BountyBlocks
Verifiable bounty ledger with token-agnostic payouts & privacy-preserving proofs
BountyBlocks
Created At
Winner of
Flow - Best Use of Actions & Agents on Flow 2nd place
Flow - Flow Builder Pool Prize
Prize Pool
Project Description
BountyBlocks began as an on-chain bug bounty platform and has evolved into a web3 Verifiable Bounty Ledger (VBL).
We strengthen transparency and community. With BountyBlocks:
- Sponsors prevent vulnerabilities from disrupting their products.
- Ethical hackers remediate issues for monetary rewards (e.g., USDF bounties) staying anonymous while proving capability.
- Provides a decentralized database of fixed bugs that developers can use to improve future code
Our solution is token-agnostic: sponsors fund in one asset; hackers claim in another via on-chain swaps. The VBL automates quotes, routing, slippage, records assets, rates, and proofs for audit.
Built on Flow for programmable issue management and atomic payouts, and Walrus for privacy-preserving evidence and selective disclosure, BountyBlocks delivers an end-to-end, transparent, auditable bounty workflow.
How it's Made
Before the hackathon we planned an on-chain whistleblower tool to protect the reporter’s identity and information. During the ETH workshops we completed our team and refined the idea into a Verifiable Bounty Ledger (VBL) – we even created an acronym.
The VBL fit the hackathon and the tools available. We chose Flow because its plug-and-play setup made smart contracts easier for us. We were eager to leverage Flow actions to simplify the payment process, which required implementing our smart contracts in Cadence.
We then asked how to store reports and build a simple “database” of fixed bugs that developers can learn from. Walrus was a good fit: we keep the reports there and reference them on-chain. Our thinking evolved as we organized the workflow. We first considered paying in PayPal USD, but it wasn’t directly compatible with Flow. So we added a swap step and made payouts token-agnostic: sponsors can fund in one asset, and hackers can claim in another.
Finally, we care about privacy and reputation for ethical hackers. While we didn’t ship it yet, we plan to mint NFT credentials tied to each validated bug, so hackers can prove skills without revealing identity—and audits have a clear record.
