Avalanche Bridge

Triaged by HackenProof
Avalanche

The Avalanche Bridge (AB) connects directly to your wallet for fast, cheap, & secure transfers of Ethereum and Bitcoin assets to and from Avalanche.

Note to hackers: Please only test on the testnet bridge at https://test.core.app/bridge (see program rules for details).

Until further notice, dependency takeover issues are not accepted as part of this program.

In Scope

Target | Address / URL | Type | Severity | Reward
Prod contract address: BTC.b | 0x152b9d0fdc40c096757f570a51e494bd4b943e50 | Web3 | Critical | Bounty
Prod contract address: 1INCH.e | 0xd501281565bf7789224523144fe5d98e8b28f267 | Web3 | Critical | Bounty
Prod contract address: AAVE.e | 0x63a72806098bd3d9520cc43356dd78afe5d386d9 | Web3 | Critical | Bounty
Prod contract address: ALPHA.e | 0x2147efff675e4a4ee1c2f918d181cdbd7a8e208f | Web3 | Critical | Bounty
Prod contract address: BAT.e | 0x98443b96ea4b0858fdf3219cd13e98c7a4690588 | Web3 | Critical | Bounty
Prod contract address: BUSD.e | 0x19860ccb0a68fd4213ab9d8266f7bbf05a8dde98 | Web3 | Critical | Bounty
Prod contract address: COMP.e | 0xc3048e19e76cb9a3aa9d77d8c03c29fc906e2437 | Web3 | Critical | Bounty
Prod contract address: CRV.e | 0x249848beca43ac405b8102ec90dd5f22ca513c06 | Web3 | Critical | Bounty
Prod contract address: DAI.e | 0xd586e7f844cea2f87f50152665bcbc2c279d8d70 | Web3 | Critical | Bounty
Prod contract address: GRT.e | 0x8a0cac13c7da965a312f08ea4229c37869e85cb9 | Web3 | Critical | Bounty
Prod contract address: LINK.e | 0x5947bb275c521040051d82396192181b413227a3 | Web3 | Critical | Bounty
Prod contract address: MKR.e | 0x88128fd4b259552a9a1d457f435a6527aab72d42 | Web3 | Critical | Bounty
Prod contract address: SHIB.e | 0x02d980a0d7af3fb7cf7df8cb35d9edbcf355f665 | Web3 | Critical | Bounty
Prod contract address: SNX.e | 0xbec243c995409e6520d7c41e404da5deba4b209b | Web3 | Critical | Bounty
Prod contract address: SUSHI.e | 0x37b608519f91f70f2eeb0e5ed9af4061722e4f76 | Web3 | Critical | Bounty
Prod contract address: SWAP.e | 0xc7b5d72c836e718cda8888eaf03707faef675079 | Web3 | Critical | Bounty
Prod contract address: UMA.e | 0x3bd2b1c7ed8d396dbb98ded3aebb41350a5b2339 | Web3 | Critical | Bounty
Prod contract address: UNI.e | 0x8ebaf22b6f053dffeaf46f4dd9efa95d89ba8580 | Web3 | Critical | Bounty
Prod contract address: USDC.e | 0xa7d7079b0fead91f3e65f86e8915cb59c1a4c664 | Web3 | Critical | Bounty
Prod contract address: USDT.e | 0xc7198437980c041c805a1edcba50c1ce5db95118 | Web3 | Critical | Bounty
Prod contract address: WBTC.e | 0x50b7545627a5162f82a992c33b87adc75187b218 | Web3 | Critical | Bounty
Prod contract address: WETH.e | 0x49d5c2bdffac6ce2bfdb6640f4f80f226bc10bab | Web3 | Critical | Bounty
Prod contract address: WOO.e | 0xabc9547b534519ff73921b1fba6e672b5f58d083 | Web3 | Critical | Bounty
Prod contract address: YFI.e | 0x9eaac1b23d935365bd7b542fe22ceee2922f52dc | Web3 | Critical | Bounty
Prod contract address: ZRX.e | 0x596fa47043f99a4e0f122243b841e55375cde0d2 | Web3 | Critical | Bounty
Prod EVM Bridge Enclave Address: Avalanche | 0xeb1bb70123b2f43419d070d7fde5618971cc2f8f | Web3 | Critical | Bounty
Prod BTC Bridge Enclave Address: Avalanche | 0xf5163f69f97b221d50347dd79382f11c6401f1a1 | Web3 | Critical | Bounty
Prod EVM Bridge Enclave Address: Ethereum | 0x8eb8a3b98659cce290402893d0123abb75e3ab28 | Web3 | Critical | Bounty
Prod BTC Bridge Enclave Address: Bitcoin | bc1q2f0tczgrukdxjrhhadpft2fehzpcrwrz549u90 | Web3 | Critical | Bounty
Testnet bridge front end for testing | https://test.core.app/bridge | Web | Critical | Bounty
Testnet EVM Bridge Enclave address: Avalanche | 0x93753a9ea4c9d6eeed9f64ea92e97ce1f5fbaede | Web3 | Critical | Bounty
Testnet Bridge Enclave address: Ethereum (Goerli) | 0x0d90114dfddac9892cd2da88412b15b929680fe8 | Web3 | Critical | Bounty
Testnet Bridge Enclave address: Bitcoin | tb1q8nur2k3xphnsqa5zxgjl7djtkj3ya0gfs96nxk | Web3 | Critical | Bounty
Testnet contract address (subject to change): BTC.b | 0x0f2071079315ba5a1c6d5b532a01a132c157ac83 | Web3 | Critical | Bounty
Testnet contract address (subject to change): DAI.e | 0x2f20537c2f5c57231866de9d0ce33d0681a200d4 | Web3 | Critical | Bounty
Testnet contract address (subject to change): LINK.e | 0x1741b9c475e0861a43b03f984928082ac4f3fb95 | Web3 | Critical | Bounty
Testnet contract address (subject to change): USDC.e | 0xdb84a45a28f019970ec46c8acaf2aa8215d6fe4b | Web3 | Critical | Bounty
Testnet contract address (subject to change): USDT.e | 0xa73c78c12c962e987a8b37f7b2e1e2a5f00f1fe8 | Web3 | Critical | Bounty
Testnet contract address (subject to change): WBTC.e | 0x8a11d879ebe06f475580ea22c5e8cc52772a6872 | Web3 | Critical | Bounty
Testnet contract address (subject to change): WETH.e | 0x678c4c42572ec1c44b144c5a6712b69d2a5d412c | Web3 | Critical | Bounty
Prod bridge front end (reporting only - please test on testnet) | https://core.app/bridge | Web3 | Critical | Bounty
Enclave server (please test on testnet only) | (none listed) | Web | Critical | Bounty
Ava Labs Warden server and blob storage endpoints (please test on testnet only) | (none listed) | Web3 | Critical | Bounty
Testnet Bridge Enclave Address: Avalanche | 0x9a3789061c69e14ca66251afa0e2efca0e04f1a5 | Web3 | Critical | Bounty

Out of scope

Target | Type | Severity
Non Ava Labs Warden servers and other infra | Web3 | None

In Scope Vulnerabilities

  • Double minting
  • Under-collateralizing on the Ethereum side
  • Any kind of smart contract authority changes
  • Application level denial-of-service attacks
  • Unauthorized access to Wardens and Enclave servers
  • Unauthorized write to public readable-only cloud storage endpoints
  • Cryptographic vulnerabilities
  • Leaked secrets or credentials
  • Web 2.0 vulnerabilities that undermine normal bridge operation, modify the user interface or can lead to stolen funds
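
The first two items above (double minting and under-collateralization on the Ethereum side) are invariant violations of a lock-and-mint bridge: each Ethereum deposit may be honoured by at most one mint on Avalanche, and the outstanding supply of every wrapped token must never exceed what the bridge's Ethereum address actually holds. The following is an added example of how a researcher or operator can check those invariants offline; it is not Ava Labs code, and the `Lock`/`Mint` records, the hypothetical transaction ids and the balance snapshot are all constructed for illustration. In practice the same records would be built from ERC-20 `Transfer` logs into the Ethereum enclave address and from mint (`Transfer` from the zero address) logs of the `.e` tokens listed in scope.

```python
"""Offline invariant checks for a lock-and-mint bridge (added example).

Not Ava Labs code: the record shapes and all sample data below are
constructed. A real monitor would derive Lock records from ERC-20 Transfer
logs into the Ethereum bridge address and Mint records from the .e token's
Transfer-from-zero logs on Avalanche.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Lock:
    token: str      # ERC-20 symbol on Ethereum, e.g. "USDC"
    amount: int     # base units
    eth_tx: str     # Ethereum tx that deposited into the bridge address


@dataclass(frozen=True)
class Mint:
    token: str      # wrapped symbol on Avalanche, e.g. "USDC.e"
    amount: int     # base units
    source_tx: str  # Ethereum lock tx this mint claims to honour
    avax_tx: str    # Avalanche tx that performed the mint


def base_symbol(wrapped: str) -> str:
    """'USDC.e' -> 'USDC'. (BTC.b is backed on Bitcoin, not Ethereum.)"""
    return wrapped.rsplit(".", 1)[0]


def find_double_mints(mints):
    """A lock may be honoured by exactly one mint; any later mint that cites
    an already-consumed source tx is a double mint. Returns (first, dup) pairs."""
    first_by_source = {}
    doubles = []
    for m in mints:
        if m.source_tx in first_by_source:
            doubles.append((first_by_source[m.source_tx], m))
        else:
            first_by_source[m.source_tx] = m
    return doubles


def find_unbacked_mints(mints, locks):
    """Mints with no corresponding lock, a different asset than the lock,
    or an amount above what the cited lock deposited."""
    lock_by_tx = {lk.eth_tx: lk for lk in locks}
    unbacked = []
    for m in mints:
        lk = lock_by_tx.get(m.source_tx)
        if lk is None or lk.token != base_symbol(m.token) or m.amount > lk.amount:
            unbacked.append(m)
    return unbacked


def wrapped_supply(mints, burns=None):
    """Net outstanding supply per wrapped token: mints minus burns (unwraps)."""
    supply = defaultdict(int)
    for m in mints:
        supply[m.token] += m.amount
    for token, amount in (burns or {}).items():
        supply[token] -= amount
    return dict(supply)


def check_collateral(supply, collateral):
    """Outstanding supply of each wrapped token must be <= the balance of the
    underlying asset held by the Ethereum bridge address. Returns shortfalls
    as (wrapped, outstanding, held), sorted by token."""
    shortfalls = []
    for wrapped, outstanding in sorted(supply.items()):
        held = collateral.get(base_symbol(wrapped), 0)
        if outstanding > held:
            shortfalls.append((wrapped, outstanding, held))
    return shortfalls


def audit(mints, locks, collateral, burns=None):
    return {
        "double_mints": find_double_mints(mints),
        "unbacked_mints": find_unbacked_mints(mints, locks),
        "undercollateralized": check_collateral(wrapped_supply(mints, burns), collateral),
    }


# Constructed sample data; the tx ids are placeholders, not real transactions.
SAMPLE_LOCKS = [
    Lock("USDC", 1_000_000_000, "0xeth-lock-1"),   # 1,000 USDC (6 decimals)
    Lock("USDC", 500_000_000, "0xeth-lock-2"),     # 500 USDC
    Lock("DAI", 10**21, "0xeth-lock-3"),           # 1,000 DAI (18 decimals)
]
SAMPLE_MINTS = [
    Mint("USDC.e", 1_000_000_000, "0xeth-lock-1", "0xavax-1"),  # honest
    Mint("USDC.e", 500_000_000, "0xeth-lock-2", "0xavax-2"),    # honest
    Mint("USDC.e", 500_000_000, "0xeth-lock-2", "0xavax-3"),    # same lock again: double mint
    Mint("DAI.e", 2 * 10**21, "0xeth-lock-3", "0xavax-4"),      # twice what was locked
    Mint("WETH.e", 10**18, "0xeth-lock-99", "0xavax-5"),        # cites a lock that never happened
]
# Constructed snapshot of the Ethereum bridge address's balances (base units).
SAMPLE_COLLATERAL = {"USDC": 1_500_000_000, "DAI": 10**21, "WETH": 0}


if __name__ == "__main__":
    for finding, items in audit(SAMPLE_MINTS, SAMPLE_LOCKS, SAMPLE_COLLATERAL).items():
        print(finding)
        for item in items:
            print("   ", item)
```

On the sample data `audit` reports one double mint (the second mint citing `0xeth-lock-2`), two unbacked mints (the oversized DAI.e mint and the WETH.e mint with no lock) and a collateral shortfall for all three wrapped tokens. Either finding on real logs is the kind of evidence the program asks for in a report; the collateral check in particular is cheap to run continuously against the listed `.e` contracts and the Ethereum enclave address.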

Out of Scope Vulnerabilities

  • Third-party Warden hosts and infrastructure
  • Transaction privacy
  • Social engineering, phishing and scams, including Self-XSS
  • SGX vulnerabilities (unless remotely exploitable with a PoC)
  • Discovery of unpublished server IP or service endpoints

Program Rules

  • All Avalanche General program rules apply.
  • For the Avalanche Bridge, you are welcome to report any vulnerabilities you come across during normal interactions with the production Bridge at https://core.app/bridge. However, you must only perform security testing and develop PoCs on the testnet Bridge at https://test.core.app/bridge.
  • Bounties over $10k will be paid in one-year locked AVAX at the rate calculated based on a weighted average price of AVAX during the 90 calendar days preceding the date of the respective validated report.
  • Please note: in cases where the size of the reward exceeds the equivalent of 10,000 USD, Avalanche is entitled to make the payment in one-year locked AVAX at the rate calculated based on a weighted average price of AVAX during the 90 calendar days preceding the date of the respective validated report.