Andrii Stepanov
Marketing Manager

Meet Celestia

Celestia is the modular blockchain powering unstoppable applications with full-stack customizability.

Check Out The Rewards

If you find a vulnerability that fits the bounty rules, you will be rewarded with TIA tokens, based on the severity of the issue:

  • Critical: Up to $750,000 worth of TIA
  • High: Up to $250,000
  • Medium: Up to $50,000
  • Low: Up to $10,000

For each bounty, 25% of the TIA will be unlocked and 75% will be locked for 12 months.

Join The Bounty Hunt

There are two asset types within the scope of this bounty:

  • Protocol
  • Blobstream

Make sure your reports include specific details about the issues to qualify for rewards. Below are the types of vulnerabilities to look for:

Critical Vulnerabilities

Loss of User Funds

  • Theft of funds without a user’s signature.
  • Loss of staking rewards (including slashing or tombstoning) without the validator’s signature.
    • Excludes censoring of validator signatures by a dishonest ≥1/3 of voting power.
    • Excludes network attacks on the validator’s node(s).
    • Excludes consensus liveness violations (i.e., chain halts).

Consensus Violations

  • Consensus safety violations (e.g., chain forks) with <1/3 dishonest voting power, within the unbonding period.
  • Inclusion of valid transactions with out-of-spec side effects that allow minting of TIA or transferring locked, delegated, or staked TIA.
  • Acceptance by full nodes of a badly-encoded block.

High Vulnerabilities

Liveness Issues

  • Consensus liveness violations (i.e., chain halts) with <1/3 dishonest voting power.

Network DoS Attacks (Crash)

  • Crashing an arbitrary node with a single bounded-size message (no larger than the maximum block size).
    • This includes remote resource exhaustion via non-RPC protocols, such as exploiting a nil pointer dereference that can immediately halt a node with no automatic recovery.

Network Partition

  • Eclipse attack on an arbitrary node.
    • Excludes network partitions that require control over the p2p network (including controlling a large number of p2p nodes) or underlying networking infrastructure (e.g., control over bootstrapper nodes).

Supply Chain Attacks

  • Vulnerabilities in the implementation of GitHub security policies for managing releases of source code, pre-built binaries, or Docker images that allow downloading malicious code.
    • Excludes social engineering attacks and phishing.

Medium Vulnerabilities

DoS Attacks (Resource Exhaustion)

  • Remote resource exhaustion via non-RPC protocols.

State Corruption

  • Inclusion of a valid transaction or blob resulting in an EDS (extended data square) or data root that cannot be reconstructed.

Low Vulnerabilities

RPC DoS/Crashes

  • Remote resource exhaustion via RPC methods.

Ready to Join the Bounty Hunt?

If you’re ready to contribute to Celestia’s security, dive into the bounty hunt and start submitting your reports.