Bug bounty
Triaged by Hackenproof

gno.land: Program info


Company: NewTendermint
KYC required
This program is active now

gno.land is a next-generation smart contract platform using Gno, an interpreted version of the general-purpose Go programming language. On gno.land, smart contracts can be uploaded on-chain only by publishing their full source code, making it trivial to verify the contract or fork it into an improved version. With a system to publish reusable code libraries on-chain, gno.land serves as the “GitHub” of the ecosystem, with realms built using fully transparent, auditable code that anyone can inspect and reuse.

gno.land addresses many pressing issues in the blockchain space, starting with the ease of use and intuitiveness of smart contract platforms. Developers can write smart contracts without having to learn a new language that’s exclusive to a single ecosystem or limited by design. Go developers can easily port their existing web apps to gno.land or build new ones from scratch, making web3 vastly more accessible.

In scope

Target: https://github.com/gnolang/gno
Type: Code
Severity: Critical
Reward: Bounty

Focus Area

Severity will be determined by NewTendermint based on vulnerability impact, likelihood or complexity of exploitation, and other factors. Researchers may use the Common Vulnerability Scoring System (CVSS) to assist in estimating severity when submitting reports. NewTendermint retains discretion to determine the final severity of an issue.

Some areas of gno.land that we believe researchers should pay particular attention to include:

Determinism in GnoVM

Because gno.land is a blockchain designed for deterministic execution, it is crucial that the GnoVM executes contracts identically on every node. Our goal is to eliminate non-deterministic components of Go, for example by using AVL trees instead of Go maps, whose iteration order is not fixed. However, we may still have lingering issues that could lead to non-deterministic behavior. A prime example is the module in gnovm/pkg/gnolang/values_string.go, which should be carefully reviewed for any such issues.

Why this matters: Non-determinism can lead to chain halts or splits, which could be exploited by attackers.
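To make the map-ordering hazard concrete, here is an added example, written for this page and not code from the gno project, that renders a constructed balance table in two ways: once by walking a Go map directly, and once over sorted keys. The sorted walk is a minimal stand-in for the ordered AVL tree the text mentions; the names sampleBalances, nondeterministicRender, deterministicRender and isStable are assumptions of this example, and the data is constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// sampleBalances returns constructed state: balances keyed by
// address-like strings. Example data only, not from the gno project.
func sampleBalances() map[string]int64 {
	return map[string]int64{
		"g1alice": 100,
		"g1bob":   250,
		"g1carol": 75,
		"g1dave":  10,
	}
}

// nondeterministicRender walks a Go map in its native iteration order.
// Go deliberately varies that order between runs, so two nodes holding
// the same logical state can emit two different strings: a consensus
// hazard if the string ever feeds a hash, an event, or stored state.
func nondeterministicRender(balances map[string]int64) string {
	var sb strings.Builder
	for addr, bal := range balances {
		fmt.Fprintf(&sb, "%s=%d;", addr, bal)
	}
	return sb.String()
}

// deterministicRender yields the same output on every node by sorting
// the keys before walking them. An ordered tree (such as the AVL tree
// the program text mentions) gives the same guarantee without the sort.
func deterministicRender(balances map[string]int64) string {
	keys := make([]string, 0, len(balances))
	for addr := range balances {
		keys = append(keys, addr)
	}
	sort.Strings(keys)
	var sb strings.Builder
	for _, addr := range keys {
		fmt.Fprintf(&sb, "%s=%d;", addr, balances[addr])
	}
	return sb.String()
}

// isStable reports whether fn returns an identical string across n
// calls on freshly built input: a cheap review check for code whose
// output depends on map iteration order.
func isStable(fn func(map[string]int64) string, n int) bool {
	first := fn(sampleBalances())
	for i := 1; i < n; i++ {
		if fn(sampleBalances()) != first {
			return false
		}
	}
	return true
}

func main() {
	fmt.Println("sorted:", deterministicRender(sampleBalances()))
	fmt.Println("sorted output stable across 50 calls:", isStable(deterministicRender, 50))
	fmt.Println("map-order output stable across 50 calls:", isStable(nondeterministicRender, 50))
}
```

The isStable check is probabilistic: a map walk can happen to repeat its order, so a green run does not prove determinism, whereas a single red run proves its absence. When reviewing code such as values_string.go, the question to ask of every range over a map is whether the resulting order can reach consensus-relevant output.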

Other GnoVM Challenges

Gno.land contributor Morgan has detailed some additional areas of concern of the Virtual Machine here: https://github.com/gnolang/gno/issues/2886#issuecomment-2400274812

Security in Realms (Smart Contracts)

Developers deploy smart contracts, called "Realms," to the chain. Malicious Realms could attempt to inject harmful content that could affect other users of the chain, particularly in the Render() function or supporting tools like Gnoweb, which displays Realms to end users.

Potential risk: Cross-site scripting (XSS) and other injection attacks.
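As an added example that is not the project's own code, a minimal Render-style function over a constructed list of posts, shown unescaped beside an escaped version. It is plain Go rather than Gno, and assumes the viewer treats Render output as HTML-capable markup (Gnoweb's actual rendering pipeline is not described here); the post type, RenderUnsafe, RenderSafe and samplePosts are all constructed for this illustration.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// post is a constructed realm-like record whose fields are user supplied.
// Hypothetical shape for this example, not gno's own API.
type post struct {
	Author string
	Body   string
}

// RenderUnsafe interpolates untrusted fields straight into markup that a
// viewer would display. Any markup inside Body survives intact and is
// interpreted by the browser of every user who views the realm.
func RenderUnsafe(posts []post) string {
	var sb strings.Builder
	for _, p := range posts {
		fmt.Fprintf(&sb, "<li><b>%s</b>: %s</li>\n", p.Author, p.Body)
	}
	return sb.String()
}

// RenderSafe escapes every untrusted field, so user content is shown as
// text and never interpreted as markup. html.EscapeString rewrites
// <, >, &, ' and " to their entity forms.
func RenderSafe(posts []post) string {
	var sb strings.Builder
	for _, p := range posts {
		fmt.Fprintf(&sb, "<li><b>%s</b>: %s</li>\n",
			html.EscapeString(p.Author), html.EscapeString(p.Body))
	}
	return sb.String()
}

// samplePosts returns constructed input: one benign post and one whose
// body carries markup, the kind of content a malicious realm or user
// might try to push through Render().
func samplePosts() []post {
	return []post{
		{Author: "alice", Body: "hello, world"},
		{Author: "mallory", Body: `<script>alert("xss")</script>`},
	}
}

func main() {
	fmt.Print("unsafe:\n", RenderUnsafe(samplePosts()))
	fmt.Print("safe:\n", RenderSafe(samplePosts()))
}
```

Escaping at the realm boundary is defense in depth, not a substitute for sanitisation in the viewer: Gnoweb and any other tool that displays Render output still has to treat that string as untrusted, since a realm author may be the attacker.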

Security Risks Found in Other Blockchain VMs

Many blockchain VMs, such as Ethereum’s EVM, have faced high-profile security issues. We expect that similar vulnerabilities could be targeted in the GnoVM, so it’s crucial to audit and mitigate these risks in advance.

Key Management (gnokey)

Although this is a lower priority than the areas above, auditors should review the gnokey package, which handles key generation and signing, to ensure that security best practices are followed; for example, that our Ledger hardware wallet integration with gnokey is built with the correct build flags.

Program Rules

Reporting your vulnerability

  • All bounty submissions must be accompanied by a Proof-of-Concept (PoC).
  • Please ensure that your reports are comprehensive, including reproducible steps. Failure to provide detailed reports may render the issue ineligible for a reward.
  • Please consider the attack scenario, exploitability, and impact of the bug.
  • For vulnerabilities related to personally identifiable information (PII), please specify the type of PII exposed and appropriately redact PII data in your submissions.

Performing your research

  • Hackers must not impact production systems in a negative way during testing.
  • Please submit only one vulnerability per report, unless chaining vulnerabilities is necessary to demonstrate impact.
  • Rewards are reserved for the first reporter of an issue, and are not provided for duplicate findings. Duplication occurs when an issue has either been previously reported externally or identified internally. NewTendermint retains the decision whether to share details of a finding’s history with hackers reporting issues.
  • A single bounty will be awarded for multiple vulnerabilities stemming from one underlying issue.
  • Engaging in social engineering tactics such as phishing, vishing, and smishing is strictly prohibited.
  • Researchers must make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of service. You should interact only with accounts you own.

Out of scope vulnerabilities

The following activities are considered out of scope:

  • Any activity that could lead to the disruption of service (DoS, DDoS). Issues concerning DoS may be submitted, but should not be tested in a fashion resulting in disruption of service.
  • Attacks requiring MITM or physical access to a user's device.
  • Issues that depend on third-party services or out of scope assets.
  • Issues that require unlikely user interaction.

Ownership of Submissions

Intellectual Property Waiver: By submitting reports, findings, or any other materials ("Submissions") to the bounty program, the submitter acknowledges and agrees to waive any and all intellectual property rights, including but not limited to copyright, patent, and trademark rights, to the contents of the Submission. The submitter hereby grants NewTendermint a non-exclusive, perpetual, irrevocable, royalty-free, worldwide license to use, reproduce, modify, adapt, publish, translate, distribute, and display the Submission in any form or medium, whether now known or later developed, for any purpose related to the bounty program or otherwise.

Legal Responsibility for Submissions: The submitter represents and warrants that:

  • The Submission is the submitter's original work, and the submitter has all necessary rights, permissions, and authority to submit the Submission to the bounty program.
  • The Submission does not infringe upon or violate any intellectual property rights, privacy rights, publicity rights, or any other rights of any third party.
  • The Submission does not contain any confidential or proprietary information belonging to any third party.
  • The Submission does not contain any malicious code, viruses, or other harmful components.
  • The Submission does not violate any applicable laws, regulations, or ethical standards.
  • The Submission does not contain any false, misleading, or deceptive information.

Indemnification: The submitter agrees to indemnify, defend, and hold harmless NewTendermint, its affiliates, directors, officers, employees, agents, and representatives from and against any and all claims, demands, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or related to:

  • Any breach or alleged breach of the bounty policy by the submitter.
  • Any third party claim that the Submission or the use of the Submission by NewTendermint infringes upon or violates any intellectual property rights, privacy rights, publicity rights, or any other rights of any third party.
  • Any other act or omission of the submitter in connection with the bounty program.

Safe Harbor: NewTendermint welcomes responsible testing and disclosure practices from the security research community. Any activities conducted in a manner consistent with this policy will be considered authorized conduct and NewTendermint will not initiate legal action against those researchers. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Your effort in keeping the Cosmos ecosystem safe is highly appreciated!

Disclosure Guidelines

  • Please refrain from discussing this program or any identified vulnerabilities, including resolved ones, outside of the program without explicit consent from NewTendermint.
  • We expect all researchers to adhere to the disclosure protocols of the bug bounty platform.

Eligibility and Coordinated Disclosure

Policy

NewTendermint appreciates the time and assistance of security researchers in securing the applications we contribute to.

This policy shall be governed by and construed in accordance with applicable laws and regulations, without giving effect to any principles of conflicts of law. Any dispute, controversy, or claim arising out of or relating to this policy or the breach, termination, enforcement, interpretation, or validity thereof, including the determination of the scope or applicability of this agreement to arbitrate, shall be resolved by binding arbitration in Los Angeles, California, or another location mutually agreed to by the parties. The arbitration shall be administered by ADR Services, Inc. (“ADR Services”) and held before a sole arbitrator. The arbitration shall be binding with no right of appeal. By participating in the bounty program, the submitter agrees to be bound by this policy. NewTendermint reserves the right to modify or update this policy at any time without prior notice. It is the submitter's responsibility to review the policy periodically for any changes.

Rewards paid under this program are subject to certain legal requirements and limitations.

AML/KYC Requirements

Know-Your-Customer (KYC) Verification: Submitters participating in the bug bounty program must undergo a Know-Your-Customer (KYC) identity verification process. This process can be completed either through NewTendermint or through the third-party bounty platform where applicable. KYC verification is necessary to ensure the authenticity of submitters and their eligibility to receive bounty rewards.

Prohibited Jurisdictions: Individuals domiciled in prohibited jurisdictions as defined by OFAC and FATF regulations are ineligible to participate in the bug bounty program.

Eligibility Verification: The identity verification process will verify that submitters are legally eligible to receive bounty rewards. This includes ensuring that submitters are not, for example, legally sanctioned entities or otherwise prohibited from participating in such programs under applicable laws and regulations.

Age Requirement: Submitters must be of legal age to participate in the bug bounty program and receive rewards based on their local jurisdiction. Any submitter found to be underage will be disqualified from participating and receiving rewards.

Compliance with Applicable Laws: Submitters are responsible for ensuring compliance with all applicable laws, regulations, and legal requirements. Any violation of laws or regulations during the submission process will result in disqualification from the bug bounty program and forfeiture of any rewards.

Accuracy of Information: Submitters are required to provide accurate and truthful information during the identity verification process. Any falsification or misrepresentation of identity or information will result in immediate disqualification from the bug bounty program and may lead to legal action.

Confidentiality: All information collected during the identity verification process will be kept confidential and used only for the purpose of administering the bug bounty program. Personal information collected by NewTendermint will be handled in accordance with NewTendermint’s privacy policy and applicable data protection laws.

Exclusion of Employees and Immediate Family Members: Submitters participating in the bug bounty program must not be employees of NewTendermint or affiliated group companies or their immediate family members. This exclusion is implemented to prevent conflicts of interest, unfair advantages, or manipulation of the bounty program. Immediate family members include spouses, domestic partners, parents, siblings, children, and any other relatives residing in the same household as NewTendermint employees.

Declaration of Affiliation: Submitters are required to declare any affiliation or relationship with NewTendermint or its employees that may present a conflict of interest. Failure to disclose such affiliations may result in disqualification from the bug bounty program and forfeiture of any rewards.

Fairness and Integrity: NewTendermint is committed to maintaining the fairness and integrity of the bug bounty program. Any attempt to manipulate or exploit the program, including by employees or their immediate family members, will result in immediate disqualification and may lead to further disciplinary action.

Reporting Violations: Participants are encouraged to report any suspected violations of this policy, including instances of employee or family member involvement, to the bug bounty program administrators for investigation and appropriate action.

NewTendermint reserves the right to verify the identity of submitters at any time during the bug bounty program and to take appropriate action, including disqualification and legal action, against any submitter found to be in violation of these identity verification requirements.

About NewTendermint

NewTendermint aims to create a more transparent and accountable world through creation of open-source software that enables permissionless innovation and borderless transactions. Our technology empowers builders to launch sovereign blockchains and decentralized applications (dApps) that are secure, scalable, and interoperable. NewTendermint is a pioneering contributor to the Cosmos ecosystem.

Rewards

Range of bounty: $200 - $10,000

Severity: Reward
Critical: $2,000 - $10,000
High: $1,000 - $2,000
Medium: $400 - $1,000
Low: $200 - $400

Stats

Scope Review: 2035
Submissions: 11
Total rewards: 0

Types: blockchain, smart contract
Languages: Go
Platforms: Win, Mac, Linux

Hackers (7): zaftoshi, Benkaddour Yahia, Ayush Pokhrel 🇳🇵, Joshua Ayobamidele

SLA (Service Level Agreement)

Time within which the program's triage team must respond (business days):

Response Type: Business days
First Response: 7d
Triage Time: 7d
Reward Time: 30d
Resolution Time: 30d