Mina Protocol is the base layer for the private, provable web, enabling programmable zero-knowledge proofs for applications like verifiable credentials, secure voting, and scalable gaming.
Join us in testing some of the key tools in the most advanced ZK ecosystem including bridges, oracles, and the Mina base layer. Your expertise is invaluable in enhancing security and making blockchain verifiable and accessible for all.
Please kindly review the program details below. By participating in the program, you agree to be bound by the terms as set forth below and the Privacy Policy. The Mina Foundation is committed to protecting and respecting your privacy. To understand more about how they process your personal data please visit the following link: https://www.minafoundation.com/privacy-policy
Target | Type | Severity | Reward |
---|---|---|---|
https://github.com/MinaProtocol/mina (Mainnet: https://github.com/MinaProtocol/mina; Devnet: https://github.com/MinaProtocol/mina/releases) | Protocol | Critical | Bounty |
https://github.com/openmina/openmina (Mina Rust Node Implementation) | Protocol | High | Bounty |
NOTE! Mina is entitled to make payments in MINA tokens
Known Vulnerabilities: See this GitHub page for a list of known and already submitted issues on the Mina Protocol: https://github.com/MinaProtocol/mina/issues
Technical docs: To best understand how to get started on Mina, see the documentation at https://docs.minaprotocol.com
Protocol focus areas
- Chain Quality Attack: Any activity which may lower the chain quality (minwindowdensity) of the chain the network converges on would reduce the honest stake assumption required to perform a long fork attack against our blockchain. We want to discover any behavior which can trigger a reduction in the density of blocks produced on the main chain of the network.
- Lowering the Honest Stake Assumption: Our honest stake assumption with our current parameters is 65%, so an adversary needs >35% of the network's supply in order to break that assumption and execute attacks which manipulate the chain. Excluding the chain quality attack above, we want to find any activity which may lower the honest stake assumption, including (but not limited to): temporarily manipulatable network partitions, block production/receipt denials, and gossip network inconsistencies.
- Transaction/Snark Work Selection Manipulation: We'd like to discover any ways in which a node can manipulate the selection of transactions/snark work for inclusion in blocks such that the block producer is not making choices that are in their economic interest. As an example of this kind of attack: "there is a way to make a block producer select a piece of snark work you created over another piece of work which would have cost the block producer less".
- DDoS (RPC DDoS, Peer ID spam, transaction/snark work spam): Given the severity of DDoS attacks, we only want you to describe the (theoretical) way or scenario in which such an attack could happen. Once the Mina Foundation engineering team reviews your submission, we might invite you to attempt the attack against the network in practice; please wait for our permission before attacking the network.
- Bootstrap Attacks: We'd like to avoid instances in which an adversary could fool a bootstrapping node into bootstrapping to a malicious chain rather than the main chain. We'd also like to make sure that an adversary is not able to cause a synchronized node to enter bootstrap by sending it messages, as opposed to eclipsing it and waiting for time to pass.
- Eclipse Attack: We'd like to discover instances in which an adversary could separate a node from the rest of the network, or could trick a node into thinking that a handful of nodes are a good representation of the network when they really are not.
- Consensus attacks (long fork attack, epoch seed manipulation): We're interested in vulnerabilities that could result in consensus attacks. These could take on several forms, including:
- Corrupt Messages: We want to make sure that the network is resilient against corrupt messages. For example:
Know-Your-Customer (KYC) Verification
Submitters participating in the bug bounty program must undergo a Know-Your-Customer (KYC) identity verification process. KYC verification is necessary to ensure the authenticity of submitters and their eligibility to receive bounty rewards.
To participate in this program, you must:
For questions about our program rules, please join the #bug-bounty-support channel on our Discord server.
The Foundation can cancel the program at any time. Awards are at the sole discretion of the Foundation. All Bug Bounty awards are subject to compliance with local laws, rules, and regulations. We are not able to issue awards to individuals or entities who are on sanctions lists or who are in countries on sanctions lists. You are responsible for all taxes payable in connection with the receipt of any rewards. All rewards are subject to the laws of Switzerland.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy. However, this does not give you permission to act in any manner that is inconsistent with the law or might cause the Foundation to be in breach of any of its legal obligations. Further, your testing must not violate any law or compromise any data or funds that are not yours. We understand that some systems and services may be interconnected with those of third parties. While we can authorize your research for the Foundation under the scope of this program, we cannot authorize efforts on third-party products or guarantee they won’t pursue legal action against you.