TrustlessDAO (@theTrustlessDAO)
Enhancing protections for bug bounty disclosures
On-Chain
Joined October 2024
Followers 138 · Following 23 · Media 0 · Statuses 18
We’re throwing down the gauntlet! 🏰 We challenge you to point out why our peer-to-peer disclosures solution, as detailed at https://t.co/wuk3WuUd1u, isn’t viable. Your feedback will help make web3 security safer, fairer, and more transparent. On guard! 🤺
Stop accepting bad behavior in bug bounty as 'normal' 🚫 IndependentDisclosure is live and ready to use 🛡️ Learn more at https://t.co/QeyhlcGBkw
I battled @Montyly in the DMs for HOURS yesterday on the topic of ethical disclosures. ⚔️ A great conversation that has honed my arguments. He suggested the @theTrustlessDAO process might resemble extortion or blackmail. I strongly disagree. My counterpoint: it’s not illegal
Inspired by @WhiteHatMage's post, I might start calling disclosures made outside traditional BBPs “wilderness bounties.” After all, “hunter” has always sounded cooler than “security researcher,” and there’s something epic about the idea of hunting in the wilderness. Not everyone
The mighty @MartinMarchev has answered the call! 🛡️ He’s done his part—now it’s your turn, anon. Think you can find a flaw in our mechanisms? Onward to glory! ⚔️
This was great feedback! I ran local simulations of history rewrite attacks, and while they’re possible, there’s a simple mitigation: each party maintains a local repo copy with strategic pulls at key moments (protocol pulls before assessment, researcher pulls after assessment,
Introducing Gradual Disclosure Process (GDP) - a structured ethical approach to vulnerability disclosure. The goal is to establish communication with the protocol while exposing as little as possible. Protocols are incentivized to establish contact in order to privately receive
Shout-out to @agfviggiano—he didn’t mince words when giving his feedback to “use SafeERC20” in TrustlessDAO’s IndependentDisclosure. This was simply too much for me. It led me to remove all payment and token handling from the contract since it seemed to distract everyone who
We received a report that our disclosure technically allows a researcher to front-run a protocol's acceptFinalTerms() call to modify severity/reward. Here's why this isn't a concern and what it teaches us about Web3 agreements 👇
7/ "But anon, it'll never work!" Alright then...tell us why: https://t.co/2PofZ4yIrx
1/ 93 lines of Solidity might be all it takes to instantly bring every contract on every chain into bug bounty scope. Introducing IndependentDisclosure - an experiment in minimal, permissionless vulnerability disclosure. Code and thoughts below
🧵 1/5 I initially considered a traditional escrow/collateral approach for the TrustlessDisclosure contract but deliberately chose a pure reputation approach. Here's why: 👇
@theTrustlessDAO Hey, so are we enforcing a deterrent more so than a trustless solution, e.g. escrow or a vault? Is there any exploration on an initial % of a reward being locked in, so if they do ghost, this is released and the bad rep still holds?
Truly a sustained assault on the idea—love to see it! Great questions, ser @Guhu95 ! It wasn’t possible to include this level of detail in my general overview, but I’ll dive into it now.👇
🔑 The key insight: Protocols signal value before disclosure. Their actions after disclosure are verifiable on-chain. The first 2 parts of the system fund the treasury to allow continuous hands-on efforts to help reach creative settlements and to keep up pressure on bad actors.
3️⃣ Reputation Jail: Arbiter's verdict impacts Protocol's reputation.
* Honor agreements = Rise on the Wall of Glory.
* Act in bad faith = Sink on the Wall of Shame.
* Reputation is recoverable by honoring agreements.
2️⃣ Arbiter: If the Protocol fixes the bug but ghosts the hunter (or negotiates in bad faith):
* Evidence is on-chain: Accepted terms + Fix + No payment.
* Arbiter reviews evidence for verifiable dishonesty.
* No "he said/she said" — intentions and action are visible to everyone.
1️⃣ TrustlessDisclosure: A hunter finds a vulnerability in Protocol X.
* They create a disclosure with initial terms (e.g., severity/reward).
* Protocol accepts via transaction = "We recognize potential value."
* The hunter can now disclose safely without losing leverage.
We’ve built a 3-part system inspired by traditional agreements but reimagined for an on-chain society. The parts are:
1️⃣ TrustlessDisclosure (on-chain agreements)
2️⃣ Arbiter (dispute resolution)
3️⃣ "Reputation Jail" (enforcement)
Here’s how it works in practice 🧵👇
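The following is an added illustrative sketch of the on-chain agreement step described in the thread above (hunter proposes severity/reward terms, protocol accepts via a transaction, the accepted terms become on-chain evidence for the arbiter) together with the acceptFinalTerms() front-run mentioned earlier in the feed. It is not TrustlessDAO's IndependentDisclosure/TrustlessDisclosure code; the contract name, the `propose`/`updateTerms`/`termsHash` functions, the `Severity` enum and the hash-binding argument to `acceptFinalTerms` are all assumptions made for this example. Following the decision noted in the feed, it handles no tokens or payments.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative sketch (not the project's contract) of a hunter/protocol
/// disclosure agreement. Only the agreement and its evidence live on-chain;
/// payment is deliberately out of scope, as in the feed above.
contract DisclosureAgreementSketch {
    enum Severity { Low, Medium, High, Critical } // assumed severity scale

    struct Disclosure {
        address hunter;    // researcher who proposed the terms
        address protocol;  // protocol account (EOA or multisig) expected to accept
        Severity severity;
        uint256 reward;    // proposed reward, informational only (no transfer here)
        bool accepted;
    }

    uint256 public nextId;
    mapping(uint256 => Disclosure) public disclosures;

    event Proposed(uint256 indexed id, address indexed hunter, address indexed protocol, Severity severity, uint256 reward);
    event TermsUpdated(uint256 indexed id, Severity severity, uint256 reward);
    event Accepted(uint256 indexed id, bytes32 termsHash);

    /// Hunter opens a disclosure with initial terms, before revealing the bug.
    function propose(address protocol, Severity severity, uint256 reward) external returns (uint256 id) {
        require(protocol != address(0), "protocol required");
        id = nextId++;
        disclosures[id] = Disclosure(msg.sender, protocol, severity, reward, false);
        emit Proposed(id, msg.sender, protocol, severity, reward);
    }

    /// Hunter may revise terms until the protocol accepts. This is the call that
    /// could be mined just ahead of the protocol's acceptFinalTerms() transaction.
    function updateTerms(uint256 id, Severity severity, uint256 reward) external {
        Disclosure storage d = disclosures[id];
        require(msg.sender == d.hunter, "not hunter");
        require(!d.accepted, "already accepted");
        d.severity = severity;
        d.reward = reward;
        emit TermsUpdated(id, severity, reward);
    }

    /// Commitment to the exact terms currently on-chain for this disclosure.
    function termsHash(uint256 id) public view returns (bytes32) {
        Disclosure storage d = disclosures[id];
        return keccak256(abi.encode(id, d.hunter, d.protocol, d.severity, d.reward));
    }

    /// Protocol accepts the terms it reviewed. Binding the acceptance to the
    /// hash of those terms (an assumption of this sketch, not the project's
    /// design) makes a front-run updateTerms() revert the acceptance instead
    /// of silently changing what was agreed.
    function acceptFinalTerms(uint256 id, bytes32 expectedTermsHash) external {
        Disclosure storage d = disclosures[id];
        require(msg.sender == d.protocol, "not protocol");
        require(!d.accepted, "already accepted");
        bytes32 h = termsHash(id);
        require(h == expectedTermsHash, "terms changed since review");
        d.accepted = true;
        emit Accepted(id, h); // accepted terms now sit on-chain as evidence
    }
}
```

Usage: the protocol reads `termsHash(id)` off-chain, reviews the matching severity/reward, then submits `acceptFinalTerms(id, thatHash)`. If the hunter's `updateTerms()` lands in an earlier block, the hash no longer matches and the acceptance reverts, so the protocol never binds itself to terms it did not see. The `Accepted` event, together with any later fix and the absence of a payment, is the kind of public record the arbiter step in the thread relies on.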
Bug bounty would be better off without the concept of scope. We’re building this future at @theTrustlessDAO
@theTrustlessDAO solves this. Our mechanisms empower bounty hunters to hunt without such limitations. Our TrustlessDisclosure systems will effectively put all deployed assets in scope on day 1. OOS debates will be a thing of the past. Anything less is creating an uneven playing
Recently the bounty team at TrustSec found another critical leading to live unauthenticated theft of funds. Due to what we consider malicious behavior of the project and especially of @immunefi , not only did the project get away without paying the bounty, but due to a dirty