Status DataClose notification
Audit program
Triaged by HackenProof

Push Chain L1 DualDefense Audit: Program info

Push Chain L1 DualDefense Audit

Company: Push Chain
50 reputation points required KYC required POC required $5 submission fee
Live
Contest is active now
Program infoHackers (33)Reports

Push Chain is a shared-state Layer 1 that brings together Cosmos-style blockchain infrastructure with full Ethereum app compatibility, so developers can build in familiar tools while the chain coordinates activity across networks. Rather than connecting chains one bridge at a time, Push acts as a central hub where cross-chain actions are observed, agreed on, and executed—enabling universal applications that can reach users and assets on many chains from one place.

In scope
TargetTypeSeverity
https://github.com/pushchain/push-chain-node/tree/0648551281dada6e300f51baca0e7464cb210eef/x
copy
Copy
success Copied

Final commit: 0648551

  • UExecutor (x/uexecutor/)
  • URegistry (x/ueregistry/)
  • UValidator (x/uvalidator/)
  • UTSS (x/utss/)
  • Custom Precompiles (precompiles/)
  • EVM Customizations (app/ante/)
Protocol
Critical
https://github.com/pushchain/push-chain-node/tree/0648551281dada6e300f51baca0e7464cb210eef/universalClient
copy
Copy
success Copied

Final commit: 0648551

  • Universal Client
Protocol
Critical
https://github.com/pushchain/push-chain-evm/tree/96231e7
copy
Copy
success Copied

Final Commit: 96231e7

  • push-chain-evm
Protocol
Critical
Target
https://github.com/pushchain/push-chain-node/tree/0648551281dada6e300f51baca0e7464cb210eef/x
copy
Copy
success Copied

Final commit: 0648551

  • UExecutor (x/uexecutor/)
  • URegistry (x/ueregistry/)
  • UValidator (x/uvalidator/)
  • UTSS (x/utss/)
  • Custom Precompiles (precompiles/)
  • EVM Customizations (app/ante/)
TypeProtocol
Severity
Critical
Target
https://github.com/pushchain/push-chain-node/tree/0648551281dada6e300f51baca0e7464cb210eef/universalClient
copy
Copy
success Copied

Final commit: 0648551

  • Universal Client
TypeProtocol
Severity
Critical
Target
https://github.com/pushchain/push-chain-evm/tree/96231e7
copy
Copy
success Copied

Final Commit: 96231e7

  • push-chain-evm
TypeProtocol
Severity
Critical

Focus Area

IN-SCOPE: L1 VULNERABILITIES

A critical vulnerability is defined as a vulnerability with both high likelihood and high impact.

High likelihood:

  • The attack can be executed without requiring privileged roles, although it may involve a mechanism that allows the attacker to gain control over a privileged entity and exploit that power if the vulnerability permits privilege escalation.
  • It does not require a significant token balance or substantial funding.
  • It does not demand considerable computational resources or extended time.

High impact:

  • Vulnerabilities that result in a complete breakdown or significant disruption of the network, including any of the following:
    • Widespread node crashes.
    • Denial-of-service attacks that, while not necessarily causing nodes to crash, could overload them to the point where they cannot participate in the network.
    • Inability to process and finalize new transactions.
  • Direct theft or loss of a substantial amount of funds, or permanent freezing of funds.
  • Vulnerabilities that disrupt the consensus mechanism, enabling an attacker to gain control over a majority of nodes and maintain full control over block rejection, approval, and finalization.

OUT OF SCOPE: L1 VULNERABILITIES

  • All other issues not mentioned “IN SCOPE” area

Program Rules

Only critical vulnerabilities that could lead to the loss of user funds or the permanent lock of funds are eligible for rewards.

  • The company is not obliged to pay for "Low"-"High" severity issues. Only "Critical" issues are under the scope. However, the team may, at its discretion, accept the report and pay the bonus, the reward will not be a part of the bounty pool.
  • The total bounty pool is $70,000 in HAI tokens. The maximum reward per single critical vulnerability is capped at $15,000
  • Perform testing only within the scope
  • Any details of found vulnerabilities must not be communicated to anyone who is not a HackenProof Team or an authorized employee of this Company without appropriate permission
  • All communication regarding the program must take place exclusively through the HackenProof platform. Contacting the project team directly through support channels, social media, or any other external communication channels is strictly prohibited. Researchers who violate this rule may be disqualified from the program and may face account suspension.
  • Each vulnerability must have a fully working Proof of Concept (PoC) attached to the report at the time of submission. Submissions missing a valid POC will be closed and may result in a reputation point penalty.
  • Each vulnerability must have a significant, implicit high likelihood of exploitation.
  • Each vulnerability must include a suggested fix or mitigation strategy at the time of submission of the report
  • Human-based errors and rogue privileged users are considered to be not valid vulnerabilities or risks.

Fail to comply with these rules may result in the closure of your report, loss of reputation points, and ban from future participation in the contest

A critical vulnerability is defined as a vulnerability with both high likelihood and high impact.

Reward Distribution:

  • The reward will be distributed in HAI tokens. For that you will need to provide in your account your HAI wallet address so we can arrange the transaction.

Clear wording:

  • Bounty pool — total amount of reward in the DualDefense Audit ($70,000 in HAI tokens).
  • Allocated bounty — amount of reward for each unique critical vulnerability, capped at $15,000 in HAI tokens.
  • Each unique critical vulnerability is allocated up to $15,000 from the bounty pool.
  • If 5 or more unique criticals are reported, the $70,000 pool is split equally among all unique issues.

Example: If there are 3 unique critical vulnerabilities, each is allocated up to $15,000. If multiple researchers report the same vulnerability, the $15,000 for that issue is split equally among them.

How rewards scale:

  • 1 critical — up to $15,000
  • 2 criticals — up to $30,000
  • 3 criticals — up to $45,000
  • 4 criticals — up to $60,000
  • 5+ criticals — the $70,000 pool is split equally among all unique critical issues reported

Single Valid Submission

If a critical vulnerability is found by only one participant, that reporter receives 100% of the allocated bounty for that issue (up to $15,000).

Duplicate Submissions

If multiple participants find the same vulnerability, the $15,000 allocated for that issue is divided equally among all reporters. Example: If 4 researchers report the same critical, each receives $3,750.

Multiple Unique Submissions

  • Each unique critical vulnerability is allocated up to $15,000 regardless of how many other unique issues are reported (up to 4 criticals). For 5+ unique criticals, the $70,000 pool is split equally. Example: If 2 unique criticals are found by different researchers, each receives $15,000.

For any questions regarding the program, feel free to reach out in our DualDefense Support Request.

[DISCLAIMER] The reward amount will be denominated in HAI tokens which are staked in FlashPool, due to market volatility, the final USD amount may differ from the one stated in the rules.

HackenProof is entitled to 10% of rewards as the fee for the triage and other services‼️

Disclosure Guidelines

Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization

  • No vulnerability disclosure, including partial is allowed till the end of FlashBounty Audit contest.
  • Please do NOT publish/discuss bugs
  • Researchers must not contact the project team directly regarding any findings, questions, or bounty-related matters. All communication must be conducted through the HackenProof platform only.

Eligibility and Coordinated Disclosure

We are happy to thank everyone who submits valid reports which help us improve our security. However, only those that meet the following eligibility requirements may receive a monetary reward:

  • The vulnerability must be a qualifying vulnerability
  • Any vulnerability found must be reported exclusively through hackenproof.com
  • You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
  • You must not be a former or current employee of us or one of its contractor.
  • Provide detailed but to-the point reproduction steps
  • AI-generated reports without runable PoC are not accepted under this program.

Last audit

Hacken - April 2026

Assets in Scope

push-chain-node (x/)

Final Commit: 0648551

- UExecutor (`x/uexecutor/`)
- URegistry (`x/ueregistry/`)
- UValidator (`x/uvalidator/`)
- UTSS (`x/utss/`)
- Custom Precompiles (`precompiles/`)
- EVM Customizations (`app/ante/`)

push-chain-node (universalClient/)

Final Commit: 0648551

- Universal Client

push-chain-evm

Final Commit: 96231e7

- push-chain-evm
Duration
Start date13 Jul 2026
End date02 Aug 2026
Rewards
Range of bounty$0 - $70,000
Severity
Critical
$0 - $15,000
High
$0
Medium
$0
Low
$0
Stats
Scope Review2069
Submissions62
Total rewards$0
Types
blockchain
Languages
Go
Project types
L1/L2
Hackers (33) View all
SLA (Service Level Agreement)
Time within which the program's triage team must respond
Response TypeBusiness days
First Response20d
Triage Time20d
Reward Time22d
Resolution Time22d