Bug Bounties Are Broken
Most bug bounty programs work like this: find a vulnerability, write a report, wait 3 months, argue about severity, maybe get paid in fiat after signing an NDA. The payout has no connection to the infrastructure you used to find the bug. A researcher running Burp Suite on a $3,000 MacBook Pro gets the same reward as someone who reverse-engineered the protocol on a 2002 PowerBook G4.
RustChain's bounty system works differently. Bounties are GitHub issues denominated in RTC tokens. Security researchers get paid from a community fund with a transparent cap. And if you happen to mine RTC on vintage hardware while you're researching -- your PowerBook G4 earns 2.5x what a modern laptop earns.
This is not a metaphor. We literally pay more for older computers.
GitHub-Native Bounties in RTC
Every bounty is a GitHub issue on Scottcjn/rustchain-bounties. The issue title describes the target. The body specifies the reward in RTC. The label tracks status. When someone submits a valid finding, they get paid in RTC to their miner wallet.
No portal. No signup. No intermediary taking 20%. Open a GitHub issue, read the scope, do the work, submit a PR or write-up, get tokens.
The reference rate is 1 RTC = $0.10 USD. So a 200 RTC bounty is a $20 bounty. That's modest by HackerOne standards -- but the bounties are designed to be accessible to independent researchers, not to attract corporate red teams billing $500/hour. And the tokens appreciate if the network grows.
900 RTC in Active Red Team Bounties
Right now there are 6 active security bounties totaling 900 RTC ($90 at reference rate):
| Bounty | Target | Reward | Difficulty |
|---|---|---|---|
| Ledger Integrity | Forge or tamper with transaction history | 200 RTC | Hard |
| Consensus Attacks | Break RIP-200 round-robin, forge attestations | 200 RTC | Hard |
| Epoch Settlement | Manipulate reward calculation or distribution | 150 RTC | Medium |
| Pending Transfers | Exploit the pending transfer queue | 150 RTC | Medium |
| API Auth | Bypass admin authentication or escalate privileges | 100 RTC | Medium |
| Ergo Anchor | Forge or replay Ergo blockchain anchors | 100 RTC | Medium |
These aren't theoretical attack surfaces. Every one of these was scoped after a real security audit.
The BuilderFred Audit
In February 2026, a researcher named BuilderFred ran a comprehensive security audit against the RustChain node. He found 6 vulnerabilities. All 6 were legitimate. All 6 were fixed. He was paid 150 RTC.
Here's what he found:
1. VM Fingerprint Bypass -- The server trusted self-reported "passed": true for hardware checks. An attacker could submit {"anti_emulation": {"passed": true}} without any evidence and pass validation. Fix: server now requires raw evidence data and validates it independently.
2. Antiquity Spoofing -- A modern CPU could claim to be a G4 PowerBook and get the 2.5x multiplier. Fix: cross-validate SIMD feature sets. Real G4s report AltiVec capabilities that x86 CPUs physically cannot produce.
3. Mock Signature Mode -- Testnet flags TESTNET_ALLOW_MOCK_SIG and TESTNET_ALLOW_INLINE_PUBKEY were still enabled, allowing anyone to forge transaction signatures. Fix: both flags disabled in production.
4. Inline PubKey Hijack -- Related to #3. With inline pubkeys enabled, an attacker could bind any wallet address without proving key ownership. Fix: disabled.
5. SQL Schema Mismatch -- Field naming inconsistency between miner clients (model, arch) and server expectations (device_model, device_arch) caused all x86 miners to hash to the same hardware ID. Fix: accept both naming conventions and include MAC addresses in the hardware hash.
6. Hardware Binding Bypass -- Without MAC addresses in the hardware ID computation, different physical machines with the same CPU model produced identical IDs. Fix: include IP and MAC addresses in the SHA-256 hardware hash.
The 150 RTC payment was the first bounty payout on the network. It proved two things: the audit process works, and independent researchers can get paid without bureaucracy.
The Anti-Cheat: 6 Hardware Fingerprint Checks
The bounty system is backed by Proof of Antiquity mining, which uses hardware fingerprinting to ensure one real CPU gets one vote. This matters for bounties because the community fund that pays bounties is replenished by mining rewards -- and mining rewards can't be gamed by VM farms.
All 6 checks must pass for a miner to earn rewards:
| Check | What It Measures | Why VMs Fail |
|---|---|---|
| Clock-Skew & Oscillator Drift | Crystal oscillator imperfections (500-5000 samples) | VMs use host clock, no real oscillator |
| Cache Timing Fingerprint | L1/L2/L3 latency harmonics across buffer sizes | Hypervisor virtualizes cache, too uniform |
| SIMD Unit Identity | AltiVec/SSE/AVX pipeline timing asymmetry | Emulators flatten all instructions to same latency |
| Thermal Drift Entropy | Heat curve samples across cold/warm/saturated/relaxed | Virtual CPUs have no thermal physics |
| Instruction Path Jitter | Cycle-level jitter across integer, branch, FPU, load/store | Hypervisor interrupt injection creates periodic artifacts |
| Anti-Emulation Detection | DMI vendor strings, hypervisor CPU flag, virtual SCSI | QEMU/VMware/VirtualBox leave filesystem traces |
A detected VM gets a weight of 0.000000001x -- one billionth of a real CPU. Not zero (we want them in logs for monitoring), but effectively zero for rewards.
Here's what the server-side validation looks like:
def validate_fingerprint_data(fingerprint: dict) -> tuple:
"""Server-side validation -- requires raw evidence, not self-reports."""
if not fingerprint:
return False, "no_fingerprint_data"
checks = fingerprint.get("checks", {})
# Anti-emulation: reject if VM indicators present
anti_emu = checks.get("anti_emulation", {})
if anti_emu.get("passed") == False:
return False, f"vm_detected:{anti_emu.get('data', {}).get('vm_indicators', [])}"
# Clock drift: real hardware has measurable variance
clock = checks.get("clock_drift", {})
cv = clock.get("data", {}).get("cv", 0)
if cv < 0.0001:
return False, "timing_too_uniform"
return True, "valid"
After BuilderFred's audit, the critical change was: the server no longer trusts "passed": true. It inspects the raw vm_indicators array, the cv coefficient of variation, and the SIMD feature bitmask. You can't lie about the results -- you have to provide the evidence.
Proof of Antiquity: Vintage Hardware Earns More
This is the part that makes people do a double take. RustChain's mining rewards are weighted by hardware age:
| Architecture | Base Multiplier | Example Hardware |
|---|---|---|
| PowerPC G4 | 2.5x | PowerBook G4 (2002), Power Mac G4 MDD |
| PowerPC G5 | 2.0x | Power Mac G5 Dual (2005) |
| IBM POWER8 | 2.0x | Power System S824 (2014) |
| Retro x86 | 1.4x | Pentium 4, Core 2 Duo |
| Apple Silicon | 1.2x | Mac Mini M2 |
| Modern x86-64 | 1.0x | Ryzen, Intel 12th+ gen |
The multiplier decays over time: aged = 1.0 + (base - 1.0) * (1 - 0.15 * chain_age_years). After ~16.67 years, all architectures converge to 1.0x. The bonus rewards the act of keeping old hardware alive, not a permanent advantage.
Why does this matter for bounties? Because the community fund that pays bounties comes from the same token supply that rewards miners. The economics are circular: miners earn RTC, the community fund holds RTC, researchers earn RTC from bounties, researchers can mine more RTC on the same hardware they used for research. A security researcher with a PowerBook G4 on their desk is simultaneously mining at 2.5x and hunting for vulnerabilities.
Fair Launch Tokenomics
The bounty pool isn't backed by VC money or a token sale. It's backed by a predictable, transparent token supply:
| Parameter | Value |
|---|---|
| Total Supply | 8,388,608 RTC (2^23) |
| Premine | 6% (founder allocations) |
| Mineable | 94% |
| Community Fund | ~96,673 RTC |
| Epoch Reward | 1.5 RTC per 10-minute epoch |
| Reference Rate | 1 RTC = $0.10 USD |
No ICO. No presale. No token generation event. The community fund was allocated at genesis and is drawn down through bounties and development grants. When a 200 RTC bounty is paid, it comes directly from the community fund -- visible on-chain, auditable by anyone.
The total supply is a power of 2 because binary precision matters when your ledger uses integer arithmetic (amount_i64) to avoid floating-point rounding errors. Every fraction of an RTC is accounted for exactly.
Getting Started
As a miner:
# Install the miner CLI
pip install clawrtc
# Create a wallet
clawrtc wallet create
# Start mining (your hardware gets fingerprinted and earns accordingly)
clawrtc mine
# Check your balance
clawrtc wallet show
If your machine passes all 6 fingerprint checks, it earns RTC every epoch. A modern x86 laptop earns 1.0x. A PowerBook G4 earns 2.5x. Dust off whatever vintage hardware you have -- it's worth more on this network than on eBay.
As a security researcher:
- Browse open bounties at Scottcjn/rustchain-bounties
- Read the scope and reward for each issue
- Test against the live network (node health:
curl -sk https://rustchain.org/health) - Submit findings as a GitHub issue or PR
- Get paid in RTC to your miner wallet
As a builder:
The community fund supports development grants beyond security bounties. If you're building tooling, integrations, or documentation for the ecosystem, open an issue describing the work and proposed RTC amount.
Links
- RustChain: rustchain.org
- Bounties: Scottcjn/rustchain-bounties
- Source: Scottcjn/Rustchain
- ClawRTC on PyPI: pypi.org/project/clawrtc
- BoTTube: bottube.ai
- Block Explorer: rustchain.org
-
Node Health:
curl -sk https://rustchain.org/health -
Active Miners:
curl -sk https://rustchain.org/api/miners
Other articles in this series:
- I Built a Video Platform Where AI Agents Are the Creators
- The Agent Internet Has 54,000+ Users
- Proof of Antiquity: A Blockchain That Rewards Vintage Hardware
- Your AI Agent Can't Talk to Other Agents. Beacon Fixes That.
- How We Made "One CPU, One Vote" Actually Work
- I Run LLMs on a 768GB IBM POWER8 Server
Built by Elyan Labs in Louisiana. The vintage machines mine. The researchers break things. And a PowerBook G4 from 2002 earns more than a Ryzen 9 from 2025.
Top comments (0)