Accept ERC-20 tokens instead of ETH (#87)

README.md

@@ -8,7 +8,7 @@ As a result, developers are able to unfairly underpay whitehats, or even refuse
 
 To solve this issue, we have developed Bug Buster—a trustless bug bounty platform powered by [Cartesi Rollups](https://www.cartesi.io/).
 Running inside a deterministic RISC-V machine that boots Linux, Bug Buster accepts applications written in any major programming language[^1].
-Through a friendly web interface, anyone can submit applications, and sponsor them with Ether to incentivize hackers! All major wallets are supported[^2].
+Through a friendly web interface, anyone can submit applications, and sponsor them with ERC-20 tokens to incentivize hackers! All major wallets are supported[^2].
 Meanwhile, hackers can test their exploits right on the browser, without even having to sign Web3 transactions!
 Once the hacker finds a valid exploit, they can finally send a transaction requesting the reward to be transferred to their account.
 If, however, no one is able to submit a valid exploit until a certain deadline, the sponsors may request a refund.

cli/cmd/send.go

@@ -9,6 +9,7 @@ import (
  "os/exec"
  "time"
 
+ "github.com/ethereum/go-ethereum/common"
  "github.com/ethereum/go-ethereum/common/hexutil"
  "github.com/rollmelette/rollmelette"
  "github.com/spf13/cobra"
@@ -52,15 +53,14 @@ func sendDo(inputKind shared.InputKind, payload any, send func(string, context.C
  log.Printf("input added\n%s", output)
 }
 
-func sendEther(txValue *big.Int, inputKind shared.InputKind, payload any) {
+func sendERC20(token common.Address, value *big.Int, inputKind shared.InputKind, payload any) {
  sendDo(inputKind, payload, func(inputJsonStr string, ctx context.Context) ([]byte, error) {
  cmd := exec.CommandContext(ctx,
  "cast", "send",
  "--unlocked", "--from", sendArgs.fromAddress,
- "--value", txValue.String(),
- addressBook.EtherPortal.String(), // TO
- "depositEther(address,bytes)", // SIG
- dappAddress, inputJsonStr, // ARGS
+ addressBook.ERC20Portal.String(), // TO
+ "depositERC20Tokens(address,address,uint256,bytes)", // SIG
+ token.String(), dappAddress, value.String(), inputJsonStr, // ARGS
  )
  return cmd.CombinedOutput()
  })

cli/cmd/sponsor.go

@@ -5,6 +5,7 @@ import (
  "log"
  "math/big"
 
+ "github.com/ethereum/go-ethereum/common"
  "github.com/spf13/cobra"
 )
 
@@ -18,24 +19,23 @@ var (
  sponsorBountyIndex int
  sponsorName string
  sponsorImgLink string
+ sponsorToken string
  sponsorValue string
 )
 
 func sponsorRun(cmd *cobra.Command, args []string) {
- etherValue, ok := new(big.Float).SetString(sponsorValue)
+ value, ok := new(big.Int).SetString(sponsorValue, 10)
  if !ok {
  log.Fatalf("failed to parse value")
+ return
  }
- tenToEighteen := new(big.Float).SetFloat64(1e18)
- weiValue := new(big.Float).Mul(etherValue, tenToEighteen)
- value := new(big.Int)
- weiValue.Int(value)
+ token := common.HexToAddress(sponsorToken)
  payload := &shared.AddSponsorship{
  BountyIndex: sponsorBountyIndex,
  Name: sponsorName,
  ImgLink: sponsorImgLink,
  }
- sendEther(value, shared.AddSponsorshipInputKind, payload)
+ sendERC20(token, value, shared.AddSponsorshipInputKind, payload)
 }
 
 func init() {
@@ -53,6 +53,10 @@ func init() {
  &sponsorImgLink, "image", "i", "", "Sponsor image")
 
  sponsorCmd.Flags().StringVarP(
- &sponsorValue, "value", "v", "", "Value to sponsor in Ether")
+ &sponsorToken, "token", "t", "", "Address of ERC-20 token")
+ sponsorCmd.MarkFlagRequired("token")
+
+ sponsorCmd.Flags().StringVarP(
+ &sponsorValue, "value", "v", "", "Amount of tokens to sponsor")
  sponsorCmd.MarkFlagRequired("value")
 }

contract/main.go

@@ -73,6 +73,7 @@ func (c *BugBusterContract) Advance(
  ImgLink: inputPayload.ImgLink,
  Description: inputPayload.Description,
  Deadline: inputPayload.Deadline,
+ Token: inputPayload.Token,
  Sponsorships: nil,
  Exploit: nil,
  Withdrawn: false,
@@ -108,21 +109,24 @@ func (c *BugBusterContract) Advance(
  return fmt.Errorf("can't add sponsorship after deadline")
  }
 
- var etherDepositSender common.Address
- var etherDepositValue *uint256.Int
+ var erc20DepositSender common.Address
+ var erc20DepositValue *uint256.Int
 
  switch deposit := deposit.(type) {
- case *rollmelette.EtherDeposit:
- etherDepositSender = deposit.Sender
- etherDepositValue, _ = uint256.FromBig(deposit.Value)
+ case *rollmelette.ERC20Deposit:
+ if deposit.Token != bounty.Token {
+ return fmt.Errorf("wrong token: %v", bounty.Token)
+ }
+ erc20DepositSender = deposit.Sender
+ erc20DepositValue, _ = uint256.FromBig(deposit.Amount)
  default:
  return fmt.Errorf("unsupported deposit: %T", deposit)
  }
 
- sponsorship := bounty.GetSponsorship(etherDepositSender)
+ sponsorship := bounty.GetSponsorship(erc20DepositSender)
  if sponsorship != nil {
  // Add to existing sponsorship
- newValue := new(uint256.Int).Add(sponsorship.Value, etherDepositValue)
+ newValue := new(uint256.Int).Add(sponsorship.Value, erc20DepositValue)
  sponsorship.Value = newValue
  // Update profile
  sponsorship.Sponsor.Name = inputPayload.Name
@@ -131,11 +135,11 @@ func (c *BugBusterContract) Advance(
  // Create new sponsorship
  sponsorship := &shared.Sponsorship{
  Sponsor: shared.Profile{
- Address: etherDepositSender,
+ Address: erc20DepositSender,
  Name: inputPayload.Name,
  ImgLink: inputPayload.ImgLink,
  },
- Value: etherDepositValue,
+ Value: erc20DepositValue,
  }
  bounty.Sponsorships = append(bounty.Sponsorships, sponsorship)
  }
@@ -171,7 +175,7 @@ func (c *BugBusterContract) Advance(
 
  // generate voucher for each sponsor
  for _, sponsorship := range bounty.Sponsorships {
- _, err := env.EtherWithdraw(sponsorship.Sponsor.Address, sponsorship.Value.ToBig())
+ _, err := env.ERC20Withdraw(bounty.Token, sponsorship.Sponsor.Address, sponsorship.Value.ToBig())
  if err != nil {
  return fmt.Errorf("failed to withdraw: %v", err)
  }
@@ -224,15 +228,15 @@ func (c *BugBusterContract) Advance(
  if sponsor == hacker {
  continue
  }
- err := env.EtherTransfer(sponsor, hacker, sponsorship.Value.ToBig())
+ err := env.ERC20Transfer(bounty.Token, sponsor, hacker, sponsorship.Value.ToBig())
  if err != nil {
  // this should be impossible
  return fmt.Errorf("failed to transfer asset: %v", err)
  }
  }
 
  // generate voucher
- _, err := env.EtherWithdraw(hacker, accBounty.ToBig())
+ _, err := env.ERC20Withdraw(bounty.Token, hacker, accBounty.ToBig())
  if err != nil {
  return fmt.Errorf("failed to generate voucher: %v", err)
  }

frontend/src/app/bounty/[bountyId]/exploit/page.tsx

@@ -19,13 +19,15 @@ import {
 import { isNotEmpty, useForm } from "@mantine/form";
 
 import { useWaitForTransaction } from "wagmi";
+
 import { TestExploit } from "../../../../model/inputs";
 import { usePrepareSendExploit } from "../../../../hooks/bug-buster";
 import { useInputBoxAddInput } from "../../../../hooks/contracts";
 
 import { BountyParams, ConcreteBountyParams } from "../utils.tsx";
 import { useBounty } from "../../../../model/reader";
 import { FileDrop } from "../../../../components/filedrop";
+import { transactionStatus } from "../../../../utils/transactionStatus";
 
 interface FileDropTextParams {
  filename?: string;
@@ -53,21 +55,32 @@ interface SendExploitFormValues {
 const SendExploitForm: FC<ConcreteBountyParams> = ({ bountyIndex, bounty }) => {
  const [filename, setFilename] = useState<string>();
 
- const form = useForm<SendExploitFormValues>({
- initialValues: {
- name: "",
- exploit: "",
+ const initialValues: SendExploitFormValues = {
+ name: "",
+ exploit: "",
+ };
+
+ const form = useForm({
+ initialValues,
+ transformValues: (values) => {
+ return {
+ ...values,
+ exploit: btoa(values.exploit),
+ };
  },
+ validateInputOnBlur: true,
+ validateInputOnChange: true,
  validate: {
  name: isNotEmpty("An exploiter name is required"),
  },
  });
 
- const { name, imgLink, exploit } = form.values;
+ const { name, imgLink, exploit } = form.getTransformedValues();
 
  const [exploitOutput, setExploitOutput] = useState("");
+ const [exploitLoading, setExploitLoading] = useState(false);
 
- async function testExploitAsync(bountyIndex: number, exploit: string) {
+ async function testExploitAsyncAux(bountyIndex: number, exploit: string) {
  const inspectRequest: TestExploit = { bountyIndex, exploit };
  setExploitOutput("Testing...");
 
@@ -96,24 +109,40 @@ const SendExploitForm: FC<ConcreteBountyParams> = ({ bountyIndex, bounty }) => {
  }
  }
 
+ async function testExploitAsync(bountyIndex: number, exploit: string) {
+ setExploitLoading(true);
+ try {
+ await testExploitAsyncAux(bountyIndex, exploit);
+ } catch (e) {
+ if (e instanceof Error) {
+ setExploitOutput(e.message);
+ }
+ }
+ setExploitLoading(false);
+ }
+
  const testExploit = () => {
  testExploitAsync(bountyIndex, exploit);
  };
 
- const config = usePrepareSendExploit({
+ const addInputPrepare = usePrepareSendExploit({
  name,
  imgLink,
  bountyIndex,
  exploit,
  });
 
- const { data, write } = useInputBoxAddInput(config);
- const { isLoading, isSuccess } = useWaitForTransaction({
- hash: data?.hash,
+ const addInputWrite = useInputBoxAddInput(addInputPrepare.config);
+
+ const addInputWait = useWaitForTransaction({
+ hash: addInputWrite.data?.hash,
  });
 
+ const { disabled: addInputDisabled, loading: addInputLoading } =
+ transactionStatus(addInputPrepare, addInputWrite, addInputWait);
+
  return (
- <form onSubmit={form.onSubmit(() => write && write())}>
+ <form>
  <Stack w={800}>
  <Title size="h1">Submit exploit</Title>
  <Text size="lg" fw={700} c="dimmed">
@@ -147,13 +176,7 @@ const SendExploitForm: FC<ConcreteBountyParams> = ({ bountyIndex, bounty }) => {
  input: { fontFamily: "monospace" },
  }}
  placeholder="Exploit code"
- error={form.getInputProps("exploit").error}
- onChange={(e) =>
- form.setFieldValue(
- "exploit",
- btoa(e.target.value),
- )
- }
+ {...form.getInputProps("exploit")}
  />
  </Tabs.Panel>
  <Tabs.Panel value="file">
@@ -170,7 +193,7 @@ const SendExploitForm: FC<ConcreteBountyParams> = ({ bountyIndex, bounty }) => {
  .map((b) => String.fromCharCode(b))
  .join("");
 
- form.setFieldValue("exploit", btoa(str));
+ form.setFieldValue("exploit", str);
  setFilename(fileWithPath.name);
  });
  }
@@ -207,19 +230,22 @@ const SendExploitForm: FC<ConcreteBountyParams> = ({ bountyIndex, bounty }) => {
  </Paper>
  )}
  <Group justify="center" grow>
- <Button size="lg" onClick={testExploit}>
+ <Button
+ size="lg"
+ loading={exploitLoading}
+ onClick={testExploit}
+ >
  Test
  </Button>
  <Button
  size="lg"
- type="submit"
- disabled={!write || isLoading || isSuccess}
+ disabled={addInputDisabled || !form.isValid()}
+ loading={addInputLoading}
+ onClick={() =>
+ addInputWrite.write && addInputWrite.write()
+ }
  >
- {isSuccess
- ? "Submitted!"
- : isLoading
- ? "Submitting..."
- : "Submit"}
+ Submit
  </Button>
  </Group>
  </Stack>