Avalanche Bridge

Triaged by HackenProof
Avalanche

The Avalanche Bridge (AB) connects directly to your wallet for fast, cheap, & secure transfers of Ethereum and Bitcoin assets to and from Avalanche.

Note to hackers: Please only test on the testnet bridge at https://bridge.avax-test.network/login (see program rules for details).

In Scope

Target | Type | Severity | Reward
Prod contract addresses: BTC.b (0x152b9d0fdc40c096757f570a51e494bd4b943e50) | Web3 | Critical | Bounty
Prod contract addresses: 1INCH.e (0xd501281565bf7789224523144fe5d98e8b28f267) | Web3 | Critical | Bounty
Prod contract addresses: AAVE.e (0x63a72806098bd3d9520cc43356dd78afe5d386d9) | Web3 | Critical | Bounty
Prod contract addresses: ALPHA.e (0x2147efff675e4a4ee1c2f918d181cdbd7a8e208f) | Web3 | Critical | Bounty
Prod contract addresses: BAT.e (0x98443b96ea4b0858fdf3219cd13e98c7a4690588) | Web3 | Critical | Bounty
Prod contract addresses: BUSD.e (0x19860ccb0a68fd4213ab9d8266f7bbf05a8dde98) | Web3 | Critical | Bounty
Prod contract addresses: COMP.e (0xc3048e19e76cb9a3aa9d77d8c03c29fc906e2437) | Web3 | Critical | Bounty
Prod contract addresses: CRV.e (0x249848beca43ac405b8102ec90dd5f22ca513c06) | Web3 | Critical | Bounty
Prod contract addresses: DAI.e (0xd586e7f844cea2f87f50152665bcbc2c279d8d70) | Web3 | Critical | Bounty
Prod contract addresses: GRT.e (0x8a0cac13c7da965a312f08ea4229c37869e85cb9) | Web3 | Critical | Bounty
Prod contract addresses: LINK.e (0x5947bb275c521040051d82396192181b413227a3) | Web3 | Critical | Bounty
Prod contract addresses: MKR.e (0x88128fd4b259552a9a1d457f435a6527aab72d42) | Web3 | Critical | Bounty
Prod contract addresses: SHIB.e (0x02d980a0d7af3fb7cf7df8cb35d9edbcf355f665) | Web3 | Critical | Bounty
Prod contract addresses: SNX.e (0xbec243c995409e6520d7c41e404da5deba4b209b) | Web3 | Critical | Bounty
Prod contract addresses: SUSHI.e (0x37b608519f91f70f2eeb0e5ed9af4061722e4f76) | Web3 | Critical | Bounty
Prod contract addresses: SWAP.e (0xc7b5d72c836e718cda8888eaf03707faef675079) | Web3 | Critical | Bounty
Prod contract addresses: UMA.e (0x3bd2b1c7ed8d396dbb98ded3aebb41350a5b2339) | Web3 | Critical | Bounty
Prod contract addresses: UNI.e (0x8ebaf22b6f053dffeaf46f4dd9efa95d89ba8580) | Web3 | Critical | Bounty
Prod contract addresses: USDC.e (0xa7d7079b0fead91f3e65f86e8915cb59c1a4c664) | Web3 | Critical | Bounty
Prod contract addresses: USDT.e (0xc7198437980c041c805a1edcba50c1ce5db95118) | Web3 | Critical | Bounty
Prod contract addresses: WBTC.e (0x50b7545627a5162f82a992c33b87adc75187b218) | Web3 | Critical | Bounty
Prod contract addresses: WETH.e (0x49d5c2bdffac6ce2bfdb6640f4f80f226bc10bab) | Web3 | Critical | Bounty
Prod contract addresses: WOO.e (0xabc9547b534519ff73921b1fba6e672b5f58d083) | Web3 | Critical | Bounty
Prod contract addresses: YFI.e (0x9eaac1b23d935365bd7b542fe22ceee2922f52dc) | Web3 | Critical | Bounty
Prod contract addresses: ZRX.e (0x596fa47043f99a4e0f122243b841e55375cde0d2) | Web3 | Critical | Bounty
Prod Bridge Enclave Addresses: Avalanche (0xeb1bb70123b2f43419d070d7fde5618971cc2f8f) | Web3 | Critical | Bounty
Prod Bridge Enclave Addresses: Avalanche (0xf5163f69f97b221d50347dd79382f11c6401f1a1) | Web3 | Critical | Bounty
Prod Bridge Enclave Addresses: Ethereum (0x8eb8a3b98659cce290402893d0123abb75e3ab28) | Web3 | Critical | Bounty
Prod Bridge Enclave Addresses: Bitcoin (bc1q2f0tczgrukdxjrhhadpft2fehzpcrwrz549u90) | Web3 | Critical | Bounty
Testnet bridge front end for testing (http://bridge.avax-test.network/) | Web | Critical | Bounty
Testnet Bridge Enclave Addresses: Avalanche (0x59c35594563fc2c9ebff4cdb905a142d1198daf5) | Web3 | Critical | Bounty
Testnet Bridge Enclave Addresses: Avalanche (0x9a3789061c69e14ca66251afa0e2efca0e04f1a5) | Web3 | Critical | Bounty
Testnet Bridge Enclave Addresses: Ethereum (Rinkeby) (0x0401b67766e88e26b5309ca3f9b5360cf86df658) | Web3 | Critical | Bounty
Testnet Bridge Enclave Addresses: Bitcoin (tb1q8nur2k3xphnsqa5zxgjl7djtkj3ya0gfs96nxk) | Web3 | Critical | Bounty
Testnet contract addresses (subject to change): BTC.b (0x0f2071079315ba5a1c6d5b532a01a132c157ac83) | Web3 | Critical | Bounty
Testnet contract addresses (subject to change): DAI.e (0x2f10b211817694a2fa00c6b5481ac4a95b896643) | Web3 | Critical | Bounty
Testnet contract addresses (subject to change): FAU.e (0xb4e0f6fef81bdfea0856bb846789985c9cff7e85) | Web3 | Critical | Bounty
Testnet contract addresses (subject to change): LINK.e (0x1741b9c475e0861a43b03f984928082ac4f3fb95) | Web3 | Critical | Bounty
Testnet contract addresses (subject to change): USDC.e (0xc20386b7b8dc5d930511261aa789516f96a7eb16) | Web3 | Critical | Bounty
Testnet contract addresses (subject to change): USDT.e (0xbce59d73868899a7b7896b46da20a06f663baf10) | Web3 | Critical | Bounty
Testnet contract addresses (subject to change): WBTC.e (0xa0526df369774af18299deb370d66ae8723804d9) | Web3 | Critical | Bounty
Testnet contract addresses (subject to change): WETH.e (0x7fcdc2c1ef3e4a0bcc8155a558bb20a7218f2b05) | Web3 | Critical | Bounty
Prod bridge front end (reporting only - please test on testnet) (https://bridge.avax.network/) | Web3 | Critical | Bounty
Enclave server (please test on testnet only) | Web | Critical | Bounty
Ava Labs Warden server and blob storage endpoints (please test on testnet only) | Web3 | Critical | Bounty

Out of scope

Target | Type | Severity
Non Ava Labs Warden servers and other infra | Web3 | None

In Scope Vulnerabilities

  • Double minting
  • Under-collateralizing on the Ethereum side
  • Any kind of smart contract authority changes
  • Application level denial-of-service attacks
  • Unauthorized access to Wardens and Enclave servers
  • Unauthorized write to public readable-only cloud storage endpoints
  • Cryptographic vulnerabilities
  • Leaked secrets or credentials
  • Web 2.0 vulnerabilities that undermine normal bridge operation, modify the user interface or can lead to stolen funds

Out of Scope Vulnerabilities

  • Third-party Warden hosts and infrastructure
  • Transaction privacy
  • Social engineering, phishing and scams, including Self-XSS
  • SGX vulnerabilities (unless remotely exploitable with a POC)
  • Discovery of unpublished server IP or service endpoints

Program Rules

  • All Avalanche General program rules apply.
  • For the Avalanche Bridge, you are welcome to report any vulnerabilities you come across during normal interactions with the production Bridge at https://bridge.avax.network/. However, you must only perform security testing and develop PoCs on the testnet Bridge at http://bridge.avax-test.network/.
  • Bounties over $10k will be paid in one-year locked AVAX at the rate calculated based on a weighted average price of AVAX during 90 calendar days preceding the date of the respective validated report.
  • Please note: In cases where the size of the reward exceeds an equivalent of 10,000 USD, Avalanche is entitled to make the payment in one-year locked AVAX at the rate calculated based on a weighted average price of AVAX during the 90 calendar days preceding the date of the respective validated report.