Celestia: Program info

⚠️Only the code that directly impacts the celestia protocol in the versions referenced in the go.mod of celestia-app and celestia-node are within scope. Whether or not an issue in this repo is within scope will be determined by the Celestia Foundation in its sole discretion.⚠️

Vulnerability Categories

Critical: Up to $750k in TIA tokens

Loss of User Funds

• Theft of funds without user signature
• Loss of staking rewards (including, but not limited, to slashing or tombstoning) without validator signature
• Excludes censoring of validator signatures by a dishonest ≥1/3 of voting power
• Excludes network attacks on the validator’s node(s)
• Excludes consensus liveness violations (i.e. chain halts)

Consensus Violations

• Consensus safety violation (i.e. chain fork) with < 1/3 dishonest voting power, within the unbonding period
• Inclusion of valid transaction(s) with the out-of-spec side effect that allows minting of TIA or transferring locked, delegated, or staked TIA
• Acceptance by full nodes of a badly-encoded block

High: Up to $250k in TIA tokens

Liveness

• Consensus liveness violation (i.e. chain halt) with < 1/3 dishonest voting power

Network DoS Attacks (Crash)

• Crashing an arbitrary node with a single bounded-size message each (no more than maximum block size)
  • i.e. Remote resource exhaustion via non-RPC protocols such as exploiting a nil pointer dereference that can immediately halt a node without any automatic recovery

Network Partition

• Eclipse attack on an arbitrary node
  • Excludes network partitions that require control of the p2p network (including, but not limited to, control over a large number of p2p nodes) or underlying networking infrastructure (including, but not limited to, control of bootstrapper nodes)

Supply Chain Attacks

• Attacks that identify gaps in the implementation of Github security policies for managing releases of source code, pre-built binaries, or docker images, that allow downloading malicious code
• Excludes social attacks and phishing attacks

Medium: Up to $50k in TIA tokens

DoS Attacks (Resource Exhaustion)

• Remote resource exhaustion via non-RPC protocols.

State Corruption

• Inclusion of a valid transaction or blob that results in an EDS or data root that is not reconstructable

Low: Up to $10k in TIA tokens

RPC DoS/Crashes

• Remote resource exhaustion via RPC methods.

Out of Scope:

The following components are out of scope for the bounty program:

• Any DDoS attack
• Any metrics, logging, or tracing, such as Grafana, Prometheus, etc.
• Any infrastructure for running nodes
• Any encrypted credentials, auth tokens, etc. checked into version control
• Bugs in dependencies other than those explicitly listed. Please take them upstream!
• Attacks that require social engineering
• Attacks that require network partitions (but not network partitions themselves, see above)
• Attacks that require physical access
• Any asset whose source code does not exist in the in-scope repositories
• Any bugs caused by user, intentionally or by error

**For each bounty, 25% of the TIA will be unlocked and 75% will be locked for 12 months.

• When testing for possible bugs please adhere to the following:
• Stay within the defined scope of the program and only perform testing within the program scope.
• Do not damage or restrict the availability of products, services, or infrastructure
• Do not compromise any personal data
• Do not cause interruption or degradation of any service
• Don’t access or modify other user data, instead localize all tests to your accounts
• Do not test against mainnet, instead use testnets and local devnets
• Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam
• Don’t spam forms or account creation flows using automated scanners
• Do not use web application scanners for automatic vulnerability searching which generates massive traffic, as web properties are out of scope for this program.
• In that case where you find a vulnerability that qualifies for multiple categories/severities, please only submit it once for the highest category/severity, as we will only pay for the highest category/severity.
• Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized representative of the Celestia Foundation without appropriate permission
• In case that your findings is valid you will be asked for KYC verification to proceed with payments
• For more information, check: https://docs.celestia.org/