The Trustless, Zero-Knowledge Bug Bounty Platform on Solana
GhostBounty is a decentralized platform that revolutionizes how smart contract vulnerabilities are reported and rewarded. By leveraging Solana's high-speed network and a novel commit-reveal architectural pattern, GhostBounty eliminates front-running and ensures researchers get paid fairly for their discoveries.
In traditional Web3 bug bounties, a critical issue is front-running: a researcher submits a vulnerability, and a malicious actor (or even the protocol itself) steals the exploit details before the researcher is rewarded.
GhostBounty solves this by using a Commit-Reveal Scheme:
- You commit the hash of your report anonymously.
- The protocol locks the bounty.
- The protocol patches the bug.
- You reveal the detailed report.
- You get paid automatically.
- Zero-Knowledge Submissions: Exploit details are hashed off-chain with a cryptographic salt. Only the SHA-256 hash is ever stored on the Solana blockchain.
- Ephemeral Anonymity: Researchers use disposable, single-use keypairs to submit and claim bounties so their main wallets are never exposed to retaliation.
- Trustless Escrow: Bounty pools are locked in a PDA (Program Derived Address). The protocol owner cannot withdraw the funds once a valid hash commitment is accepted.
- Lightning Fast Audits: Leveraging Solana means submission, verification, and payment happen practically instantly with fractions of a cent in transaction fees.
- Brutalist UI: A beautiful, stripped-back Next.js 14 frontend using
Framer MotionandTailwind v4that feels like a professional hacker toolkit.
┌─────────────────────────────────────────────────────────────────────────────┐
│ GhostBounty │
├──────────────────────┬───────────────────────┬──────────────────────────────┤
│ Target Protocol │ Bug Bounty │ Researcher │
│ Dashboard │ Radar UI │ Dashboard │
│ (Next.js 14) │ (Next.js 14) │ (Next.js 14) │
└──────────┬───────────┴──────────┬────────────┴─────────────┬────────────────┘
│ │ │
└──────────────────────┼──────────────────────────┘
│
┌───────▼────────┐
│ Context State │
│ (WalletContext)│
└───────┬────────┘
│
┌──────────────────────┼──────────────────────┐
│ │ │
┌────▼─────┐ ┌───────▼────────┐ ┌────▼─────┐
│ Phantom/ │ │ Solana dApp │ │ Anchor │
│ Backpack │ │ WalletAdapter │ │ Client │
└────┬─────┘ └───────┬────────┘ └────┬─────┘
│ │ │
└──────────────────────┼──────────────────────┘
│
┌──────────────▼──────────────┐
│ Solana Testnet/Mainnet │
│ RPC & Confirmations │
└──────────────┬──────────────┘
│
┌──────────────▼──────────────┐
│ Smart Contracts (Rust) │
├─────────────────────────────┤
│ ghostbounty_backend │
│ - create_bounty │
│ - submit_report │
│ - mark_under_review │
│ - mark_patched │
│ - reveal_report │
│ - claim_payment │
├─────────────────────────────┤
│ Data / Escrow PDAs │
│ - Bounty Vault (SOL) │
│ - Report State (Hashes) │
└─────────────────────────────┘
GhostBounty’s architecture is divided into three distinct, decoupled layers that prioritize security and high speeds:
-
User Interfaces (Next.js 14)
- Target Protocol Dashboard: Allows projects to deposit SOL into escrow and list smart contracts that need auditing.
- Bounty Radar UI: A unified explorer mapping out active bounties across the network for researchers to hunt.
- Researcher Dashboard: An isolated, private area where researchers generate their ephemeral keypairs, submit hash commitments, and eventually reveal exploit details to claim their rewards.
-
State & Integration (TypeScript & Wallet Adapter)
- WalletContext: Manages user wallet sessions gracefully via
@solana/wallet-adapter-react. - Anchor Client: Facilitates serialized instruction calls (RPCs) from the frontend directly to the Rust programs, parsing IDLs seamlessly.
- WalletContext: Manages user wallet sessions gracefully via
-
Smart Contracts (Solana/Anchor)
ghostbounty_backend: The primary executable logic program living on Solana. It strictly enforces the state-machine flow of the commit-reveal bounty lifecycle.- Program Derived Addresses (PDAs): We use PDAs extensively to represent state. The
BountyPDA holds the locked reward SOL safely out of reach until verification. TheReportPDA stores anonymous commitments (SHA-256 hashes generated off-chain) allowing researchers to safely claim discovery of a bug before they submit the precise mechanics of the hack.
GhostBounty consists of two main components:
- Smart Contracts (Backend): Built with Rust and the Anchor framework on the Solana blockchain. It manages the state machine of the bounty lifecycle and securely holds funds in a PDA escrow.
- Web App (Frontend): A modern, brutalist-inspired UI built with Next.js 16, React 19, Tailwind CSS v4, and Framer Motion, integrating seamlessly with the Solana Wallet Adapter.
For a technical deep dive into the system properties and anonymous reporting implementation, please see the Architecture Document.
- Blockchain: Solana, Anchor Framework (Rust)
- Frontend: Next.js (App Router), React, TypeScript
- Styling & Animation: Tailwind CSS, Framer Motion
- Web3 Integration:
@solana/web3.js,@solana/wallet-adapter
GhostBounty enforces a strict, cryptographically secure state machine for every bounty using a Commit-Reveal Scheme:
stateDiagram-v2
[*] --> Open: create_bounty
Open --> Reported: submit_report
Reported --> UnderReview: mark_under_review
UnderReview --> Patched: mark_patched
Patched --> Paid: claim_payment (after reveal)
Paid --> [*]
note right of Reported
Commitment stored
Identity hidden
end note
note right of Patched
Reveal enabled
Exploit can be disclosed
end note
-
Open(Create Bounty)- A protocol owner creates a bounty, specifying the target contract.
- The SOL reward is transferred into a secure Program Derived Address (PDA) escrow.
-
Reported(Submit Report)- A researcher finds a vulnerability and creates an ephemeral keypair.
- Instead of submitting the raw exploit, the researcher generates a SHA-256 hash (commitment) of
exploit_details+salt. - The hash is submitted on-chain using the ephemeral keypair (never linked to a real wallet).
-
UnderReview(Acknowledge)- The protocol owner detects the commitment and transitions the state to under review while they investigate off-chain.
-
Patched(Fix & Verify)- The protocol owner fixes the vulnerability on their end and marks the bounty as patched.
-
Reveal(Disclose)- The researcher submits the actual preimage (
exploit_detailsandsalt). - The smart contract verifies that
hash(preimage) == stored_commitment. - Exploit details are explicitly revealed out to the protocol.
- The researcher submits the actual preimage (
-
Paid(Claim Payment)- Once the reveal is confirmed, the researcher can gracefully claim the escrowed SOL seamlessly into their ephemeral keypair.
- Node.js (v20+)
- Rust & Cargo
- Solana CLI
- Anchor CLI
git clone https://github.com/iamomm-hack/GhostBounty.git
cd ghostbountyOpen a new terminal and start a local Solana cluster:
solana-test-validatorNavigate to the backend directory, build the Anchor program, and deploy it to your local cluster:
cd backend
anchor build
# Make sure to update your program ID based on the new keypair
anchor deployNavigate to the frontend directory, install dependencies, and start the development server:
cd ../frontend
npm install
npm run devOpen http://localhost:3000 with your browser to explore the GhostBounty dashboard.
The core Anchor program exposes the following instructions (mapped to the states above):
create_bounty: Initializes a new bounty and funds the escrow.submit_report: Stores the SHA-256 commitment of the vulnerability.mark_under_review: Admin action to acknowledge the report.mark_patched: Admin action indicating the vulnerability is fixed.reveal_report: Researcher reveals the cleartext exploit and salt.claim_payment: Releases the escrowed SOL to the researcher's wallet.
This project is licensed under the MIT License - see the LICENSE file for details.