Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/tintinweb/bugbounty-companion

A BugBounty companion that checks out high-reward yielding bug bounty code-bases from Immunefi/code4rena 🙌 (use at own risk)
https://github.com/tintinweb/bugbounty-companion

bugbounty code4rena immunefi smart-contracts

Last synced: 3 months ago
JSON representation

A BugBounty companion that checks out high-reward yielding bug bounty code-bases from Immunefi/code4rena 🙌 (use at own risk)

Host: GitHub
URL: https://github.com/tintinweb/bugbounty-companion
Owner: tintinweb
License: mit
Created: 2022-05-26T14:57:48.000Z (over 2 years ago)
Default Branch: main
Last Pushed: 2024-04-15T10:59:20.000Z (10 months ago)
Last Synced: 2024-10-29T15:34:03.253Z (3 months ago)
Topics: bugbounty, code4rena, immunefi, smart-contracts
Language: Python
Homepage:
Size: 38.1 KB
Stars: 69
Watchers: 4
Forks: 5
Open Issues: 0
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml
- License: LICENSE

Awesome Lists containing this project

README

# BugBounty Companion

^{Up your game by being more efficient than others! 🤓}

Checkout high-reward yielding bug bounty projects, run your scripts to find bugs before others do, submit reports for bounties, win! Scale your bug bounty hunting efforts.

The BugBounty companion lets you quickly check out source-code from bug bounty programs from various platforms. Currently supporting [Immunefi](https://immunefi.com/explore/) and [C4](https://code4rena.com/) 🙌

**TLDR;** clones **Immunefi/C4** Repositories filtered by the highest rewards.

^{⚠️ HACKY SCRIPT! - shell-executes stuff without checking! USE AT OWN RISK. dry-run first!}

## Supported Platforms

* [Immunefi](https://immunefi.com/explore/)

* [C4](https://code4rena.com/)

## Usage

**default output folder** is `$(pwd)/bugbounty_repos/`

### Examples

* sync with c4 website and dump results to json file
```
$ bugbounty.py code4rena sync [unique]
```

* alternatively sync with all supported websites and dump results to json file
```
$ bugbounty.py sync [unique]
```

* show unique repos in cache
```
$ bugbounty.py unique
```

* (dry-run) clone all unique repos (optionally only projects with >100_000 rewards)
```
$ bugbounty.py unique clone [maxReward=100000]
```

* (actually) clone all unique repos (optionally only projects with >100_000 rewards)
```
$ bugbounty.py unique clone no-dryrun [maxReward=100000]
```

#### Demo

```
tintin@takeshii:~/workspace/solidity/bugbounty-companion|main⚡
⇒ python3 bugbounty.py unique minReward=1000
⚠️ You are about to run this script on ALL bug bounty platforms (currently: C4 AND Immunefi)!
Continue? [yN]y
1000
OpenSea Seaport contest : $$ 1000000
➡️ https://github.com/code-423n4/2022-05-opensea-seaport
Notional x Index Coop : $$ 75000
➡️ https://github.com/code-423n4/2022-06-notional-coop
Backd Tokenomics contest : $$ 75000
➡️ https://github.com/code-423n4/2022-05-backd
veToken Finance contest : $$ 75000
➡️ https://github.com/code-423n4/2022-05-vetoken
Velodrome Finance contest : $$ 75000
➡️ https://github.com/code-423n4/2022-05-velodrome
ChainSafe contest : $$ 70000
➡️ https://github.com/code-423n4/2022-05-chainsafe
=============================
total bounties: 6

min_reward: 1000
- selected bounties: 6
- selected repos: 6
wormhole/ : $$ 10000000
➡️ https://github.com/certusone/wormhole
makerdao/ : $$ 10000000
➡️ https://github.com/dapphub/ds-weth
➡️ https://github.com/makerdao/arbitrum-dai-bridge
➡️ https://github.com/makerdao/clipper-mom
➡️ https://github.com/makerdao/dss
➡️ https://github.com/makerdao/dss-auto-line
➡️ https://github.com/makerdao/dss-cdp-manager
➡️ https://github.com/makerdao/dss-chain-log
➡️ https://github.com/makerdao/dss-exec-lib
➡️ https://github.com/makerdao/dss-gem-joins
➡️ https://github.com/makerdao/dss-interfaces
➡️ https://github.com/makerdao/dss-proxy-actions
➡️ https://github.com/makerdao/dss-psm
➡️ https://github.com/makerdao/dss-vest
➡️ https://github.com/makerdao/esm
➡️ https://github.com/makerdao/exchange-callees
➡️ https://github.com/makerdao/ilk-registry
➡️ https://github.com/makerdao/median
➡️ https://github.com/makerdao/optimism-dai-bridge
➡️ https://github.com/makerdao/osm
aurora/ : $$ 6000000
➡️ https://github.com/aurora-is-near/aurora-engine
➡️ https://github.com/aurora-is-near/near-erc20-connector
➡️ https://github.com/aurora-is-near/rainbow-bridge
➡️ https://github.com/aurora-is-near/rainbow-token-connector
➡️ https://github.com/aurora-is-near/sputnikvm
➡️ https://github.com/near-daos/sputnik-dao-contract
chain/ : $$ 5000000
➡️ https://github.com/chain/chain-token
➡️ https://github.com/chain/governance
➡️ https://github.com/chain/staking
gmx/ : $$ 5000000
➡️ https://github.com/gmx-io/gmx-contracts
olympus/ : $$ 3333333
➡️ https://github.com/OlympusDAO/olympus-contracts
thegraph/ : $$ 2500000
➡️ https://github.com/graphprotocol/agora
➡️ https://github.com/graphprotocol/graph-node
➡️ https://github.com/graphprotocol/indexer
balancer/ : $$ 2400000
➡️ https://github.com/balancer-labs/balancer-v2-monorepo
tribedao/ : $$ 2200000
➡️ https://github.com/Rari-Capital/compound-protocol
➡️ https://github.com/fei-protocol/fei-protocol-core
zksync/ : $$ 2100000
➡️ https://github.com/matter-labs/zksync
optimism/ : $$ 2000042
➡️ https://github.com/ethereum-optimism/optimism
➡️ https://github.com/ethereum/devp2p
lidoonpolygon/ : $$ 2000000
➡️ https://github.com/Shard-Labs/PoLido
zodiac/ : $$ 2000000
➡️ https://github.com/gnosis/zodiac
multichain/ : $$ 2000000
➡️ https://github.com/anyswap/Anyswap-Audit
celer/ : $$ 2000000
➡️ https://github.com/celer-network/sgn-v2-contracts
polygon/ : $$ 2000000
➡️ https://github.com/fx-portal/contracts
➡️ https://github.com/maticnetwork/contracts
➡️ https://github.com/maticnetwork/genesis-contracts
➡️ https://github.com/maticnetwork/pos-portal
arbitrum/ : $$ 2000000
➡️ https://github.com/OffchainLabs/arb-os
➡️ https://github.com/OffchainLabs/arbitrum
...
=============================
total bounties: 288

min_reward: 1000
- selected bounties: 214
- selected repos: 365
```

### I don't know what to do?!

^{⚠️ PSA: Reminder, this script is an ugly hack but it works :D USE AT OWN RISK.}

```
$ bugbounty.py sync unique # 1) download bounty info and cache it; filter unique repos
$ bugbounty.py unique clone # 2) dry-run clone - dblcheck if this is what you do
$ bugbounty.py unique clone no-dryrun # 3) actually checkout all the repos to $(pwd)/bugbounty_repos/
```

## Cool, but when Lambo 🏎️?

* Check for similar issues in all code-bases
* Run your tools, code-smell detectors
* e.g. [semgrep](https://semgrep.dev/) - semgrep now supports solidity! write patterns, find bugs, at scale
* Submit Bugs for Bounties
* 👉 Lambo 🏎️ $$ 🥳🥳

# Donate

Got rich? Consider giving back by supporting the eth security community and [my projects](https://github.com/sponsors/tintinweb) ❤️ 🙏

^{Be a Hero, tip a 🍺 🙂 ⟶ Ƀ: 1AZMeGVfCBbYwVYyG9s79pJDyocTZgiApa | Ξth: 0x438B38E30eF117C15fBfF833f9C2c70182925815}