Search

Search for projects by name

SummaryValue SecuredOnchain costsLivenessMilestones & IncidentsRisk summaryRisk analysisRollup stageData availabilityState derivationState validationOperatorWithdrawalsPermissionsSmart contracts

Honeypot (Cartesi) logoHoneypot (Cartesi)

Badges

About

Honeypot is an application-specific rollup designed to challenge the security of Cartesi Rollups. It provides a gamified battlefield to incentivize bug hunters to hack the application to obtain the funds locked in the rollup contract.

Value secured
$134.23 K5.04%
Canonically Bridged
$134.23 K
Natively Minted
$0.00
Externally Bridged
$0.00
View TVS Breakdown
  • Tokens
  • Past day UOPS
    No data
  • 30D ops count
    No data
  • Stage
  • Type
    Optimistic Rollup
  • Purpose
    Bug bounty
    • Sequencer failureState validationData availabilityExit windowProposer failure
    Explore more in Discovery UI

    Badges

    About

    Honeypot is an application-specific rollup designed to challenge the security of Cartesi Rollups. It provides a gamified battlefield to incentivize bug hunters to hack the application to obtain the funds locked in the rollup contract.

    Recategorisation

    25d
    14h
    06m
    21s

    The project will be classified as "Other" due to its specific risks that set it apart from the standard classifications.

    The project will move to Others because:

    The proof system isn't fully functional

    Consequence: projects without a proper proof system fully rely on single entities to safely update the state. A malicious proposer can finalize an invalid state, which can cause loss of funds.

    Learn more about the recategorisation
    Value Secured

    2024 May 24 — 2025 May 24

    Total value securedTotal
    $134.23 K5.04%
    Canonically BridgedCanonically Bridged ValueCanonical
    $134.23 K5.04%
    Natively MintedNatively Minted TokensNative
    $0.000.00%
    Externally BridgedExternally Bridged ValueExternal
    $0.000.00%
    View TVS breakdown
    Onchain costs

    The section shows the operating costs that L2s pay to Ethereum.

    2024 May 27 — Sep 17

    1 year total cost
    $55.45
    Avg cost per L2 UOP
    No data
    Liveness

    The chart illustrates how "live" the project's operators are by displaying how frequently they submit transactions of the selected type and if these intervals deviate from their typical schedule.

    No dataThere's no data for the project and the selected criteria. Please try again later.
    30D avg. state updates interval
    No data
    Past 30 days anomalies
    Milestones & Incidents

    Honeypot launch

    2023 Sep 26th

    Honeypot launched on mainnet.

    Learn more

    Honeypot announcement

    2023 Apr 11th

    Honeypot first announced to the community.

    Learn more
    Risk summary

    Funds can be frozen if

    1. the centralized validator goes down. Users cannot produce blocks themselves and exiting the system requires new block production (CRITICAL).

    MEV can be extracted if

    1. the operator exploits their centralized position and frontruns user transactions.
    Risk analysis
    Sequencer failureState validationData availabilityExit windowProposer failure
    Sequencer failure
    Self sequence

    In the event of a sequencer failure, users can force transactions to be included in the project’s chain by sending them to L1. There is no delay on this operation.

    State validation
    None

    Currently the system permits invalid state roots. More details in project overview.

    Data availability
    Onchain

    All of the data needed for proof construction is published on Ethereum L1.

    Exit window

    Users can exit funds at any time because contracts are not upgradeable.

    Proposer failure
    Cannot withdraw

    Only the whitelisted proposers can publish state roots on L1, so in the event of failure the withdrawals are frozen.

    Rollup stageHoneypot (Cartesi)Honeypot (Cartesi) is a
    Stage 0
    Appchain
    Optimistic Rollup.

    Learn more about Rollup stages
    Please keep in mind that these stages do not reflect rollup security, this is an opinionated assessment of rollup maturity based on subjective criteria, created with a goal of incentivizing projects to push toward better decentralization. Each team may have taken different paths to achieve this goal.
    Data availability

    All transaction data is recorded on chain

    All executed transactions are submitted to an on chain smart contract. The execution of the rollup is based entirely on the submitted transactions, so anyone monitoring the contract can know the correct state of the rollup chain.

    1. InputBox.sol#30 - Etherscan source code, addInput function
    Learn more about the DA layer here: Ethereum logoEthereum
    State derivation
    Node software

    The Cartesi node software source code can be found here.

    Compression scheme

    No compression is used.

    Genesis state

    The genesis state is derived from the Honeypot Cartesi Machine template, which can be found within the Honeypot server Docker image at /var/opt/cartesi/machine-snapshots/0_0. Alternatively, it is possible to recreate it by following the build procedure outlined in the Honeypot GitHub Repository.

    Data format

    The reference implementation for ERC20 deposits can be found here. To learn about the withdrawal request format, please refer to the documentation here.

    State validation
    No state validation

    Ultimately, Cartesi DApps will use interactive fraud proofs to enforce state correctness. This feature is currently in development and the Honeypot DApp permits invalid state roots. Since Honeypot is immutable, this feature will not be added to the DApp.

    • Funds can be stolen if an invalid state root is submitted to the system by the configured Authority (CRITICAL).

    1. Authority.sol#L148 - Etherscan source code, submitClaim function
    Operator

    The system has a centralized operator

    The operator is the only entity that can propose blocks. A live and trustworthy operator is vital to the health of the system.

    • MEV can be extracted if the operator exploits their centralized position and frontruns user transactions.

    Users can force any transaction

    Because the state of the system is based on transactions submitted on the underlying host chain and anyone can submit their transactions there it allows the users to circumvent censorship by interacting with the smart contract on the host chain directly.

    Withdrawals

    Regular exit

    The user initiates the withdrawal by submitting a regular transaction on this chain. When the block containing that transaction is settled the funds become available for withdrawal on L1. The process of settling a block usually takes several days to complete. Finally the user submits an L1 transaction to claim the funds.

    • Funds can be frozen if the centralized validator goes down. Users cannot produce blocks themselves and exiting the system requires new block production (CRITICAL).

    Permissions
    A dashboard to explore contracts and permissions
    Go to Disco
    Disco UI Banner
    Disco UI BannerExplore in Disco

    Ethereum

    Actors:

    Authority owner 0x79Ec…3861

    The Authority owner can submit claims to the Honeypot DApp.

    Smart contracts
    A dashboard to explore contracts and permissions
    Go to Disco
    Disco UI Banner
    Disco UI BannerExplore in Disco

    Ethereum

    Honeypot 0x0974…C366

    CartesiDApp instance for the Honeypot DApp, responsible for holding assets and allowing the DApp to interact with other smart contracts.

    • This contract can store any token.
    InputBox 0x59b2…c768

    Contract that receives arbitrary blobs as inputs to Cartesi DApps.

    ERC20Portal 0x9C21…a1DB

    Contract that allows anyone to perform transfers of ERC-20 tokens to Cartesi DApps.

    Authority 0x9DB1…C45f

    Simple consensus model controlled by a single address, the owner.

    History 0x3854…FAd9

    Contract that stores claims for Cartesi DApps.

    Value Secured is calculated based on these smart contracts and tokens:

    Generic escrow 0x0974…C366

    Contract storing bounty funds.