The Avalanche Bridge (AB) connects directly to your wallet for fast, cheap, & secure transfers of Ethereum and Bitcoin assets to and from Avalanche.
Note to hackers: Please only test on the testnet bridge at https://test.core.app/bridge (see program rules for details).
Please note: In cases where the size of the reward exceeds an equivalent of 10,000 USD, Avalanche is entitled to make the payment in one-year locked AVAX at the rate calculated based on a weighted average price of AVAX during 90 calendar days preceding the date of the respective validated report.
In Scope
Target | Type | Severity | Reward |
---|---|---|---|
Prod contract address: BTC.b 0x152b9d0fdc40c096757f570a51e494bd4b943e50 | Web3 | Critical | Bounty |
Prod contract address: 1INCH.e 0xd501281565bf7789224523144fe5d98e8b28f267 | Web3 | Critical | Bounty |
Prod contract address: AAVE.e 0x63a72806098bd3d9520cc43356dd78afe5d386d9 | Web3 | Critical | Bounty |
Prod contract address: ALPHA.e 0x2147efff675e4a4ee1c2f918d181cdbd7a8e208f | Web3 | Critical | Bounty |
Prod contract address: BAT.e 0x98443b96ea4b0858fdf3219cd13e98c7a4690588 | Web3 | Critical | Bounty |
Prod contract address: BUSD.e 0x19860ccb0a68fd4213ab9d8266f7bbf05a8dde98 | Web3 | Critical | Bounty |
Prod contract address: COMP.e 0xc3048e19e76cb9a3aa9d77d8c03c29fc906e2437 | Web3 | Critical | Bounty |
Prod contract address: CRV.e 0x249848beca43ac405b8102ec90dd5f22ca513c06 | Web3 | Critical | Bounty |
Prod contract address: DAI.e 0xd586e7f844cea2f87f50152665bcbc2c279d8d70 | Web3 | Critical | Bounty |
Prod contract address: GRT.e 0x8a0cac13c7da965a312f08ea4229c37869e85cb9 | Web3 | Critical | Bounty |
Prod contract address: LINK.e 0x5947bb275c521040051d82396192181b413227a3 | Web3 | Critical | Bounty |
Prod contract address: MKR.e 0x88128fd4b259552a9a1d457f435a6527aab72d42 | Web3 | Critical | Bounty |
Prod contract address: SHIB.e 0x02d980a0d7af3fb7cf7df8cb35d9edbcf355f665 | Web3 | Critical | Bounty |
Prod contract address: SNX.e 0xbec243c995409e6520d7c41e404da5deba4b209b | Web3 | Critical | Bounty |
Prod contract address: SUSHI.e 0x37b608519f91f70f2eeb0e5ed9af4061722e4f76 | Web3 | Critical | Bounty |
Prod contract address: SWAP.e 0xc7b5d72c836e718cda8888eaf03707faef675079 | Web3 | Critical | Bounty |
Prod contract address: UMA.e 0x3bd2b1c7ed8d396dbb98ded3aebb41350a5b2339 | Web3 | Critical | Bounty |
Prod contract address: UNI.e 0x8ebaf22b6f053dffeaf46f4dd9efa95d89ba8580 | Web3 | Critical | Bounty |
Prod contract address: USDC.e 0xa7d7079b0fead91f3e65f86e8915cb59c1a4c664 | Web3 | Critical | Bounty |
Prod contract address: USDT.e 0xc7198437980c041c805a1edcba50c1ce5db95118 | Web3 | Critical | Bounty |
Prod contract address: WBTC.e 0x50b7545627a5162f82a992c33b87adc75187b218 | Web3 | Critical | Bounty |
Prod contract address: WETH.e 0x49d5c2bdffac6ce2bfdb6640f4f80f226bc10bab | Web3 | Critical | Bounty |
Prod contract address: WOO.e 0xabc9547b534519ff73921b1fba6e672b5f58d083 | Web3 | Critical | Bounty |
Prod contract address: YFI.e 0x9eaac1b23d935365bd7b542fe22ceee2922f52dc | Web3 | Critical | Bounty |
Prod contract address: ZRX.e 0x596fa47043f99a4e0f122243b841e55375cde0d2 | Web3 | Critical | Bounty |
Prod EVM Bridge Enclave Address: Avalanche 0xeb1bb70123b2f43419d070d7fde5618971cc2f8f | Web3 | Critical | Bounty |
Prod BTC Bridge Enclave Address: Avalanche 0xf5163f69f97b221d50347dd79382f11c6401f1a1 | Web3 | Critical | Bounty |
Prod EVM Bridge Enclave Address: Ethereum 0x8eb8a3b98659cce290402893d0123abb75e3ab28 | Web3 | Critical | Bounty |
Prod BTC Bridge Enclave Address: Bitcoin bc1q2f0tczgrukdxjrhhadpft2fehzpcrwrz549u90 | Web3 | Critical | Bounty |
Testnet bridge front end for testing | Web | Critical | Bounty |
Testnet EVM Bridge Enclave address: Avalanche: 0x93753a9ea4c9d6eeed9f64ea92e97ce1f5fbaede | Web3 | Critical | Bounty |
Testnet Bridge Enclave address: Ethereum (Goerli) 0x0d90114dfddac9892cd2da88412b15b929680fe8 | Web3 | Critical | Bounty |
Testnet Bridge Enclave address: Bitcoin tb1q8nur2k3xphnsqa5zxgjl7djtkj3ya0gfs96nxk | Web3 | Critical | Bounty |
Testnet contract address (subject to change): BTC.b 0x0f2071079315ba5a1c6d5b532a01a132c157ac83 | Web3 | Critical | Bounty |
Testnet contract address (subject to change): DAI.e 0x2f20537c2f5c57231866de9d0ce33d0681a200d4 | Web3 | Critical | Bounty |
Testnet contract address (subject to change): LINK.e 0x1741b9c475e0861a43b03f984928082ac4f3fb95 | Web3 | Critical | Bounty |
Testnet contract address (subject to change): USDC.e 0xdb84a45a28f019970ec46c8acaf2aa8215d6fe4b | Web3 | Critical | Bounty |
Testnet contract address (subject to change): USDT.e 0xa73c78c12c962e987a8b37f7b2e1e2a5f00f1fe8 | Web3 | Critical | Bounty |
Testnet contract address (subject to change): WBTC.e 0x8a11d879ebe06f475580ea22c5e8cc52772a6872 | Web3 | Critical | Bounty |
Testnet contract address (subject to change): WETH.e 0x678c4c42572ec1c44b144c5a6712b69d2a5d412c | Web3 | Critical | Bounty |
Prod bridge front end (reporting only - please test on testnet) | Web3 | Critical | Bounty |
Enclave server (please test on testnet only) | Web | Critical | Bounty |
Ava Labs Warden server and blob storage endpoints (please test on testnet only) | Web3 | Critical | Bounty |
Testnet Bridge Enclave Address: Avalanche 0x9a3789061c69e14ca66251afa0e2efca0e04f1a5 | Web3 | Critical | Bounty |
Out of scope
Target | Type | Severity |
---|---|---|
Non Ava Labs Warden servers and other infra | Web3 | None |
In Scope Vulnerabilities
- Double minting
- Under-collateralizing on the Ethereum side
- Any kind of smart contract authority changes
- Application level denial-of-service attacks
- Unauthorized access to Wardens and Enclave servers
- Unauthorized write to public readable-only cloud storage endpoints
- Cryptographic vulnerabilities
- Leaked secrets or credentials
- Web 2.0 vulnerabilities that undermine normal bridge operation, modify the user interface or can lead to stolen funds
Out of Scope Vulnerabilities
- Third-party Warden hosts and infrastructure
- Transaction privacy
- Social engineering, phishing and scams, including Self-XSS
- SGX vulnerabilities (unless remotely exploitable with a POC)
- Discovery of unpublished server IP or service endpoints
Program Rules
- All Avalanche General program rules apply.
- For the Avalanche Bridge, you are welcome to report any vulnerabilities you come across during normal interactions with the production Bridge at https://core.app/bridge. However, you must only perform security testing and develop PoCs on the testnet Bridge at https://test.core.app/bridge.
- Please note: In cases where the size of the reward exceeds an equivalent of 10,000 USD, Avalanche is entitled to make the payment in one-year locked AVAX at the rate calculated based on a weighted average price of AVAX during 90 calendar days preceding the date of the respective validated report.