
Automatic Reward Distribution: Smart contract-based system for bug bounty rewards

Open Copilot opened this issue 3 months ago • 10 comments

Implements an automatic reward distribution system using Ethereum smart contracts that automatically distributes bug bounty rewards to successful bug hunters in their chosen cryptocurrency upon approval of their submission.

Implementation Overview

This PR adds a complete blockchain-based reward distribution system that:

  • Automatically sends cryptocurrency rewards when bugs are approved
  • Uses Ethereum smart contracts for transparent, immutable transactions
  • Supports user cryptocurrency preferences (ETH, BTC, BCH - currently ETH automated)
  • Falls back to manual distribution if automatic fails
  • Includes comprehensive security measures and testing

Changes Made

1. Smart Contract (contracts/BugBountyReward.sol)

  • Solidity smart contract for managing bug bounty rewards on Ethereum
  • Features: hunt creation, fund management, automatic reward distribution
  • Security: access control, reentrancy protection, double-spend prevention
  • Event logging for transparency and on-chain verification

2. Reward Distribution Service (website/services/reward_distribution.py)

  • Python service layer using web3.py for blockchain interaction
  • Handles transaction signing, submission, and verification
  • Configurable settings (ETH price, transaction timeouts)
  • Comprehensive error handling with graceful fallback

3. Database Enhancements

  • Issue Model: Added blockchain_tx_hash and reward_distributed_at fields to track distributions
  • UserProfile Model: Added preferred_cryptocurrency field for user preferences
  • Migration file: 0253_add_crypto_preference_fields.py

4. Workflow Integration (website/views/company.py)

  • Modified accept_bug function to trigger automatic distribution
  • Checks user crypto preferences and wallet addresses
  • Provides clear success/error feedback to users
  • Falls back to manual distribution on errors

5. Deployment Tools

  • Management command: python manage.py deploy_reward_contract for deploying to testnet/mainnet
  • Configuration validation and deployment feedback
  • Safety checks for mainnet deployment

6. Testing (website/tests/test_reward_distribution.py)

  • Comprehensive unit tests for all components
  • Mock-based blockchain interaction testing
  • Edge case and error scenario coverage
  • Model field validation tests

7. Documentation

  • docs/REWARD_DISTRIBUTION.md: Complete technical documentation
  • docs/QUICK_START_REWARD_DISTRIBUTION.md: 5-minute setup guide
  • contracts/README.md: Smart contract documentation
  • Security best practices and deployment guides

Configuration

New environment variables in .env.example:

# Blockchain configuration
ETHEREUM_NODE_URL=https://sepolia.infura.io/v3/YOUR_INFURA_PROJECT_ID
ETHEREUM_PRIVATE_KEY=your_private_key_here
CONTRACT_ADDRESS=0x_your_deployed_contract_address_here

# Optional configurations
ETH_PRICE_USD=2000  # Update regularly or use price oracle
BLOCKCHAIN_TX_TIMEOUT=120  # Adjust based on network conditions

How It Works

  1. Bug hunter submits a bug with their ETH wallet configured in profile
  2. Organization approves the bug submission with a reward amount
  3. System automatically:
    • Validates hunter's cryptocurrency preference and wallet
    • Converts USD reward to ETH (Wei) using configured rate
    • Creates and signs blockchain transaction
    • Distributes reward to hunter's wallet with reentrancy protection
    • Records transaction hash on-chain for transparency
  4. If automatic distribution fails, system falls back to manual distribution

Security Features

  • ✅ Reentrancy protection in smart contract (noReentrancy modifier)
  • ✅ Access control (only platform owner can distribute rewards)
  • ✅ Double-spend prevention through on-chain issue tracking
  • ✅ Private key management via environment variables
  • ✅ Event logging for all ETH transfers
  • ✅ Comprehensive error handling and logging
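The guards in the list above (reentrancy flag, owner-only distribution, per-issue double-spend tracking, event logging) and the "distributes reward" step under How It Works are shown in this added Solidity sketch, which is not the PR's contracts/BugBountyReward.sol; the contract, function and event names and the checks-effects-interactions ordering are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical sketch of the on-chain guards described in the PR, not the PR's own contract.
contract BugBountyRewardSketch {
    address public immutable owner;            // platform key that is allowed to distribute
    mapping(uint256 => bool) public rewarded;  // issueId => already paid (double-spend guard)
    bool private locked;                       // reentrancy flag

    event Funded(address indexed from, uint256 amountWei);
    event RewardDistributed(uint256 indexed issueId, address indexed hunter, uint256 amountWei);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    modifier noReentrancy() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    constructor() {
        owner = msg.sender;
    }

    // Fund the contract from the platform treasury; every deposit is logged.
    receive() external payable {
        emit Funded(msg.sender, msg.value);
    }

    function distributeReward(uint256 issueId, address payable hunter, uint256 amountWei)
        external
        onlyOwner
        noReentrancy
    {
        // Checks: valid recipient, payable amount, and this issue not yet rewarded.
        require(hunter != address(0), "zero address");
        require(amountWei > 0 && amountWei <= address(this).balance, "bad amount");
        require(!rewarded[issueId], "issue already rewarded");
        // Effects: mark the issue paid BEFORE the external call so neither a
        // re-entrant call nor a repeated owner call can pay the same issue twice.
        rewarded[issueId] = true;
        emit RewardDistributed(issueId, hunter, amountWei);
        // Interaction: low-level call so contract wallets with >2300-gas fallbacks can receive.
        // A failed send reverts everything, including the rewarded flag, so the
        // off-chain service can retry or fall back to manual distribution.
        (bool ok, ) = hunter.call{value: amountWei}("");
        require(ok, "transfer failed");
    }
}
```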

Important Notes

⚠️ Before Production Deployment:

  1. Price Oracle Required: Static ETH price must be replaced with real-time price oracle (e.g., Chainlink)
  2. Security Audit: Smart contract should be professionally audited
  3. Testnet Testing: Thoroughly test on Sepolia testnet before mainnet
  4. Key Management: Use hardware wallet or HSM for production private keys

Current Status

  • Automated Distribution: ETH only (via smart contract)
  • Manual Distribution: BTC and BCH (existing system integration possible)
  • Configuration: Disabled by default, requires environment setup
  • Testing: Ready for testnet deployment and testing

Quick Start

See docs/QUICK_START_REWARD_DISTRIBUTION.md for a 5-minute setup guide to test on Sepolia testnet.

Deployment Steps

  1. Compile contract: solc --bin --abi contracts/BugBountyReward.sol -o contracts/build/
  2. Configure environment variables (testnet first!)
  3. Deploy to testnet: python manage.py deploy_reward_contract --network testnet
  4. Test thoroughly with various scenarios
  5. Integrate price oracle before production
  6. Get professional security audit
  7. Deploy to mainnet when ready

  • Fixes OWASP-BLT/BLT#1915

Original prompt

This section details the original issue you should resolve

<issue_title>Automatic Reward Distribution: Create a smart contract-based system to automatically distribute bug hunt rewards to successful bug hunters in their chosen cryptocurrency upon approval of their submission.</issue_title> <issue_description></issue_description>

Comments on the Issue (you are @copilot in this section)

  • Fixes OWASP-BLT/BLT#1915


Copilot, Nov 23 '25 06:11