VeChainThor VIP191

VeChain

Ended 64 days ago

VeChainThor VIP191 Designated Gas Payer function

In Scope

Target Type Severity Reward
Blockchain Critical Bounty
Severity (CVSSv3) Reward
Critical 10000$
High 5000$
Medium 2500$
Low 500$

VIP191 is the implementation of the proposal submitted by Totient Labs to improve the existing Multi-party Payment Protocol (MPP) of VeChainThor blockchain. By expanding the signature field to contain an additional delegatorSignature concatenated with the sender signature, VIP191 allows someone other than the sender to co-sign a transaction in order to pay for the transaction fee, also known as a Designated Gas Payer. This improvement is going to broaden the use cases of the fee delegation feature and bring the answers to some of the questions such as:

  • How to sponsor a specific operation which calls multiple contracts in a more flexible manner?
  • How to sponsor multi-clause transactions where each clause is to a different contact?

While the MPP feature has been instrumental in building the first wave of applications on VeChainThor, we are actively engaged in growing use cases and scenarios, and glad to confirm that in the latest release v1.1.0 VIP191 was activated at block #2,898,800 (~ Tue, 28 May 2019 04:00 GMT) on the VeChainThor testnet. VIP191 activation on mainnet will occur after the test is concluded and identified vulnerability (if any) is remediated.

You can find more info about VIP191 in the Medium article by Totient Labs.

Example Code to create a VIP 191 TX

What to look for

  • Transaction / messages malleability
  • Other vulnerabilities or viable attack vectors relating to the VIP191
  • You must not disrupt any service, or compromise personal data
  • You must send a clear textual description of the work done, along with steps to reproduce the vulnerability
  • After sending report, you cannot tell anyone or anywhere. Public disclosure of a vulnerability makes it ineligible for a reward
  • For similar issues, only the first submission is eligible for bounty reward. Note, that submissions can be sent here as well.
  • In case you find chain vulnerabilities we pay only for vulnerability with the highest severity
  • It’s entirely at VeChain's discretion to decide whether a bug is significant enough to be eligible for reward and its severity
  • The rewards will be paid out in VET based on the current price.
  • Download Sync, connect to testnet, and generate wallet address by yourself and receive test tokens via faucet
  • Please find full technical documentation relating to VeChainThor blockchain in the developer information center