Introducing GoodDollar’s Basic Income Protocol Bug Bounty

GoodDollar is live and over 20,000 users have created wallets from every corner of the globe. Are you interested to learn how we plan to use smart contracts to pay for global basic income? Come learn about GoodDollar and hack our system …

A week into the launch of GoodDollar’s basic income protocol, and over 20,000 wallets have been created from more than 100 countries across the globe. Users (who GoodDollar refers to as “Claimers”) are registering from all around the world – from Australia, Albania, Argentina, and Austria, and over 100 countries starting with other letters in between. While it has been thrilling for the team to see the excitement many people have for the project, now is the time to stress test our contracts and the GoodDollar money flow.

We need your help! This blog post explains a bit more about the GoodDollar system architecture, the smart contract value flow, and how you can participate in and submit to the GoodDollar bug bounty. So let’s get into it:

GoodDollar Bug Bounty Overview 

GoodDollar has recently launched its basic income protocol (you can learn more via our White Paper and Lite Paper published here). GoodDollar is a people-powered framework to generate, finance, and distribute global basic income via the GoodDollar token (“G$ coin”). Its goal is to provide a baseline standard of living and reduce wealth inequality through the creation of a universal basic income (UBI).

This bug bounty challenge serves to stress-test the GoodDollar smart contracts. Successful submissions are at the discretion of the GoodDollar CTO, and will require evidence and documentation of any hack.

Scope

The GoodDollar Bug Bounty is limited to vulnerabilities affecting the GoodDollar smart contracts:

  • DAO Contracts
  • Staking model contracts

Awards

The severity of bugs will be assessed under the CVSS Risk Rating.

  • Critical (9.0–10.0): Up to $10,000
  • High (7.0–8.9): Up to $5,400
  • Medium (4.0–6.9): Up to $2,800
  • Low (0.1–3.9): Up to $1,000

Disclosure Requirements

Any vulnerability or bug discovered must be reported only to the following email: Hadar@gooddollar.org.

The bug must not be disclosed publicly or to any other person, entity or email address other than Hadar@gooddollar.org.

Please include as much detail about the vulnerability as possible including:

  • Conditions on which reproducing the bug is contingent.
  • Steps needed to reproduce the bug or, preferably, a proof of concept.
  • Implications of the vulnerability being abused.

Any bug reporter who reports a previously unreported bug that results in a change to the code or a configuration change and who keeps the vulnerability confidential until it has been resolved by our engineers will be recognized publicly for their contribution, if agreed.

Eligibility

To be eligible for a reward in the GoodDollar Bounty, you must:

  • Discover a previously unreported, non-public vulnerability that would result in a loss of or a lock of any token on GoodDollar (but not on any third party platform interacting with GoodDollar) and that is within the Scope mentioned above.
  • Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.
  • Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of GoodDollar.
  • Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under the bounty program.

Other Terms

All reward decisions, including eligibility for and amounts of the rewards and the manner in which such rewards will be paid, are made at our sole discretion.

Follow The Money … Flow – Understanding GoodDollar

GoodDollar wraps around yield-generating decentralized finance protocols. Those funds are used to mint a reserve-backed crypto-asset (G$), which is used for yield-payouts to Supporters who staked capital, and distributed daily as basic income to users. Consider GoodDollar’s money flow graphic, highlighting the nine key stages, from Supporters’ staking to Claimers receiving daily basic income.

For those who want to understand this in even more detail, the GoodDollar White Paper explains all the key monetary policy and monetary tools. The notes below on our smart contract architecture should help, too.

Smart Contract Architecture

  • Supporter “stakes” crypto-asset to GoodStaking contract
    • Currently only accepting stakes in DAI
  • GoodStaking deposits crypto-asset to a permissionless protocol
    • Currently integrated only with Compound
  • Permissionless protocol issues a “staking token”: cDAI 
  • GoodStaking issues a non-transferable record to the Supporter’s wallet
    • Supporter can withdraw “stake” at any time
  • GoodDAO contract sends a daily request to GoodStaking to collect earned interest
  • GoodStaking sends interest to GoodReserve
  • GoodDAO triggers the GoodReserve to mint G$ and sends newly minted G$ to the GoodDAO. G$ minted are used for interest yield-payouts (currently inactive) and a pool of daily basic income 
    • Interest payouts are sent back to GoodStaking (currently inactive)
  • GoodDAO sends G$ for pool of daily basic income to the UBI Scheme Smart Contract, via the Fuse bridge
  • G$ in the UBI Scheme Smart Contract is divided between all “active” users/Claimers
  • Each Claimer has a 24-hour window to log-in and claim their share of the daily basic income pool
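
To make the flow above checkable, here is a toy ledger added as an example for this post (it is not GoodDollar's contract code). Integer amounts, lump-sum interest, a 1:1 G$ mint per unit of interest, an equal split of the pool, and all class and method names are simplifying assumptions.

```python
# Added illustration: a toy ledger for the flow listed above, NOT GoodDollar contract code.
# Assumptions (not from the page): integer amounts, interest arrives as a lump sum,
# 1 G$ is minted per unit of interest, and the daily pool is split equally.
DAY = 24 * 60 * 60  # the 24-hour claim window, in seconds


class FlowModel:
    def __init__(self):
        self.stakes = {}      # Supporter -> staked DAI principal
        self.lent = 0         # DAI held by the lending protocol (principal + interest)
        self.reserve = 0      # interest collected into the reserve
        self.pool = 0         # G$ left in today's basic income pool
        self.share = 0        # G$ each active Claimer may claim today
        self.active, self.claimed, self.day_start = set(), set(), None

    def stake(self, supporter, dai):
        if dai <= 0:
            raise ValueError("stake must be positive")
        self.stakes[supporter] = self.stakes.get(supporter, 0) + dai
        self.lent += dai

    def accrue(self, interest):
        self.lent += interest  # interest earned at the lending protocol

    def withdraw(self, supporter):
        dai = self.stakes.pop(supporter, 0)  # principal only, available at any time
        self.lent -= dai
        return dai

    def collect(self, now, active):
        interest = self.lent - sum(self.stakes.values())  # never touches principal
        self.lent -= interest
        self.reserve += interest
        self.pool = interest  # assumed 1:1 mint, all of it to the UBI pool
        self.active, self.claimed, self.day_start = set(active), set(), now
        self.share = self.pool // len(self.active) if self.active else 0
        return self.pool

    def claim(self, claimer, now):
        in_window = self.day_start is not None and 0 <= now - self.day_start < DAY
        if not in_window or claimer not in self.active or claimer in self.claimed:
            raise PermissionError("claim rejected")
        self.claimed.add(claimer)
        self.pool -= self.share
        return self.share

    def invariants_hold(self):
        # No loss or lock: principal stays fully backed and the pool never overdraws.
        return self.lent >= sum(self.stakes.values()) and self.pool >= 0
```

The two conditions in `invariants_hold` restate the bounty's eligibility test (a loss of or a lock of any token) as properties that should survive every sequence of stake, withdraw, collect and claim calls.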

GoodDollar’s Core Smart Contracts And API

The GoodDollar Protocol is deployed on both the Ethereum mainnet and on the Fuse sidechain. Contracts like the GoodReserve are only on mainnet, and other contracts like the UBIScheme are only on the Fuse sidechain. Certain contracts, such as the DAO and G$ Token contracts, are deployed on both networks.

Here are all of the smart contract functions and source code / addresses listed in one convenient place, just for you.

| Contract | Mainnet | Fuse | Source code |
|---|---|---|---|
| GoodDollar ERC20 | 0x67C5870b4A41D4Ebef24d2456547A03F1f3e094B | 0x495d133B938596C9984d462F007B676bDc57eCEC | GoodDollar.sol |
| Identity | 0x76e76e10Ac308A1D54a00f9df27EdCE4801F288b | 0xFa8d865A962ca8456dF331D78806152d3aC5B84F | Identity.sol |
| GoodStaking | 0xEa12bB3917cf6aE2FDE97cE4756177703426d41F | | SimpleDAIStaking.sol |
| GoodReserve | 0x5C16960F2Eeba27b7de4F1F6e84E616C1977e070 | | GoodReserveCDai.sol |
| GoodFundManager | 0xbDFD60f3aE73329D33ebe17d78383DEfd72643Ad | | GoodFundManager.sol |
| GoodMarketMaker | 0xEDbE438Cd865992fDB72dd252E6055A71b02BE72 | | GoodMarketMaker.sol |
| ContributionCalculation | 0x8eEC64bb6807c0178f96277cCE6a334B4e565E5C | | ContributionCalculation.sol |
| UBIScheme | | 0xAACbaaB8571cbECEB46ba85B5981efDB8928545e | UBIScheme.sol |
| FirstClaimPool | | 0x18BcdF79A724648bF34eb06701be81bD072A2384 | FirstClaimPool.sol |
| AdminWallet | | 0x9F75dAcB77419b87f568d417eBc84346e134144E | AdminWallet.sol |
| OneTimePayments | | 0xd9Aa86e0Ddb932bD78ab8c71C1B98F83cF610Bd4 | OneTimePayments.sol |

Again, only bug bounty submissions that are sent to Hadar@gooddollar.org will be accepted!