'%3e%3cpath%20d='M12.4997%201.33325C10.39%201.33325%208.32772%201.95884%206.5736%203.13091C4.81947%204.30298%203.4523%205.96888%202.64496%207.91796C1.83763%209.86704%201.62639%2012.0118%202.03797%2014.0809C2.44955%2016.15%203.46545%2018.0506%204.95721%2019.5424C6.44897%2021.0342%208.34959%2022.0501%2010.4187%2022.4616C12.4878%2022.8732%2014.6326%2022.662%2016.5816%2021.8546C18.5307%2021.0473%2020.1966%2019.6801%2021.3687%2017.926C22.5408%2016.1719%2023.1663%2014.1096%2023.1663%2011.9999C23.1663%209.17094%2022.0425%206.45783%2020.0422%204.45745C18.0418%202.45706%2015.3287%201.33325%2012.4997%201.33325ZM12.4997%2021.3333C10.6537%2021.3333%208.84922%2020.7859%207.31436%2019.7603C5.7795%2018.7347%204.58322%2017.2771%203.8768%2015.5716C3.17039%2013.8662%202.98555%2011.9896%203.34568%2010.1791C3.70581%208.36859%204.59473%206.70554%205.90002%205.40025C7.20531%204.09496%208.86835%203.20605%2010.6788%202.84592C12.4893%202.48579%2014.3659%202.67063%2016.0714%203.37704C17.7768%204.08346%2019.2345%205.27974%2020.2601%206.8146C21.2856%208.34945%2021.833%2010.154%2021.833%2011.9999C21.833%2014.4753%2020.8497%2016.8492%2019.0993%2018.5996C17.349%2020.3499%2014.975%2021.3333%2012.4997%2021.3333Z'%20fill='white'/%3e%3cpath%20d='M19.167%208.06667C19.042%207.9425%2018.8731%207.8728%2018.697%207.8728C18.5208%207.8728%2018.3519%207.9425%2018.227%208.06667L10.8269%2015.4333L6.82695%2011.4333C6.70495%2011.3016%206.53562%2011.2237%206.35621%2011.2169C6.1768%2011.21%206.00201%2011.2747%205.87028%2011.3967C5.73856%2011.5187%205.66069%2011.688%205.65382%2011.8674C5.64694%2012.0468%205.71162%2012.2216%205.83362%2012.3533L10.8269%2017.3333L19.167%209.01333C19.2294%208.95136%2019.279%208.87762%2019.3129%208.79638C19.3467%208.71514%2019.3642%208.62801%2019.3642%208.54C19.3642%208.45199%2019.3467%208.36485%2019.3129%208.28361C19.279%208.20237%2019.2294%208.12864%2019.167%208.06667Z'%20fill='white'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2790_31187'%3e%3crect%20width='24'%20height='24'%20fill='white'%20transform='translate(0.5)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
Bug bounty 
Aptos is a next-generation Layer 1 blockchain. Aptos’ breakthrough technology and programming language, Move, are designed to evolve, improve performance and strengthen user safeguards.
The Aptos Foundation ("Aptos", "we", or "us") welcomes feedback from security researchers and the general public to help improve the security of the Aptos Network, and, at its sole discretion, offers bounty rewards ("Rewards") for security reports that identify previously unknown, in-scope security vulnerabilities.
| Target | Type | Severity | Reward |
|---|---|---|---|
https://github.com/aptos-labs/keyless-zk-proofs  Copy  Copied | Code | Critical | Bounty |
Copied Focus Area
Keyless
Keyless accounts on the Aptos blockchain enable account management using OpenID Connect (OIDC) identities (e.g., Google or Apple accounts) rather than traditional cryptographic keys.
Keyless accounts leverage OIDC protocols and zero-knowledge proofs (ZKPs) to provide a secure mechanism for account authentication and transaction signing without directly exposing or requiring cryptographic key handling by users. This approach is designed to maintain security and privacy while simplifying integration with existing identity providers.
For a broad overview of how keyless accounts work, see our zkSummit'11 Aptos Keyless slides and video.
For a more detailed view, refer to our "How keyless works" documentation.
For an in-depth view, see the initial Aptos Improvement Proposals (AIPs) describing keyless:
- AIP-61: Keyless accounts
- AIP-67: JWK consensus
- AIP-75: Prover service
- AIP-81: Pepper service - AIP-96: Federated Keyless has been deployed
- AIP-108: "Audless" Federated Keyless will be deployed in the future
Components
The discussion below assumes some familiarity with how keyless works.
ZK circuit
Keyless accounts leverage a ZKP to prove the satisfiability of a complex relation, dubbed “the keyless relation” (see AIP-61). However, state-of-the-art ZKPs with efficient verifiers and practical proving times require the relation to be described as a so-called rank-1 constraint system (R1CS). This requires implementing the keyless relation in a domain-specific language (DSL) that compiles down to R1CS (e.g., circom).
Pepper service
Keyless blockchain addresses are cryptographic commitments to the user’s OIDC identity (e.g., their email address) and the application’s identity (e.g., the OAuth client_id). To ensure these commitments are hiding, they are blinded using a random blinding factor, called a pepper.
Since the goal of keyless accounts is for users to not have to remember anything, a pepper service (AIP-81) helps users remember their pepper. Specifically, users can authenticate to this service (also) using a valid JWT and the service can (re)compute their pepper for them.
Prover service
The Aptos Keyless deployment includes a prover service (AIP-75) that helps users quickly compute their ZKPs, which are necessary to transact.
The prover service helps users maintain privacy from the blockchain, since the ZKP leaks nothing about the user-and-application identifiers, nor the pepper.
Currently, the user does not maintain their privacy from the prover service, which does learn the user-and-application identifiers and the pepper.
Training wheels (TW)
Training wheels (TW) mode (AIP-61, AIP-75) is a security extension which is currently enabled on the ZK prover service to mitigate against bugs in the ZK circuit implementation.
When enabled, all keyless transactions are required to have a training wheels signature over their ZKPs from the prover service. This ensures that the prover service always verifies the keyless relation manually before computing a ZKP, thereby vouching for the existence of a valid witness and thus preventing attackers from exploiting ZK circuit bugs by constructing a malicious witness.
If the prover service is offline with the training wheels feature enabled, then users with expired ZKPs could temporarily lose access to their keyless accounts.
Threat Model
Definitions
Integrity: Guarantees that only the owner of the OIDC account behind a keyless account can transact on behalf of that keyless account.
Privacy: Privacy guarantees are two-fold.
On one hand, when keyless users sign into their OIDC accounts, a passive OIDC provider (e.g., Google) must not learn the user's keyless blockchain address nor their transaction activity.
On the other hand, a user’s keyless transaction should not leak the user's OIDC identifier (e.g., the JWT’s sub or email) nor the application's identifier. Naturally, this presumes that the application cannot be implicitly-identified from the transaction payload (e.g., the Move contracts being called).
Availability: Availability guarantees that the owning user of a keyless account can always transact and access their account, of course under the assumptions that (1) the OIDC provider is online, (2) the blockchain is live and, if training wheels are on, (3) the prover service is online.
Attacks
Assuming that (1) the keyless validation logic on the blockchain is sound and (2) the MPC ceremony for the ZKP has been done securely, our discussion focuses on what can go wrong in any of the following:
- the ZK circuit
- the pepper service
- the prover service
- the training wheels mode
To compromise a keyless account, an attacker must do all of the following:
- identify a soundness bug in the ZK circuit such that an attacker can create a proof for a statement without possessing a valid witness for the keyless relation (see AIP-61)
- depending on the circuit soundness bug, the attacker may also need to exfiltrate the victim user’s pepper
- e.g., the ZK bug may be such that the witness still needs to contain the correct pepper
- identify a bug in the training wheels (TW) protection implemented on the prover service
- e.g., exfiltrate the TW SK, or trick the prover service into providing a training wheels signature over a forged ZKP
To break privacy, an attacker must do any of the following:
- obtain the victim user's peppers
- e.g., exfiltrate the SK of the pepper service
- identify a bug in the prover service such that the ZKP ends up leaking information about the secret witness
- e.g., force the service to always use the same randomness when computing proofs
- e.g., gain read-only access to the prover service’s memory and dump all proving requests and their secret witnesses
Notes on the pepper service
The pepper service is trusted to secure its secret key. Otherwise, an attacker in possession of this key can unblind keyless addresses by brute forcing their otherwise low-entropy user identifier and application identifier.
The pepper service is NOT trusted for security of the keyless account. In other words, a malicious pepper service on its own cannot take over a user's keyless account (i.e., not without exploiting a circuit bug and breaking the training wheels). For example, while the pepper service receives a user's JWT in order to authenticate the user before giving them their pepper, it does NOT receive the user's ephemeral secret key (ESK) and therefore cannot steal the user's keyless account.
However, currently, the pepper service is trusted with privacy. For example, the pepper service could perform the brute-forcing attack described above and unblind keyless addresses. But, it is (for now) trusted not to.
As is, the pepper service incidentally happens to serve as an additional layer of security against a large class of soundness bugs in the ZK circuit implementation. For example, even if an attacker can forge a ZKP without having a valid JWT for a keyless address, the attacker would still need the victim user's pepper, which it can only get from the pepper service in exchange for a valid JWT, which it does not have.
Notes on the prover service with training wheels enabled
The prover service is trusted to secure its training wheels secret key (TW SK). Otherwise, an attacker who is in possession of this key and identified a circuit soundness bug may be able to steal user funds (depending on whether the soundness bug affects the keyless address derivation from the pepper).
The prover service is trusted with privacy. The prover service receives the user's secret witness (e.g., the JWT, the pepper), learning who the user is and which keyless dapp they are using. For now, the prover service is trusted to not reveal this information.
Rewards
Rewards are calculated based on the severity of the impact that the identified vulnerability would have on Aptos Keyless users. The following severity classifications include sample impacts per criticality, and potential Reward ranges. Aptos Foundation retains sole discretion to determine the severity classification of reported vulnerabilities and the amount of any Reward.
Critical
- Account compromise / loss of funds: up to $1,000,000
High
- Bypassing Training Wheels, enabling fraudulent zero-knowledge proofs (ZKPs) to be accepted without proper validation: up to $100,000
- Exploiting a ZK circuit vulnerability, allowing incorrect proof generation: up to $50,000
- Compromising the pepper service’s secret key, allowing attackers to deanonymize keyless users or link them to blockchain addresses: up to $50,000
Medium
- Leak of peppers for registered user(s) on-chain: up to $10,000
- Denial-of-service (DoS) attack on the prover service, preventing keyless users from generating valid ZKPs for transactions: up to $5,000
If you identify a security vulnerability impacting Aptos Keyless that does not fall under any of the above categories, we encourage you to report it for further analysis and we will consider a Reward as appropriate and within our sole discretion. Security issues impacting the Aptos Keyless having a root cause in external code dependencies are also in-scope for the program.
Program Rules
To be eligible for a Reward, you are required to:
- Play by the rules, including following these Rules and any other relevant agreements. If there is any inconsistency or conflict between these Rules and any other applicable terms, the applicable terms of these Rules will prevail;
- Submit an in-scope vulnerability as detailed above;
- Include detailed information and clear steps to reproduce the issue. Vulnerabilities must be reproducible using the code currently in scope for the Program, based on the current mainnet configuration, and must affect features that are either enabled or are set to be enabled via a governance proposal;
- Avoid any testing on live systems serving mainnet, testnet or devnet; all testing must be done locally;
- Report any vulnerability within 24 hours from discovery;
- Avoid disrupting our systems, destroying data, and/or harming users;
- Only use this platform to report and discuss vulnerability information with us;
- Provide us a reasonable amount of time to resolve the issue;
- Limit the data you access to the minimum required to effectively demonstrate a Proof of Concept in circumstances where a vulnerability provides unintended access to private data or secrets;
- Vulnerabilities based on social engineering or network Denial of Service (DoS) attacks are considered out of scope and are not eligible for Rewards under this program;
- Not engage in extortion.
Duplicate Reports
Rewards for duplicate reports will be split among reporters with first to report taking priority using the following equation:
R: total reports
ri: report priority
bi: bounty share
bi = 2 ^ (R - ri) / ((2 ^ R) - 1)
Where report priority derives from the set of integers beginning at 1, where the first reporter has ri = 1, the second reporter ri = 2, and so forth.
Note, reports that come in after the issue has been fully triaged and resolved will not be eligible for a Reward..
Disclosure and guidelines
Do not discuss or disclose any vulnerabilities, even resolved ones, outside of this Program without the Aptos Foundation’s written consent.
Eligibility and Coordinated Disclosure
You ARE NOT eligible to participate in the Program if you are:
- A "Restricted Person" as defined in the Aptos Foundation Terms of Use. To receive a Bounty, you will be required to complete an identity verification process to confirm that you are not a Restricted Person.
- Under the age of 16. If you are at least 16 years old but are considered a minor in your place of residence, you must obtain your parent's or legal guardian's permission prior to participating in this Program.
- Currently an employee or provide services to the Aptos Foundation or are a former employee or provided services to the Aptos Foundation within the last 12 months of your submitted security report.
- Employed by an entity that does not allow you to participate in the Program.
To receive a Reward, you will have to enter into an Agreement with Aptos Foundation and provide required information, which may include identity verification information and tax information or forms, such as a W-9 or W-8 for U.S. residents or citizens.
Rewards are managed by Aptos Foundation and are denominated in United States Dollars (USD). Rewards may be paid partially or fully in digital assets at the sole discretion of Aptos Foundation. If you receive digital assets as part of your Reward, the value of the digital assets in USD will be determined at the time you execute your Agreement with Aptos Foundation and after you have satisfied all eligibility criteria. Token-based rewards may be subject to a lock-up period.
Getting Started
Rewards '%3e%3cpath%20d='M3%2021H24V24H0V0H3V21ZM6.75%2019.5C6.44587%2019.5006%206.14477%2019.4396%205.8649%2019.3205C5.58502%2019.2015%205.33219%2019.027%205.12167%2018.8075C4.91115%2018.588%204.74731%2018.3281%204.64006%2018.0435C4.5328%2017.7589%204.48436%2017.4555%204.49766%2017.1517C4.51095%2016.8478%204.58571%2016.5498%204.71741%2016.2757C4.84911%2016.0015%205.03502%2015.7569%205.2639%2015.5567C5.49279%2015.3564%205.7599%2015.2046%206.0491%2015.1105C6.3383%2015.0164%206.64358%2014.9818%206.9465%2015.009L9.3645%2010.9785C9.1434%2010.639%209.0181%2010.246%209.00182%209.84115C8.98554%209.43629%209.07888%209.03455%209.272%208.67835C9.46512%208.32215%209.75084%208.02471%2010.099%207.81743C10.4472%207.61016%2010.8448%207.50074%2011.25%207.50074C11.6552%207.50074%2012.0528%207.61016%2012.401%207.81743C12.7492%208.02471%2013.0349%208.32215%2013.228%208.67835C13.4211%209.03455%2013.5145%209.43629%2013.4982%209.84115C13.4819%2010.246%2013.3566%2010.639%2013.1355%2010.9785L15.5535%2015.009C15.6682%2014.9987%2015.7836%2014.9977%2015.8985%2015.006L19.8915%208.019C19.6046%207.59868%2019.4686%207.0935%2019.5058%206.58594C19.543%206.07837%2019.7511%205.59841%2020.0963%205.22442C20.4415%204.85043%2020.9032%204.60449%2021.4062%204.52678C21.9091%204.44906%2022.4236%204.54415%2022.8655%204.79653C23.3075%205.0489%2023.6508%205.44364%2023.8395%205.91631C24.0281%206.38897%2024.051%206.91163%2023.9043%207.39896C23.7576%207.88628%2023.45%208.30948%2023.0317%208.59945C22.6135%208.88942%2022.1093%209.02903%2021.6015%208.9955L17.6085%2015.9825C17.8379%2016.319%2017.9717%2016.7114%2017.9956%2017.118C18.0195%2017.5245%2017.9326%2017.9299%2017.7442%2018.291C17.5558%2018.652%2017.2729%2018.9552%2016.9258%2019.1681C16.5786%2019.381%2016.1802%2019.4957%2015.7729%2019.4999C15.3657%2019.5041%2014.965%2019.3978%2014.6134%2019.1922C14.2619%2018.9865%2013.9728%2018.6893%2013.7769%2018.3323C13.581%2017.9753%2013.4857%2017.5717%2013.5011%2017.1648C13.5165%2016.7578%2013.6421%2016.3627%2013.8645%2016.0215L11.4465%2011.991C11.3158%2012.0031%2011.1842%2012.0031%2011.0535%2011.991L8.6355%2016.0215C8.85679%2016.3611%208.98226%2016.7541%208.99864%2017.159C9.01503%2017.564%208.92172%2017.9659%208.72858%2018.3222C8.53544%2018.6785%208.24963%2018.9761%207.90137%2019.1834C7.5531%2019.3907%207.1553%2019.5001%206.75%2019.5Z'%20fill='%23050505'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2777_6507'%3e%3crect%20width='24'%20height='24'%20fill='white'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
Stats 
Types'%3e%3cpath%20d='M16%208.10685L12.0364%2013.0212L10.5818%2012.0459L13.7745%208.10685L10.5818%204.16784L12.0364%203.19254L16%208.10685ZM5.69273%204.16784L3.96364%203.19254L0%208.10685L3.96364%2013.0212L5.69273%2012.0459L2.5%208.10685L5.69273%204.16784ZM5.5%2015.1069L7.23091%2015.6069L10.9909%201L9.26%200.5L5.5%2015.1069Z'%20fill='%23050505'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2689_5375'%3e%3crect%20width='16'%20height='16'%20fill='white'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
Languages
Project types
Hackers (6) View all
