# How to create a bug bounty for a smart contract project on Bug Buster's Testnet environment

In the [last tutorial](https://hackmd.io/@claudioantonio/smartcontract-on-bugbuster), you learned how to create a bug bounty for a smart contract project on Bug Buster from scratch, running in development mode locally on your computer. This time you will accomplish the same goal in Bug Buster's Testnet environment! What is the difference? You will not need to worry about some of the steps, so following the tutorial will be much easier and quicker. Time is money, isn't it? :wink:

## Requirements

To follow this tutorial, you will need the following dependencies installed on your machine:

- [Git](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git)
- [Foundry framework](https://book.getfoundry.sh/getting-started/installation)

## Preparing the project

To demonstrate how to submit a bounty for a smart contract project, let’s start with a new Forge project from scratch.

1. Create a directory called `counter-bounty`.

   ```bash
   mkdir counter-bounty
   cd counter-bounty
   ```

2. Create a Forge project in it.

   ```bash
   forge init
   ```

3. Let's start by deleting the files `script/Counter.s.sol` and `test/Counter.t.sol`, which are created by default but will not be used in this tutorial.

   ```bash
   rm script/Counter.s.sol test/Counter.t.sol
   ```

4. Also by default, Forge creates a smart contract called `Counter` in the `src` folder. It has a state variable `number`, whose value can be set by calling the function `setNumber` and incremented by 1 by calling the function `increment`. See the code below.

   ```solidity
   // SPDX-License-Identifier: UNLICENSED
   pragma solidity ^0.8.13;

   contract Counter {
       uint256 public number;

       function setNumber(uint256 newNumber) public {
           number = newNumber;
       }

       function increment() public {
           number++;
       }
   }
   ```

5. For the purpose of this tutorial, let’s change this code a bit by modifying the function `increment` to intentionally insert an [arithmetic overflow](https://101blockchains.com/underflow-and-overflow-vulnerabilities-in-smart-contracts/) vulnerability.

   :::danger
   Never do this in code that is intended to be deployed on mainnet!
   :::

   ```solidity
   // SPDX-License-Identifier: UNLICENSED
   pragma solidity ^0.8.13;

   contract Counter {
       uint256 public number;

       function setNumber(uint256 newNumber) public {
           number = newNumber;
       }

       function increment() public {
           // Intentional: `unchecked` disables the overflow check of Solidity 0.8
           unchecked {
               number++;
           }
       }
   }
   ```

6. Great! You are almost there. Now, you will need to create a `start.sh` script file in the root folder, which is the [entry point for the execution](https://hackmd.io/@claudioantonio/smartcontract-on-bugbuster#:~:text=should%20contain%20a-,start.sh,-file%2C%20which%20is) of your project on Bug Buster. This script must deploy your contract, set the initial state, execute the exploit code and, finally, run the assertions to check whether the contract was exploited. Just paste the code below and read the comments to understand the sequence of actions.

   ```bash
   #!/usr/bin/env bash

   # Load Bug Buster's execution environment (provides the helper functions used below)
   source ./setup-exec-env.sh

   >&2 echo "Deploying and registering project contracts..."
   COUNTER=$(deploy_and_register src/Counter.sol Counter)

   >&2 echo "Deploying exploit contract..."
   EXPLOIT=$(deploy src/Exploit.sol Exploit)

   >&2 echo "Running exploit..."
   send "$EXPLOIT" 'run(address)' "$REGISTRY"

   >&2 echo "Verifying contracts after exploit execution..."
   number=$(cast call "$COUNTER" 'number()(uint256)')

   # The exploit is considered valid when the counter ends up at 0
   if [ "$number" -eq 0 ]
   then
       >&2 echo "Valid exploit!"
       exit 0
   else
       >&2 echo "No exploit found."
       exit 1
   fi
   ```

   :::warning
   Set the execution permission for this file using the following command:

   ```bash
   chmod +x start.sh
   ```
   :::

7. As you may have noticed, the `start.sh` file that was provided depends on another script called `setup-exec-env.sh`. This script prepares Bug Buster's execution environment and must be kept with no modifications! :wink: You can download it using the commands below.

   ```bash
   wget https://raw.githubusercontent.com/crypto-bug-hunters/bug-buster/refs/heads/next/tests/bounties/src/adder/setup-exec-env.sh
   chmod +x setup-exec-env.sh
   ```

8. You will also need to add 2 more files to your project: a smart contract called `Registry.sol` and its corresponding interface `IRegistry.sol`. As their names suggest, they register the deployment addresses of the project's contracts and make them available to all execution stages declared in the `start.sh` file (it will become clearer later, when you read about the exploit code example). Download these files into the `src` folder using the commands below.

   ```bash
   # Run from the project root; -P saves the downloaded files into src/
   wget -P src https://raw.githubusercontent.com/crypto-bug-hunters/bug-buster/refs/tags/v0.10.0-alpha.1/tests/bounties/src/adder/src/Registry.sol
   wget -P src https://raw.githubusercontent.com/crypto-bug-hunters/bug-buster/refs/tags/v0.10.0-alpha.1/tests/bounties/src/adder/src/IRegistry.sol
   ```

9. At this point you should be able to compile the code to check that everything is working as expected. You can do it by executing the following command, and the result should be "Compiler run successful!".

   ```bash
   forge build
   ```

10. Now, we have everything set up to create your bounty's bundle. The command below creates the `counter-bounty.tar.xz` file using the Forge cache to list all Solidity files necessary to compile the project. This helps reduce the size of the bundle and, therefore, the cost of the base layer transaction.

    ```bash
    jq -r '.files|keys[]' cache/solidity-files-cache.json | \
        xargs tar -cJf counter-bounty.tar.xz setup-exec-env.sh start.sh foundry.toml
    ```

## Creating the bug bounty

1. Access Bug Buster on Testnet: https://preview.bugbuster.app/
2. Click on *Explore bounties*.
3. Click on *Create bounty*, and fill in the required form fields.
    - For the *Token Address* field, enter the address of any existing ERC-20 contract on Optimism Sepolia. For example, the USDC address on Optimism Sepolia is `0x5fd84259d66Cd46123540766Be93DFE6D43130D7`.
    - Upload the `counter-bounty.tar.xz` file.
4. When ready, click on the *Create* button.
    - Your wallet will ask you to confirm the transaction. Do it and wait until the notification with your transaction confirmation arrives.
5. Once the transaction is confirmed, navigate back to the *Explore bounties* page and your recently created bounty should be listed there (sometimes it takes 2-3 seconds to appear).

## Testing the bug bounty

All right! The bug bounty for your project was created, and now you can send some Solidity code to interact with it.

1. Click on your bounty card in the *Explore bounties* page.
2. Confirm that your wallet is connected.
3. Click on *Submit exploit* and fill in the required fields in the form. In the script tab, paste the code below, which just initializes `number` to 1 and then calls the `increment` method.

   ```solidity
   // SPDX-License-Identifier: Apache-2.0
   pragma solidity ^0.8.27;

   import {IRegistry} from "src/IRegistry.sol";
   import {Counter} from "src/Counter.sol";

   contract Exploit {
       function run(IRegistry registry) external {
           // Look up the address of the deployed Counter in the registry
           Counter counter = Counter(registry.get("Counter"));
           counter.setNumber(1);
           counter.increment();
       }
   }
   ```

4. Click on *Submit* and wait for the notification informing you that your transaction was successful.
5. Once the transaction is confirmed, navigate back to the *Explore bounties* page and find the card for your bounty. You will see that there is no red "Exploited" badge on it.

Isn't it awesome!? You submitted Solidity code to interact with the bug bounty for the `Counter` smart contract running in a sandboxed production-level EVM (Reth) inside an altVM (Cartesi Machine)!
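
The `number == 0` check in `start.sh` can be rehearsed locally with a Forge test. The test below is an added example, not part of the original tutorial or of Bug Buster: the file name `test/StartCheck.t.sol` and the helper `exploited()` are hypothetical, and it calls `Counter` directly instead of going through `Registry` and an `Exploit` contract. Its last case shows that the condition also holds when `increment` is never called, so the check as written does not isolate the overflow.

```solidity
// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.13;

// Hypothetical file test/StartCheck.t.sol (added example, not the tutorial's code).
// Delete it and run `forge clean && forge build` before creating the bundle:
// the tar command packs every file listed in the Forge cache.
import {Test} from "forge-std/Test.sol";
import {Counter} from "../src/Counter.sol";

contract StartCheckTest is Test {
    Counter counter;

    function setUp() public {
        // Fresh deployment, as in start.sh: number starts at 0
        counter = new Counter();
    }

    // Mirrors the condition in start.sh: [ "$number" -eq 0 ]
    function exploited() internal view returns (bool) {
        return counter.number() == 0;
    }

    // The harmless submission from this section ends at 2: "No exploit found."
    function test_BenignSubmissionIsRejected() public {
        counter.setNumber(1);
        counter.increment();
        assertEq(counter.number(), 2);
        assertFalse(exploited());
    }

    // The unchecked increment wraps type(uint256).max around to 0
    function test_UncheckedIncrementWraps() public {
        counter.setNumber(type(uint256).max);
        counter.increment();
        assertTrue(exploited());
    }

    // Caveat: the condition is also met without using the overflow at all
    function test_CheckAlsoPassesWithoutTheBug() public {
        assertTrue(exploited()); // nothing called: number is still 0
        counter.setNumber(5);
        assertFalse(exploited());
        counter.setNumber(0); // public setter, no increment involved
        assertTrue(exploited());
    }
}
```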
:shocked_face_with_exploding_head:

## Hacking the bug bounty

Now it is time to become a white-hat hacker and submit code to exploit the arithmetic overflow that was introduced.

1. Follow the same steps as in the last section, but this time paste the Solidity code below, which exploits the vulnerability that was intentionally added to the `Counter` smart contract, and click on the *Submit* button.

   ```solidity
   // SPDX-License-Identifier: Apache-2.0
   pragma solidity ^0.8.27;

   import {IRegistry} from "src/IRegistry.sol";
   import {Counter} from "src/Counter.sol";

   contract Exploit {
       function run(IRegistry registry) external {
           Counter counter = Counter(registry.get("Counter"));
           // number is 0 on a fresh deployment, so this evaluates to type(uint256).max
           uint256 currentNumber = counter.number();
           uint256 maxUint256 = type(uint256).max - currentNumber;
           counter.setNumber(maxUint256);
           // The unchecked increment wraps the maximum value around to 0
           counter.increment();
       }
   }
   ```

2. Once the transaction is confirmed, navigate back to the *Explore bounties* page and find the card for your bounty. Now, you will see the red "Exploited" badge!
3. If you navigate to the *Vouchers List* page, you will see a voucher that will allow you to receive your reward.

   ![list vouchers](https://hackmd.io/_uploads/ryZLbYerkg.png)

## Proposal to dig deeper

If you would like to explore the smart contract bounty feature further, try creating a bug bounty for your own project or for a project that you like/support/use. :wink:

## Thank you!

Thanks for following this tutorial and learning more about Bug Buster! :beetle:

If you have any comments, suggestions and/or questions, please don't hesitate to reach out through our [Telegram group](https://t.me/BugBusterApp) or [X account](https://x.com/BugBusterApp).