Bounty: Break the Data Transfer Verification Algorithm
At FileFileGo, we take the security of the system seriously. As part of our commitment to ensuring the safety and integrity of our project, we are launching the "Break the Data Transfer Verification Algorithm" bounty program. This program is designed to encourage security researchers and enthusiasts to help us identify any potential vulnerabilities in the data transfer verification algorithm of our system.
Objective:
The objective of this bounty program is to identify any potential security vulnerabilities that may exist in the data transfer verification algorithm of our blockchain. We believe that this program will help us to improve the security of the system by identifying and addressing any weaknesses in this critical component of our system.
The bounty program covers the data transfer verification algorithm used in our Go implementation (https://github.com/filefilego/filefilego). The data transfer verification algorithm consists of a set of cryptographic functions that can prove that a given file was transferred successfully from an untrusted node to another untrusted node. The algorithm must take into account that both nodes are untrusted and ensure the authenticity and integrity of the data transferred between them. Participants are encouraged to test the algorithm under different scenarios and try to identify any potential weaknesses that could be exploited by attackers.
Rewards:
Participants who are able to identify a previously unknown vulnerability in our data transfer verification algorithm will be eligible for a reward of 1,000,000 FFG coins.
What We Want:
When a storage provider node sends a file to another node, it performs data transformation and encryption. When the file is downloaded by the downloader node, it is not in its original format and will be considered a corrupt file. To restore the file to its original format, the downloader has to ask the data verifier for a key and some other metadata, and must also provide a signature of the downloaded file. The attack vector we want to examine in this bounty is how to restore the file to its original format without asking the verifier for the decryption/restoration metadata. Specifically, we want participants to try to bypass the data transfer verification algorithm and identify any methods that could be used to restore the file to its original format without the decryption/restoration metadata. We believe that this information will help us to improve the security of the system and better protect our incentive mechanism.
A partially encrypted and transformed file has been provided, and the objective is to generate the output file whose file hash is "4cde7d689df28904ac4a3f667e3bfcd00a07605f". We are using the SHA-1 file hashing algorithm provided by the "crypto/sha1" package in the Go programming language.
The following packages are used for the data transfer verification:
file_utils.go
crypto.go
data_verification.go
Input File: Download
Target SHA1 Hash: 4cde7d689df28904ac4a3f667e3bfcd00a07605f
Total File Segments: 1024
File Encryption Percentage: 10%
Hints: The available encryption methods are AES256 and ChaCha20. We will not disclose which one was used, as we want to replicate the real scenario where the downloader has no other data except the downloaded file.
Please note that we are not interested in finding a hash collision, but in restoring the original version of the file. We basically want to see if an attacker can restore the original file without paying the fee.
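A small checker for the success criterion stated above, written for this page as an added example and not taken from the FileFileGo code base: it streams a candidate output file through "crypto/sha1" and compares the digest with the published target. The names CheckRestored and TargetSHA1 are hypothetical.

```go
package main

import (
	"crypto/sha1"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"io"
	"os"
)

// TargetSHA1 is the digest published on this page for the original file.
const TargetSHA1 = "4cde7d689df28904ac4a3f667e3bfcd00a07605f"

// CheckRestored (hypothetical name) streams r through SHA-1 and reports
// whether the digest equals wantHex. The computed digest is returned so a
// mismatch can be logged next to the expected value.
func CheckRestored(r io.Reader, wantHex string) (string, bool, error) {
	want, err := hex.DecodeString(wantHex)
	if err != nil {
		return "", false, fmt.Errorf("expected hash is not hex: %w", err)
	}
	if len(want) != sha1.Size { // reject truncated or wrong-algorithm digests
		return "", false, fmt.Errorf("expected hash is %d bytes, want %d", len(want), sha1.Size)
	}
	h := sha1.New()
	if _, err := io.Copy(h, r); err != nil { // streamed, never fully in memory
		return "", false, fmt.Errorf("reading candidate: %w", err)
	}
	got := h.Sum(nil)
	return hex.EncodeToString(got), subtle.ConstantTimeCompare(got, want) == 1, nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: check <candidate-file>")
		os.Exit(2)
	}
	f, err := os.Open(os.Args[1])
	if err == nil {
		defer f.Close()
		var got string
		var ok bool
		if got, ok, err = CheckRestored(f, TargetSHA1); err == nil {
			fmt.Printf("sha1=%s match=%t\n", got, ok)
			return
		}
	}
	fmt.Fprintln(os.Stderr, err)
	os.Exit(1)
}
```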
We believe that this bounty program will help us to identify and address any potential vulnerabilities in the data transfer verification algorithm of our platform. We appreciate the efforts of all participants and look forward to receiving their submissions. By working together, we can ensure the safety and security of our users' data and maintain the trust of our community.
Please join our Discord server (https://discord.gg/qhKkKZ9) or submit your queries to GitHub issues in our repository: https://github.com/filefilego/filefilego