Honeypot (Cartesi)
About
Honeypot is an application-specific rollup designed to challenge the security of Cartesi Rollups. It provides a gamified battlefield to incentivize bug hunters to hack the application to obtain the funds locked in the rollup contract.
$149.48 K
0.78%
State validation
None. Currently the system permits invalid state roots. More details in project overview.
Exit window
∞. Users can exit funds at any time because contracts are not upgradeable.
Sequencer failure
Self sequence.
Proposer failure
Cannot withdraw. Only the whitelisted proposers can publish state roots on L1, so in the event of failure the withdrawals are frozen.
- The project calls itself a rollup.
- L2 state roots are posted to Ethereum L1.
- Inputs for the state transition function are posted to L1.
- A source-available node exists that can recreate the state from L1 data. Please note that the L2BEAT team has not verified the validity of the node source code.
- There is no onchain fraud proof system.
- Users’ withdrawals can be censored by the permissioned operators.
- Upgrades executed by actors with more centralized control than a Security Council provide less than 7d for users to exit if the permissioned operator is down or censoring.
- Upgrades unrelated to on-chain provable bugs provide less than 30d to exit.
Fraud proofs are in development
Ultimately, Cartesi DApps will use interactive fraud proofs to enforce state correctness. This feature is currently in development and the Honeypot DApp permits invalid state roots. Since Honeypot is immutable, this feature will not be added to the DApp.
Funds can be stolen if an invalid state root is submitted to the system by the configured Authority (CRITICAL).
All transaction data is recorded on chain
No compression is used.
The genesis state is derived from the Honeypot Cartesi Machine template, which can be found within the Honeypot server Docker image at /var/opt/cartesi/machine-snapshots/0_0. Alternatively, it is possible to recreate it by following the build procedure outlined in the Honeypot GitHub Repository.
The system has a centralized operator
The operator is the only entity that can propose blocks. A live and trustworthy operator is vital to the health of the system.
MEV can be extracted if the operator exploits their centralized position and frontruns user transactions.
Users can force any transaction
Because the state of the system is based on transactions submitted on-chain, and anyone can submit their transactions there, users can circumvent censorship by interacting with the smart contract directly.
Regular exit
The user initiates the withdrawal by submitting a regular transaction on this chain. When the block containing that transaction is finalized, the funds become available for withdrawal on L1. The process of block finalization usually takes several days to complete. Finally, the user submits an L1 transaction to claim the funds. This transaction requires a Merkle proof.
Funds can be frozen if the centralized validator goes down. Users cannot produce blocks themselves and exiting the system requires new block production (CRITICAL).
The system consists of the following smart contracts on the host chain (Ethereum):
CartesiDApp instance for the Honeypot DApp, responsible for holding assets and allowing the DApp to interact with other smart contracts. This contract can store any token.
Contract that receives arbitrary blobs as inputs to Cartesi DApps.
Contract that allows anyone to perform transfers of ERC-20 tokens to Cartesi DApps.
Simple consensus model controlled by a single address, the owner.
Contract that stores claims for Cartesi DApps.
Value Locked is calculated based on these smart contracts and tokens:
Contract storing bounty funds.