Flow is a decentralized platform that anyone can access, everyone can trust, and no one can censor or block. Flow is the future.
| Target | Type | Severity | Reward |
|---|---|---|---|
| https://github.com/onflow/flow-go/tree/b06c18e6c33e6d6ebb346fe67889df7168a5f1a4 | Smart Contract | Critical | Bounty |
| https://github.com/onflow/crypto/tree/66aafb1becda2147a6afb48ee3176d9d2247eb3a | Smart Contract | Critical | Bounty |
| https://github.com/onflow/cadence/tree/60e6c727c55b5e90a5377a9453003d2859a45b1e | Smart Contract | Critical | Bounty |
| https://github.com/onflow/atree/tree/65ef01bba1413e270c80343ab7e27041e177456e | Smart Contract | Critical | Bounty |
| https://github.com/onflow/ccf/tree/03f3868aa96a2135ba238b5fc9067c56b55e396d | Smart Contract | Critical | Bounty |
| https://github.com/onflow/flow-core-contracts/tree/81b89f94c10988d4194fddbff137ac6798adc57b | Smart Contract | Critical | Bounty |
| https://github.com/onflow/flow-evm-bridge/tree/b32c787631c9c84c548b2e414d87b49fa32b12d8 | Smart Contract | Critical | Bounty |
The following defines the rewards for the Flow protocol and Cadence:

| Severity | Reward | Criteria |
|---|---|---|
| Critical | $100,000 USD | |
| High | $50,000 USD | |
| Medium | $10,000 USD | |
| Low | $1000 USD | |
To qualify for a reward, the vulnerability must fall within our Assets In Scope, comply with our Responsible Disclosure Guidelines, and meet the following criteria:
Flow was built from the ground up with security in mind. Our code, infrastructure, and development methodology help us keep our users safe.
We appreciate and encourage the security researcher community to report potential vulnerabilities in our assets. If you identify a vulnerability, please notify us using the following guidelines.
Things To Do:
Things Not To Do:
We are happy to thank everyone who submits a valid report that helps us improve our security. However, only reports that meet the following eligibility requirements may receive a monetary reward:
Flow Protocol Exclusions: The Flow ecosystem is progressively decentralizing the network by hardening protocol-level security and introducing permissionless nodes. Until then, Flow still relies on protocol-compliant nodes, so bounties are limited to the permissionless node types: only attacks originating from Access and Observer nodes will qualify.
Protocol-level vulnerabilities which are only exploitable through the control of Collection, Consensus, Execution or Verification nodes are excluded.
Web Application Exclusions: The following web application vulnerabilities are excluded from this program:
The Crescendo upgrade introduces major performance improvements and full EVM equivalence. The key areas that underwent significant changes, and the kinds of bugs that could arise in them, are listed below.
Discover Cadence source code and Flow node software source code.
1. Cadence language
2. Cadence contract update mechanism
3. Cadence & EVM runtime environment: privilege elevation or bypassing sandbox protections for file system access controls, services/processes, and restricted memory access.
For example:
4. Privilege elevation/escalation/unauthorized access
5. EVM gateway
6. Onchain data