the construction of the proxy is either
    // very expensive (if the initializer has to be saved to storage and then
    // retrived by the initializer by a callback) (>200 gas per word as of
    // EIP-2929/Berlin) or creates dependence of the deployed address on the
    // contents of the initializer (if it's supplied as part of the
    // initcode). Therefore, we elect to send the initializer as part of a call
    // to the proxy AFTER deployment.
    returnData = proxy.functionCallWithValue(
        abi.encodeWithSignature("initialize(address,bytes)", owner, optionalData),
        msg.value,
        "BeaconCache: initialize failed"
    );

    emit Deployed(proxy, msgSender, salt);
}

  3. Bug hunters submit the report on our platform, and referenceID is assigned to this report.

  4. If the report is valid, program owner in each seperate vault will call paywhitehat function to pay the bounty hunter + 10% fees will go to our platform for each valid bug.

function payWhitehat(
        bytes32 referenceId,
        address payable wh,
        ERC20Payment[] calldata payout,
        uint256 nativeTokenAmt,
        uint256 gas
    ) public onlyOwner {
        address payable feeTo = payable(vaultFactory.feeTo());
        uint256 fee = vaultFactory.fee();
        uint256 feeBasis = vaultFactory.FEE_BASIS();

        uint256 length = payout.length;
        for (uint256 i; i < length; i++) {
            IERC20(payout[i].token).safeTransfer(feeTo, (payout[i].amount * fee) / feeBasis);
            IERC20(payout[i].token).safeTransfer(wh, payout[i].amount);
        }

        if (nativeTokenAmt > 0) {
            (bool success, ) = feeTo.call{value: (nativeTokenAmt * fee) / feeBasis}("");
            require(success, "Vault: Failed to send ether to fee receiver");
            (success, ) = wh.call{value: nativeTokenAmt, gas: gas}("");
            require(success, "Vault: Failed to send ether to whitehat");
        }
        emit PayWhitehat(referenceId, wh, payout, nativeTokenAmt, feeTo, fee);
    }

Challenges we ran into:

  1. We made our own smart contracts more secure to prevent from critical bugs i.e Reentrancy exploits, lacking access control permissions, DOS attacks.

What's next for BugLapse

  1. We will launch the BugLapse on Aurora Mainnet Blockchain.
  2. We will build the top notch front end with an excellent UX expereince.

Built With

Share this project:

Updates

posted an update

Update I also added accomplishments

  1. Spotted a critical vulnerability in Curve, saved millions of user tokens and was rewarded with $100k bounty.
  2. Spotted a critical vulnerbility in Futureswap, and was rewarded with $30k bounty.
  3. Saved the Harmony.one from second largest hack, and received proper credits and juicy bounty.
  4. Listed on Top Hall of Fames. i.e Microsoft, AT&T, Intel, and much more.

Log in or sign up for Devpost to join the conversation.