Avalanche Protocol

Triaged by HackenProof

Avalanche is an open-source platform for launching highly decentralized applications, new financial primitives, and new interoperable blockchains.

The Avalanche Protocol bug bounty program covers the official Avalanche client (AvalancheGo) and related components.

Until further notice, dependency takeover issues are not accepted as part of this program!

In Scope

Target Type Severity Reward
Protocol Critical Bounty
Protocol Critical Bounty
Protocol Critical Bounty

In-Scope Vulnerabilities

Submissions are not limited to the following list, but it gives an overview of the issues we care about:

  • Stealing or loss of funds
  • Unauthorized transaction
  • Transaction manipulation
  • Price manipulation
  • Fee payment bypass
  • Balance manipulation
  • Violation of Avalanche tokenomics
  • Violation of the Avalanche consensus protocols (Avalanche and Snowman)
  • Privacy violation (below Bitcoin-level privacy)
  • Cryptographic flaws

Out-of-Scope Vulnerabilities

  • Network-level DoS
  • Privacy beyond what Bitcoin offers

All rules in the General Program apply. In addition:

  • Perform testing on a private testnet wherever possible
  • If you discover a potential vulnerability on the production network (mainnet or public testnet), please attempt to validate the finding on a private testnet
  • Please note: In cases where the size of the reward exceeds the equivalent of 10,000 USD, Avalanche is entitled to make the payment in one-year locked AVAX at a rate calculated from the weighted average price of AVAX during the 90 calendar days preceding the date of the respective validated report.