[New Bug Bounty] Celestia Foundation Has Launched Bug Bounty With Up to $750k In TIA Tokens Reward Per Critical Vulnerability

Meet Celestia

Celestia is the modular blockchain powering unstoppable applications with full-stack customizability.

Check Out The Rewards

If you find a vulnerability that fits the bounty rules,  you will be rewarded with TIA tokens, based on the severity of the issue:

• Critical: Up to $750,000 worth of TIA
• High: Up to $250,000
• Medium: Up to $50,000
• Low: Up to $10,000

For each bounty, 25% of the TIA will be unlocked and 75% will be locked for 12 months.

Join The Bounty Hunt

There are two asset types within the scope of this bounty:

• Protocol
• Blobstream

Make sure your reports include specific details about the issues to qualify for rewards. Below are the types of vulnerabilities to look for:

Critical Vulnerabilities

Loss of User Funds

• Theft of funds without a user’s signature.
• Loss of staking rewards (including slashing or tombstoning) without the validator’s signature.
  • Excludes censoring of validator signatures by a dishonest ≥1/3 of voting power.
  • Excludes network attacks on the validator’s node(s).
  • Excludes consensus liveness violations (i.e., chain halts).

Consensus Violations

• Consensus safety violations (e.g., chain forks) with <1/3 dishonest voting power, within the unbonding period.
• Inclusion of valid transactions with out-of-spec side effects that allow minting of TIA or transferring locked, delegated, or staked TIA.
• Acceptance by full nodes of a badly-encoded block.

High Vulnerabilities

Liveness Issues

• Consensus liveness violations (i.e., chain halts) with <1/3 dishonest voting power.

Network DoS Attacks (Crash)

• Crashing an arbitrary node with a single bounded-size message (no larger than the maximum block size).
  • This includes remote resource exhaustion via non-RPC protocols, such as exploiting a nil pointer dereference that can immediately halt a node with no automatic recovery.

Network Partition

• Eclipse attack on an arbitrary node.
  • Excludes network partitions that require control over the p2p network (including controlling a large number of p2p nodes) or underlying networking infrastructure (e.g., control over bootstrapper nodes).

Supply Chain Attacks

• Vulnerabilities in the implementation of GitHub security policies for managing releases of source code, pre-built binaries, or Docker images that allow downloading malicious code.
  • Excludes social engineering attacks and phishing.

Medium Vulnerabilities

DoS Attacks (Resource Exhaustion)

• Remote resource exhaustion via non-RPC protocols.

State Corruption

• Inclusion of a valid transaction or blob resulting in an EDS or data root that cannot be reconstructed.

Low Vulnerabilities

RPC DoS/Crashes

• Remote resource exhaustion via RPC methods.ʼ

Ready to Join the Bounty Hunt?

If you’re ready to contribute to Celestia’s security, dive into the bounty hunt and start submitting your reports.

👉 Join the Bounty Hunt Now!