Celestia is a blockchain network that introduces a modular approach to the design and functionality of blockchains. Unlike traditional blockchains that bundle consensus, data availability, and execution into a single layer, Celestia separates these functions to offer a more scalable and flexible infrastructure.
| Target | Type | Severity | Reward |
|---|---|---|---|
| https://github.com/celestiaorg/celestia-core | Protocol | Critical | Bounty |
| https://github.com/celestiaorg/celestia-app | Protocol | Critical | Bounty |
| https://github.com/celestiaorg/celestia-node | Protocol | Critical | Bounty |
| https://github.com/celestiaorg/go-header | Protocol | Critical | Bounty |
| https://github.com/celestiaorg/rsmt2d | Protocol | Critical | Bounty |
| https://github.com/celestiaorg/nmt | Protocol | Critical | Bounty |
| https://github.com/celestiaorg/go-square | Protocol | Critical | Bounty |
| https://github.com/celestiaorg/go-fraud | Protocol | Critical | Bounty |
| https://github.com/klauspost/reedsolomon | Protocol | Critical | Bounty |
| https://github.com/celestiaorg/blobstream-contracts (Blobstream) | Other | Critical | Bounty |
⚠️ Only the code that directly impacts the Celestia protocol, in the versions referenced in the go.mod of celestia-app and celestia-node, is within scope. Whether or not an issue in this repo is within scope will be determined by the Celestia Foundation in its sole discretion. ⚠️
- Loss of User Funds
- Consensus Violations
- Liveness
- Network DoS Attacks (Crash)
- Network Partition
- Supply Chain Attacks
- DoS Attacks (Resource Exhaustion)
- State Corruption
- RPC DoS/Crashes
The following components are out of scope for the bounty program:
For each bounty, 25% of the TIA will be unlocked and 75% will be locked for 12 months.
DO NOT CREATE A GITHUB ISSUE to report a security problem.
Instead, please use the HackenProof bug bounty program. Provide a helpful title, a detailed description of the vulnerability, and an exploit proof-of-concept. Speculative submissions without a proof-of-concept will be closed with no further consideration.
Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
Expect a response as fast as possible in the advisory, typically within 72 hours.
If you do not receive a response from HackenProof, send an email to [email protected] with the full URL of the advisory you have created. DO NOT include attachments or provide detail sufficient for exploitation regarding the security issue in this email. Only provide such details in the advisory.