Bug bounties have a trust problem. The developer patches the bug, the PR merges, and then they wait. Maybe forever. The organization controls the escrow. The payout depends on a committee deciding the fix was complete, the vulnerability was real, and the payout tier is correct. None of that is verifiable by anyone except the people holding the keys.

Discreet Log Contracts (DLCs) fix this — in theory. Lock funds into a contract where an oracle signs the release condition. The oracle can't lie because the signature is public and verifiable against its key. No committee, no discretion. The moment the condition is met, the adaptor signature unlocks the output.

The missing piece was a practical oracle that maps real-world GitHub events to DLC-compatible attestations. I built one. Here's how it works and how to wire it up.

What pow-attest does

attest.powforge.dev is a Schnorr attestation oracle. You register a bounty with a GitHub condition (github_pr_merged or github_issue_closed). The oracle hands back an announcement that includes the oracle's public key, a nonce, and the outcome hash for the RELEASED state. You use those to construct a DLC where the counterparty's funds are locked to a contract execution transaction (CET) that only spends if the oracle signs RELEASED.
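The announcement fields are enough to compute, before any attestation exists, the point that the RELEASED CET's adaptor signature is locked to. The sketch below is an added example, not pow-attest's code: it assumes a BIP340-style challenge hash and SHA-256("RELEASED") as the outcome hash, and the key and nonce values and all function names are constructed for illustration.

```python
import hashlib

P = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt):  # double-and-add; not constant time, demonstration only
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def lift_x(x):  # BIP340 convention: the even-Y point with this x coordinate
    y = pow((x**3 + 7) % P, (P + 1) // 4, P)
    return (x, y if y % 2 == 0 else P - y)

def challenge(r_x, p_x, msg):  # tagged hash e = H(R || P || m), as in BIP340
    tag = hashlib.sha256(b"BIP0340/challenge").digest()
    data = tag * 2 + r_x.to_bytes(32, "big") + p_x.to_bytes(32, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def even_key(d):  # negate the secret if its public point has odd Y
    pt = mul(d, G)
    return (d, pt) if pt[1] % 2 == 0 else (N - d, (pt[0], P - pt[1]))

def anticipation_point(pub_x, nonce_x, outcome_hash):  # contract side: S = R + e*P
    return add(lift_x(nonce_x), mul(challenge(nonce_x, pub_x, outcome_hash), lift_x(pub_x)))

def attest(d, k, outcome_hash):  # oracle side: s = k + e*d, published on the event
    (d, pub), (k, nonce) = even_key(d), even_key(k)
    return (k + challenge(nonce[0], pub[0], outcome_hash) * d) % N

# Constructed demo secrets and outcome encoding (assumptions, not pow-attest values)
SK, K = 0x1F1E1D1C1B1A19181716151413121110, 0x2F2E2D2C2B2A29282726252423222120
RELEASED = hashlib.sha256(b"RELEASED").digest()
```

The attestation scalar s is the discrete log of the anticipation point (s·G = S), which is why publishing it completes the adaptor signature on the RELEASED CET and no other. Each announced nonce must back exactly one attestation: two attestations under the same nonce let anyone solve for the oracle's private key.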