[New Bug Bounty] Citrea Has Launched Bug Bounty With Up to $250,000 Reward Per Critical Vulnerability

Anna Demirska
Marketing Specialist

Meet Citrea

Citrea is the first rollup that enhances the capabilities of Bitcoin blockspace with zero-knowledge technology.

Check Out The Rewards

If you find a vulnerability according to the bounty rules, Citrea will reward you:

  • Low: up to $1,000
  • Medium: up to $3,000
  • High: up to $25,000
  • Critical: up to $250,000

Join The Bounty Hunt

There are 3 targets in scope:

  • Blockchain/DLT
  • Smart Contract
  • Web & Mobile

Make sure your report describes one of these in-scope impacts:

  • Invalid state transition accepted as valid / consensus safety failure
  • Bitcoin-anchoring verification failure
  • Batch Proof break / bypass
  • Light Client Proof split / inconsistent verification
  • Reorg-handling bug (Bitcoin-side or Citrea-side) causing prolonged halt, inconsistent views, or unsafe rollback behavior
  • Direct theft of user funds (including BTC/cBTC) via deposit/withdraw/verification bugs
  • Direct loss of user funds (at-rest or in-motion)
  • Permanent freezing of funds (including bridged funds/assets/messages) due to logic bugs (fixable by upgrade or not)
  • Temporary freezing of funds
  • Protocol insolvency
  • Total network shutdown / critical components unable to operate (system smart contracts, sequencer, full nodes)
  • Role-based access control / pausing logic vulnerabilities
  • Unbounded gas/resource consumption causing severe degradation or halting of critical components (even without theft)
  • Theft of gas
  • Block stuffing for profit / griefing
  • Large-scale griefing disrupting deposits/withdrawals (with no theft other than by the Aggregator)
  • Bugs in layer 0/1/2 network code resulting in unintended smart contract behavior without direct funds at risk
  • Clementine CLI bugs causing wallet loss, incorrect deposit address generation, or withdrawal losses
  • Clementine presigning bugs causing operator reimbursement failures
  • Clementine Tx Sender failures
  • Retrieve sensitive data/files from a running server
  • Taking down the application/website
  • Taking state-modifying authenticated actions on behalf of other users without their interaction
  • Wallet-drain class UI compromise / malicious interactions with an already-connected wallet
  • Injecting or modifying static content on the target application (persistent)
  • Misrepresentation of transaction data in official explorer/bridge views leading to loss-inducing actions
  • Subdomain takeover without already-connected wallet interaction
  • Open redirect
  • Minor correctness issues with no meaningful economic/security impact (non-impactful correctness issues)

To increase your chances of finding a critical bug, read Citrea’s whitepaper here.

Once you’re ready, click here to join the bounty hunt!
