[Tour de SOL] Stage 2 - Details

Introductory Note

This is a retrospective post collating all the various discussions about Stage 2 of Tour de SOL as it’s already been well underway for several weeks now. Overall there are only some minor changes since Stage 1. Which address:

  • How we deal with bugs identified, however aren’t assigned to a particular participant
  • How we reward bugs identified accidentally by individuals
  • Classification and compensation for bugs (explained more below)

Full details on Stage 2 parameters below.

STAGE 2 - DETAILS

  • Start Date/Time: March 1st, 2020
  • Estimated Duration: 4 weeks
  • Malicious behaviour will be incentivised
  • We will not be running Ramp TPS (pushing transactions through the network) in this stage. With recent performance metrics with 20 to 40 3rd party nodes we managed to achieve an average of ~16,000 tx/s (peaking at ~66,000 tx/s) and ~9000 tx/s (peaking at ~60,000 tx/s) respectively, we’re relatively satisfied with that for now. So the focus for now is on network security, stability and refinement.

Future Stages

  • Additional details will be announced progressively depending on the progress made on the previous stages
  • Within each stage the allowable attack surface will vary depending on engineering goals and any new features enabled with each new release. Similarly, metrics upon which participants will be measured against will vary to suit (i.e. performance may be enabled in future stages with Ramp TPS or some other method, and total stake accumulated would become a metric upon which compensation is tied).
  • Our intention at this point in time is for each Stage to run for up to approximately 4 weeks.
  • Future stages will not start until the previous stage is complete
  • Note that we reserve the right to change the schedule/duration if required, but we’ll endeavour to provide clear and ample notification if so.

Attack Surface

  • Each Stage will be configured to behave exactly like the next-in-line upgrade for the Mainnet Beta network at each respective point in time. Participants can expect the attack surface to grow over time as more features are enabled. We’ll be starting with the v1.0.X release line in Stage 2.

Compensation

Compensation slightly reworked since Stage 1, please review the following section carefully:

Original Structure in Stage 1

  1. Participation: This will be measured by multiple factors, including but not limited to if you’ve joined the network, are actively staked, are responsive to issues (i.e. don’t become delinquent, or actively work to resolve the issue if you become delinquent), implement patches/upgrades within a reasonable timeframe and remain so until the end of the stage.
  • Compensation Amount: 3,500 SOL per participant

No Change to the above, remains the same in Stage 2

Original Structure in Stage 1

  1. Attacks/Identified Issues*: We’ll be incentivising participants for conducting network attacks, and identifying bugs within the network. Attacks/Bugs will be separated into two separate classes :
  • Critical: Attacks/Issues that take down the network or successfully execute an economic attack. Issues that simply manifest over time due to failure of our software - without deliberate exploitation - will be excluded.
    • Compensation Amount: 20,000 SOL each
  • Other: Any other attacks/issues that are identified but don’t fall within the ‘Critical’ category.
    • Compensation Amount: 3,000 SOL each
  • The successful attacker/bug-finder must file a github issue, describing the attack to be eligible (amongst registration etc.) for the compensation. The attack is off-limits and not to be attempted again until it has been resolved.

This section has now been revised to the following:

  1. Security Bug Bounty: We’ll be incentivising participants for identifying security issues within the network. This has been renamed because the previous title gave the impression to participants that an attack had to be successfully executed to be eligible for compensation. This is not the case, participants that reveal a security attack vector to the team, without executing the attack will still be eligibile. Securty Bugs will still be classified into two separate classes:
  • Critical: Security bugs that take down the network or successfully execute an economic attack. Issues that simply manifest over time due to failure of our software - without deliberate exploitation - will be excluded.
    • Compensation Amount: 20,000 SOL each
  • Other: Any other security bugs that are identified but don’t fall within the ‘Critical’ category.
    • Compensation Amount: 3,000 SOL each
  • The participant submitting the security bug bounty still must file a github issue, describing the attaack to be eligible (amongst registration etc.) for the compensation. Only if the attack was executed/demo’d then it is to remain off-limites and not attempted again until it has been resolved.

In addition, taking on board the experiences from Stage 1, we’d like to also include the following:

  1. Compensation for Accidental Bug Identification - Bugs that are accidentally identified by any individual participant during Tour de SOL will still be eligible for compensation. This was retrospectively implemented into Stage 1 as well (congratulations to Everstake and Node-A-Team)

    • Compensation Amount: 3,000 SOL each

    The introduction of this is not to discount the amount of effort required to deliberately identify exploits, but to encourage and incentivize validators for experimenting and exploring the code.

  2. Equal Distribution of Compensation for Non-Assigned Bugs Identified - As a small gesture of recognition, all validators that actively participated in Stage 1 will be compensated with additional tokens on top of the the base amount, that will be calculated determined by the # of bugs successfully identified during Stage 1. This will be calculated as follows:

    Critical Bugs

    • ( total # critical bugs identified x Compensation amount for bug ) / total validators = additional compensation per Validator

    Non-Critical Bugs

    • ( total non-critical bugs identified x compensation amount for bug ) / total validators = additional compensation per Validator

Communication Channels for the Event:

  • Primary Channel: We’ve set up a channel titled #tourdesol-announcements which you can join to stay up to date on any major updates related to the events
  • Other channels we’ll also be re-distributing any major announcements via:
    • WeChat: message Dominic#6192 on discord to for an invite
    • E-mail: Your registered email
    • Telegram

Final Words

As always feel free to reach out if you have any queries or concerns. A friendly reminder that participants need to complete registration for us to be able to distribute compensation. If you have issues on that front please also reach out.

1 Like