Avalanche Protocol: Program Info

Triaged by HackenProof
Avalanche

Ended 84 days ago

In Scope

Target Type Severity Reward
Protocol Critical Bounty
Protocol Critical Bounty
Protocol Critical Bounty

In-Scope Vulnerabilities

The list is not limited to the following submissions but it gives an overview of what issues we care about:

  • Stealing or loss of funds
  • Unauthorized transaction
  • Transaction manipulation
  • Price manipulation
  • Fee payment bypass
  • Balance manipulation
  • Violation of Avalanche tokenomics
  • Violation of the Avalanche consensus protocols (Avalanche and Snowman)
  • Privacy violation (below Bitcoin level privacy)
  • Cryptographic flaws
  • Remote panic over P2P-layer (NOT USING API AND NOT USING DENIAL-OF-SERVICE ATTACK)

Out-of-Scope Vulnerabilities

  • Denial-of-Service, OOM, or panic on any API exposed by AvalancheGo
  • Network-level Denial-of-Service (TCP/IP/P2P)
  • Misconfigurations of AvalancheGo nodes currently running on the Avalanche Network

All rules in the General Program apply. In addition:

  • Don't violate the privacy of other users, destroy data, etc.
  • Don't defraud or harm Avalanche network or its users during your research; you should make a good faith effort not to interrupt or degrade our services.
  • Don't target the validators' physical security measures, or attempt to use social engineering, spam, distributed denial of service (DDoS) attacks, etc.
  • Initially, report the bug only to us and not to anyone else.
  • Give us a reasonable amount of time to fix the bug before disclosing it to anyone else, and give us adequate written warning before disclosing it to anyone else.
  • In general, please investigate and report bugs in a way that makes a reasonable, good-faith effort not to be disruptive or harmful to our users or us. Otherwise, your actions might be interpreted as an attack rather than an effort to be helpful.
  • Perform testing on a private testnet whenever possible
  • If you discover a potential vulnerability on the production network (mainnet or public testnet), please attempt to validate the finding on a private testnet

Please note: In cases where the size of the reward exceeds an equivalent of 10,000 USD, Avalanche is entitled to make the payment in one-year locked AVAX at the rate calculated based on a weighted average price of AVAX during 90 calendar days preceding the date of the respective validated report