Why Our Bounty System Pays You More for Using a PowerBook G4

Source: Dev.to

RustChain Bounty System Overview

Most bug‑bounty programs work like this:

1. Find a vulnerability.
2. Write a report.
3. Wait ~3 months, argue about severity, and maybe get paid in fiat after signing an NDA.

The payout has no connection to the infrastructure you used to find the bug.
A researcher running Burp Suite on a $3,000 MacBook Pro gets the same reward as someone who reverse‑engineered the protocol on a 2002 PowerBook G4.

How RustChain differs

• Bounties are GitHub issues denominated in RTC tokens.
• Researchers are paid from a transparent community fund with a capped budget.
• Mining on vintage hardware earns more – a PowerBook G4 earns 2.5× what a modern laptop earns.
• No portal, no sign‑up, no intermediary taking a cut.

This is not a metaphor. We literally pay more for older computers.

How to Claim a Bounty

Reference rate: 1 RTC = $0.10 USD.
A 200 RTC bounty equals $20 – modest by HackerOne standards, but designed for independent researchers rather than corporate red teams. Tokens can appreciate as the network grows.

Current Active Bounties

Total: 6 active bounties → 900 RTC (≈ $90 at the reference rate).

These are real, scoped attack surfaces derived from a security audit.

Case Study: BuilderFred (Feb 2026)

A researcher named BuilderFred performed a comprehensive audit of the RustChain node, discovered 6 valid vulnerabilities, and was paid 150 RTC (the first bounty payout on the network).

Findings

1. VM Fingerprint Bypass – Server trusted self‑reported "passed": true for hardware checks.
   Fix: Server now requires raw evidence data and validates it independently.

2. Antiquity Spoofing – Modern CPUs could claim to be a G4 PowerBook and get the 2.5× multiplier.
   Fix: Cross‑validate SIMD feature sets; real G4s report AltiVec capabilities that x86 CPUs cannot produce.

3. Mock Signature Mode – Testnet flags TESTNET_ALLOW_MOCK_SIG and TESTNET_ALLOW_INLINE_PUBKEY were still enabled, allowing forged signatures.
   Fix: Both flags disabled in production.

4. Inline PubKey Hijack – With inline pubkeys enabled, an attacker could bind any wallet address without proving key ownership.
   Fix: Disabled.

5. SQL Schema Mismatch – Inconsistent field naming (model, arch vs. device_model, device_arch) caused all x86 miners to hash to the same hardware ID.
   Fix: Accept both naming conventions and include MAC addresses in the hardware hash.

6. Hardware Binding Bypass – Without MAC addresses in the hardware‑ID computation, different machines with the same CPU model produced identical IDs.
   Fix: Include IP and MAC addresses in the SHA‑256 hardware hash.

The payout demonstrated that the audit process works and that independent researchers can be paid without bureaucracy.

Proof‑of‑Antiquity Mining & VM Resistance

Bounties are funded by Proof‑of‑Antiquity mining, which uses hardware fingerprinting to ensure one real CPU = one vote. Mining rewards cannot be gamed by VM farms.

Required Checks (all must pass for a miner to earn rewards)

A detected VM receives a weight of 0.000000001× (one‑billionth) of a real CPU – effectively zero for rewards, though still logged for monitoring.

Server‑Side Validation Example

def validate_fingerprint_data(fingerprint: dict) -> tuple:
    """Server‑side validation – requires raw evidence, not self‑reports."""
    if not fingerprint:
        return False, "no_fingerprint_data"

    checks = fingerprint.get("checks", {})

    # Anti‑emulation: reject if VM indicators present
    anti_emu = checks.get("anti_emulation", {})
    if anti_emu.get("passed") == False:
        return False, f"vm_detected:{anti_emu.get('data', {}).get('vm_indicators', [])}"

    # Clock drift: real hardware has measurable variance
    clock = checks.get("clock_drift", {})
    cv = clock.get("data", {}).get("cv", 0)
    if cv < 0.0001:
        return False, "timing_too_uniform"

    return True, "valid"

After BuilderFred’s audit, the critical change was that the server no longer trusts self‑reported data; it now validates raw fingerprint evidence.

RustChain Mining Rewards

The rewards are weighted by hardware age:

The multiplier decays over time:

aged = 1.0 + (base - 1.0) * (1 - 0.15 * chain_age_years)

After ~16.67 years all architectures converge to 1.0×. The bonus rewards the act of keeping old hardware alive, not a permanent advantage.

Why It Matters for Bounties

The community fund that pays bounties comes from the same token supply that rewards miners. The economics are circular:

• Miners earn RTC.
• The community fund holds RTC.
• Researchers earn RTC from bounties.
• Researchers can mine more RTC on the same hardware they used for research.

A security researcher with a PowerBook G4 is simultaneously mining at 2.5× and hunting for vulnerabilities.

Token Supply & Economics

No ICO. No presale. No token generation event.
The community fund was allocated at genesis and is drawn down through bounties and development grants. When a 200 RTC bounty is paid, it comes directly from the fund – visible on‑chain and auditable by anyone.

The total supply is a power of two because binary precision matters when the ledger uses integer arithmetic (amount_i64) to avoid floating‑point rounding errors. Every fraction of an RTC is accounted for exactly.

Getting Started as a Miner

# Install the miner CLI
pip install clawrtc

# Create a wallet
clawrtc wallet create

# Start mining (your hardware gets fingerprinted and earns accordingly)
clawrtc mine

# Check your balance
clawrtc wallet show

If your machine passes all 6 fingerprint checks, it earns RTC every epoch:

• Modern x86 laptop → 1.0×
• PowerBook G4 → 2.5×

Dust off whatever vintage hardware you have – it’s worth more on this network than on eBay.

As a Security Researcher

1. Browse open bounties: Scottcjn/rustchain-bounties

2. Read the scope and reward for each issue.

3. Test against the live network:

   curl -sk https://rustchain.org/health

4. Submit findings as a GitHub issue or PR.

5. Get paid in RTC to your miner wallet.

As a Builder

The community fund also supports development grants beyond security bounties. If you’re building tooling, integrations, or documentation for the ecosystem:

1. Open an issue describing the work and proposed RTC amount.
2. Work with the fund managers to receive a grant.

Useful Links

• RustChain – https://rustchain.org
• Bounties – https://github.com/Scottcjn/rustchain-bounties
• Source Code – https://github.com/Scottcjn/Rustchain
• ClawRTC (PyPI) – https://pypi.org/project/clawrtc
• BoTTube – https://bottube.ai
• Block Explorer – https://rustchain.org
• Node Health – curl -sk https://rustchain.org/health
• Active Miners – curl -sk https://rustchain.org/api/miners

Other Articles in This Series

• I Built a Video Platform Where AI Agents Are the Creators
• The Agent Internet Has 54,000+ Users
• Proof of Antiquity: A Blockchain That Rewards Vintage Hardware
• Your AI Agent Can’t Talk to Other Agents. Beacon Fixes That.
• How We Made “One CPU, One Vote” Actually Work
• I Run LLMs on a 768 GB IBM POWER8 Server

Built by Elyan Labs in Louisiana. The vintage machines mine. The researchers break things. And a PowerBook G4 from 2002 earns more than a Ryzen 9 from 2025.