1. Main
  2. Programs
  3. Avalanche
  4. Avalanche Bridge

Avalanche Bridge

Triaged by HackenProof
Avalanche
Submit report

The Avalanche Bridge (AB) connects directly to your wallet for fast, cheap, & secure transfers of Ethereum and Bitcoin assets to and from Avalanche.

Note to hackers: Please only test on the testnet bridge at https://test.core.app/bridge (see program rules for details).

Please note: In cases where a size the the reward exceeds an equivalent of 10,000 USD, Avalanche is entitled to make the payment in one-year locked AVAX at the rate calculated based on a weighted average price of AVAX during 90 calendar days preceding the date of the respective validated report.

Scope

In Scope

Target Type Severity Reward
Prod contract address: BTC.b

0x152b9d0fdc40c096757f570a51e494bd4b943e50

Web3 Critical Bounty
Prod contract address: 1INCH.e

0xd501281565bf7789224523144fe5d98e8b28f267

 Web3 Critical Bounty
Prod contract address: AAVE.e

0x63a72806098bd3d9520cc43356dd78afe5d386d9

 Web3 Critical Bounty
Prod contract address: ALPHA.e

0x2147efff675e4a4ee1c2f918d181cdbd7a8e208f

 Web3 Critical Bounty
Prod contract address: BAT.e

0x98443b96ea4b0858fdf3219cd13e98c7a4690588

 Web3 Critical Bounty
Prod contract address: BUSD.e

0x19860ccb0a68fd4213ab9d8266f7bbf05a8dde98

 Web3 Critical Bounty
Prod contract address: COMP.e

0xc3048e19e76cb9a3aa9d77d8c03c29fc906e2437

 Web3 Critical Bounty
Prod contract address: CRV.e

0x249848beca43ac405b8102ec90dd5f22ca513c06

 Web3 Critical Bounty
Prod contract address: DAI.e

0xd586e7f844cea2f87f50152665bcbc2c279d8d70

 Web3 Critical Bounty
Prod contract address: GRT.e

0x8a0cac13c7da965a312f08ea4229c37869e85cb9

 Web3 Critical Bounty
Prod contract address: LINK.e

0x5947bb275c521040051d82396192181b413227a3

 Web3 Critical Bounty
Prod contract address: MKR.e

0x88128fd4b259552a9a1d457f435a6527aab72d42

 Web3 Critical Bounty
Prod contract address: SHIB.e

0x02d980a0d7af3fb7cf7df8cb35d9edbcf355f665

 Web3 Critical Bounty
Prod contract address: SNX.e

0xbec243c995409e6520d7c41e404da5deba4b209b

 Web3 Critical Bounty
Prod contract address: SUSHI.e

0x37b608519f91f70f2eeb0e5ed9af4061722e4f76

 Web3 Critical Bounty
Prod contract address: SWAP.e

0xc7b5d72c836e718cda8888eaf03707faef675079

 Web3 Critical Bounty
Prod contract address: UMA.e

0x3bd2b1c7ed8d396dbb98ded3aebb41350a5b2339

 Web3 Critical Bounty
Prod contract address: UNI.e

0x8ebaf22b6f053dffeaf46f4dd9efa95d89ba8580

 Web3 Critical Bounty
Prod contract address: USDC.e

0xa7d7079b0fead91f3e65f86e8915cb59c1a4c664

 Web3 Critical Bounty
Prod contract address: USDT.e

0xc7198437980c041c805a1edcba50c1ce5db95118

 Web3 Critical Bounty
Prod contract address: WBTC.e

0x50b7545627a5162f82a992c33b87adc75187b218

 Web3 Critical Bounty
Prod contract address: WETH.e

0x49d5c2bdffac6ce2bfdb6640f4f80f226bc10bab

 Web3 Critical Bounty
Prod contract address: WOO.e

0xabc9547b534519ff73921b1fba6e672b5f58d083

 Web3 Critical Bounty
Prod contract address: YFI.e

0x9eaac1b23d935365bd7b542fe22ceee2922f52dc

 Web3 Critical Bounty
Prod contract address: ZRX.e

0x596fa47043f99a4e0f122243b841e55375cde0d2

 Web3 Critical Bounty
Prod EVM Bridge Enclave Address: Avalanche

0xeb1bb70123b2f43419d070d7fde5618971cc2f8f

 Web3 Critical Bounty
Prod BTC Bridge Enclave Address: Avalanche

0xf5163f69f97b221d50347dd79382f11c6401f1a1

 Web3 Critical Bounty
Prod EVM Bridge Enclave Address: Ethereum

0x8eb8a3b98659cce290402893d0123abb75e3ab28

 Web3 Critical Bounty
Prod BTC Bridge Enclave Address: Bitcoin

bc1q2f0tczgrukdxjrhhadpft2fehzpcrwrz549u90

 Web3 Critical Bounty
Testnet bridge front end for testing

https://test.core.app/bridge

 Web Critical Bounty
Testnet EVM Bridge Enclave address: Avalanche:

0x93753a9ea4c9d6eeed9f64ea92e97ce1f5fbaede

 Web3 Critical Bounty
Testnet Bridge Enclave address: Ethereum (Goerli)

0x0d90114dfddac9892cd2da88412b15b929680fe8

 Web3 Critical Bounty
Testnet Bridge Enclave address: Bitcoin

tb1q8nur2k3xphnsqa5zxgjl7djtkj3ya0gfs96nxk

 Web3 Critical Bounty
Testnet contract address (subject to change): BTC.b

0x0f2071079315ba5a1c6d5b532a01a132c157ac83

 Web3 Critical Bounty
Testnet contract address (subject to change): DAI.e

0x2f20537c2f5c57231866de9d0ce33d0681a200d4

 Web3 Critical Bounty
Testnet contract address (subject to change): LINK.e

0x1741b9c475e0861a43b03f984928082ac4f3fb95

 Web3 Critical Bounty
Testnet contract address (subject to change): USDC.e

0xdb84a45a28f019970ec46c8acaf2aa8215d6fe4b

 Web3 Critical Bounty
Testnet contract address (subject to change): USDT.e

0xa73c78c12c962e987a8b37f7b2e1e2a5f00f1fe8

 Web3 Critical Bounty
Testnet contract address (subject to change): WBTC.e

0x8a11d879ebe06f475580ea22c5e8cc52772a6872

 Web3 Critical Bounty
Testnet contract address (subject to change): WETH.e

0x678c4c42572ec1c44b144c5a6712b69d2a5d412c

 Web3 Critical Bounty
Prod bridge front end (reporting only - please test on testnet)

https://core.app/bridge

 Web3 Critical Bounty
Enclave server (please test on testnet only)
 Web Critical Bounty
Ava Labs Warden server and blob storage endpoints (please test on testnet only)
 Web3 Critical Bounty
Testnet Bridge Enclave Address: Avalanche

0x9a3789061c69e14ca66251afa0e2efca0e04f1a5

 Web3 Critical Bounty

Out of scope

Target Type Severity
Non Ava Labs Warden servers and other infra
 Web3 None

Focus Area

In Scope Vulnerabilities

  • Double minting
  • Under-collateralizing on the Ethereum side
  • Any kind of smart contract authority changes
  • Application level denial-of-service attacks
  • Unauthorized access to Wardens and Enclave servers
  • Unauthorized write to public readable-only cloud storage endpoints
  • Cryptographic vulnerabilities
  • Leaked secrets or credentials
  • Web 2.0 vulnerabilities that undermines normal bridge operation, modifies the user interface or can lead to stolen funds

Out of Scope Vulnerabilities

  • Third-party Warden hosts and infrastructure
  • Transaction privacy
  • Social engineering, phishing and scams, including Self-XSS
  • SGX vulnerabilities (unless remotely exploitable with a POC)
  • Discovery of unpublished server IP or service endpoints

Program Rules

Program Rules

  • All Avalanche General program rules apply.
  • For the Avalanche Bridge, you are welcome to report any vulnerabilities you come across during normal interactions with the production Bridge at https://core.app/bridge. However, you must only perform security testing and develop PoCs on the testnet Bridge https://test.core.app/bridge .
  • Please note: In cases where a size the the reward exceeds an equivalent of 10,000 USD, Avalanche is entitled to make the payment in one-year locked AVAX at the rate calculated based on a weighted average price of AVAX during 90 calendar days preceding the date of the respective validated report.
Deposit available

Deposit available

This company has funded a bounty deposit, enabling HackenProof to reward approved bug reports ASAP.

Rewards

Range of bounty

$100 - $100,000

Severity

Critical
$10,000 - $100,000
High
$5,000 - $10,000
Medium
$1,000 - $5,000
Low
$100 - $1,000

Stats

$0
2

Categories

Tools DeFi Protocol

Types

web blockchain smart contract

Hackers (15)

View all

Name

Rank

Al Alwardani

1

Mavis

2

toni

3

cyberarmy101

4

SLA
(Service Level Agreement)
Time within which the program's triage team must respond

Response Type

Business days

First Response

3 d

Triage Time

5 d

Reward Time

14 d

Resolution Time

30 d