[New Bug Bounty] Sui Wallet Has Launched Bug Bounty With Up to $30,000 Reward Per Critical Vulnerability

Alex Horlan
Head of Triage, HackenProof

Meet Sui Wallet by Mysten Labs

At Mysten Labs, we are building critical infrastructure to enable a more decentralized internet.

Check Out The Rewards

If you find a vulnerability according to the bounty rules, Sui Wallet will reward you:

  • Critical: $10,000 – $30,000
  • High: $3,000
  • Medium: $2,000
  • Low: $1,000

Join The Bounty Hunt

Both Code and Web extension are in scope!

Make sure your reports contain info about these incidents:

  • The funds being frozen or locked within the wallet, and otherwise irrecoverable
  • The funds being stolen by an attacker through leaking of the Secret Recovery Phrase or transactions specifically when visiting a webpage
  • Entire set of accounts being irrecoverable using existing flows in the app.


  • Execution of unauthorized system commands
  • Retrieval of sensitive data/files from the server
  • Performing state-altering authenticated actions on behalf of other users without their interaction, such as:
      • Modifying user registration information
      • Altering NFT metadata
  • Seizing control of a subdomain through interaction with an already-connected wallet
  • Direct unauthorized access or theft of user funds
  • Malicious interactions with an already-connected wallet such as:
      • Changing transaction arguments or parameters
      • Substituting contract addresses
      • Submitting malicious transactions
  • Direct theft of user NFTs
  • Injection of malicious HTML or XSS through NFT metadata


  • Seizing control of a subdomain without interaction with an already-connected wallet.
  • Injection or modification of static content on the target application without the use of JavaScript (Persistent), which could include:
      • HTML injection devoid of JavaScript
      • Substitution of existing text with arbitrary content
      • Unrestricted file uploads, and more
  • Alteration of sensitive user details (including modifications to browser local storage) without interaction with an already-connected wallet and requiring only a single user interaction, which could include:
      • Changing a user’s email or password
  • Incorrect disclosure of confidential user information such as:
      • Email addresses
      • Phone numbers
      • Physical addresses


  • Injecting/modifying the static content on the target application without JavaScript (Reflected) such as:
      • Reflected HTML injection
      • Loading external site data
  • Redirecting users to malicious websites (Open Redirect)


  • Taking over broken or expired outgoing links such as social media handles, etc.
  • Temporarily preventing a user from accessing the target site, such as:
      • Locking the victim out of login
      • Cookie bombing, etc.

Once you’re ready, click here to join the bounty hunt!
