Bug bounty
Triaged by HackenProof

Sui Wallet: Program info

Sui Wallet

Company: Mysten Labs
This program is active now

Mysten Labs welcomes feedback from security researchers and the general public to help improve our security. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issue in any of our assets within the scope laid out below, we want to hear from you. All reports should be submitted with a valid proof of concept (PoC) and detailed steps for replication to be considered valid. Please test out attacks on Testnet to evaluate if there can be state changes to objects.

In scope
Target: https://chromewebstore.google.com/detail/sui-wallet/opcgpfmipidbgpenhmajoajpbobppdil?hl=en
Type: Other
Severity: Critical
Reward: Bounty

Additionally, we consider infrastructure built around the wallet (GitHub, etc.). Other resources connected to Mysten Labs may be considered on a severity basis.

Target: https://github.com/MystenLabs/sui/tree/main/apps/wallet
Type: Code
Severity: Critical
Reward: Bounty

Focus Area

Impact in Scope for Wallet

  • The funds being frozen or locked within the wallet, and otherwise irrecoverable
  • The funds being stolen by an attacker through leaking of the Secret Recovery Phrase or transactions specifically when visiting a webpage
  • Entire set of accounts being irrecoverable using existing flows in the app.

Critical

  • Execution of unauthorized system commands
  • Retrieval of sensitive data/files from the server
  • Performing state-altering authenticated actions on behalf of other users without their interaction, such as:
      • Modifying user registration information
      • Altering NFT metadata
  • Seizing control of a subdomain through interaction with an already-connected wallet
  • Direct unauthorized access or theft of user funds
  • Malicious interactions with an already-connected wallet, such as:
      • Changing transaction arguments or parameters
      • Substituting contract addresses
      • Submitting malicious transactions
  • Direct theft of user NFTs
  • Injection of malicious HTML or XSS through NFT metadata

High

  • Seizing control of a subdomain without interaction with an already-connected wallet.
  • Injection or modification of static content on the target application without the use of JavaScript (Persistent), which could include:
      • HTML injection devoid of JavaScript
      • Substitution of existing text with arbitrary content
      • Unrestricted file uploads, and more
  • Alteration of sensitive user details (including modifications to browser local storage) without interaction with an already-connected wallet and requiring only a single user interaction, which could include:
      • Changing a user's email or password
  • Incorrect disclosure of confidential user information, such as:
      • Email addresses
      • Phone numbers
      • Physical addresses

Medium

  • Injecting/modifying the static content on the target application without JavaScript (Reflected), such as:
      • Reflected HTML injection
      • Loading external site data
  • Redirecting users to malicious websites (Open Redirect)

Low

  • Taking over broken or expired outgoing links, such as social media handles, etc.
  • Temporarily preventing a user from accessing the target site, such as:
      • Locking the victim out of login
      • Cookie bombing, etc.

OUT OF SCOPE:

  • Sui Explorer: Vulnerabilities within the Sui Explorer, including front-end and smart contract components
  • SuiFrens: This includes the website, infrastructure and smart contracts
  • SuiNS: This includes the website, infrastructure and smart contracts
  • Sui Kiosk and Kiosk Extensions: Code that implements royalty and other enforcements
  • Third-party Integrations: Vulnerabilities in services, platforms, libraries, or other components not directly controlled by Mysten Labs
  • Physical Security: Vulnerabilities that require physical access to a user's device or data center
  • Denial of Service (DoS) Attacks: While we are aware of the potential for DoS attacks, our focus is on vulnerabilities that could lead to unauthorized access or data leakage, so DoS attacks are out-of-scope
  • Version-specific vulnerabilities: Vulnerabilities that only exist in outdated versions of our products, smart contracts, or wallet extension
  • Clickjacking: User Interface redress attacks, also known as clickjacking
  • Tabnabbing
  • Best Practices: Failure to adhere to "Best Practices" or recommendations (i.e., CWE-200), unless a viable, concrete attack scenario is presented
  • Self-XSS: Self-Cross-Site Scripting vulnerabilities
  • Missing HTTP Security Headers: Unless you can demonstrate a concrete security risk, missing security headers will be considered out-of-scope and dismissed with prejudice
  • Expired SSL Certificates
  • Attacks requiring MITM or physical access to a user's device
  • Issues that require unlikely user interaction (e.g. entering their seed phrase into a form)
  • Open redirect - unless an additional security impact can be demonstrated
  • Any reports from Employees or recently hired auditors
  • Known Security Issues from previous reports or Audits set forth below.
  • zkLogin features

Program Rules

To maintain integrity, avoid potential conflicts of interest, and ensure an effective bug bounty program, the following restrictions apply:

  • Current employees, vendors (auditors), partners and contractors of Mysten Labs and Sui Foundation are not eligible to participate in the program.
  • Former employees and contractors of Mysten Labs and Sui Foundation, who ceased working with the aforementioned entities must wait 6 months from the last date of employment before being eligible to participate in the program.
  • Sanctioned individuals and/or organizations are not eligible to participate in the program.
  • These restrictions are put in place to ensure the objectivity of the program and to prevent any potential conflicts of interest.

Responsible Disclosure

If you find a security vulnerability, please submit it to us privately before making it public. Rewards will not be awarded if a vulnerability is publicly disclosed first.

No Disruption

If you find a security vulnerability, please submit it to us privately (using the instructions below) before making it public. Rewards will not be awarded if a vulnerability is publicly disclosed first.

No Harm

Researchers must not exploit any vulnerability to access, modify, harm, or leak data that does not belong to them.

Avoid Compromising Privacy

Testing should not compromise the privacy of any individual or entity.

Rewards

Our rewards for wallets and websites are based on severity per the Common Vulnerability Scoring Standard. Please note that these are general guidelines, and reward decisions are subject to the discretion of Mysten Labs.

Mysten Labs may change or modify the amounts or types of rewards and may remove or reallocate any rewards earned by any participant or elect not to provide any rewards to any participant for any reason.

Distribution of rewards will follow reward determinations made by Mysten Labs, and will be subject to successful completion of KYC process (details below). Payments will be denominated in SUI. U.S. persons will receive rewards denominated in USD.

Disclosure Guidelines

  • Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
  • No vulnerability disclosure, including partial disclosure, is allowed for the moment.
  • Please do NOT publish/discuss bugs

Eligibility and Coordinated Disclosure

We are happy to thank everyone who submits valid reports which help us improve the security. However, only those that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability
  • Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com
  • You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
  • You must not be a former or current employee of us or of one of our contractors.
  • ONLY USE YOUR HackenProof ADDRESS (in case of violation, no bounty can be awarded)
  • Provide detailed but to-the-point reproduction steps

Key Verifications

Upon validating a reported bug, we will notify you about the reward amount. Payouts will be processed following our KYC procedures. Please note that all researchers eligible for a reward will be required to go through the KYC process.

The KYC process is necessary to prevent fraudulent activities and comply with international regulations. We ensure that all personal information collected during this process will be stored securely and used solely for the purpose of the KYC process.

During the KYC process, you may be asked to provide the following:

  • A government-issued identification document (Passport, National ID, or Driver's License)
  • Proof of address (Utility Bill, Bank Statement, or any official document showing your full name and address)

Failure to successfully pass the KYC process will result in the withholding of the bounty payout. We appreciate your understanding and cooperation in this matter.

Safe Harbor Policy

When conducting vulnerability research, we consider research conducted solely under this program to be:

  • Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith actions that would otherwise constitute hacking;
  • Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of our technology controls;
  • Exempt from any restrictions in our Terms of Service (TOS) that would interfere with conducting security research, and we waive those restrictions on a limited basis; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws.

Note that this section applies only to legal claims brought by Mysten Labs, and that this section does not bind independent third parties or law enforcement authorities.

Rewards

Range of bounty: $1,000 - $30,000

Severity: Reward
Critical: $10,000 - $30,000
High: $3,000
Medium: $2,000
Low: $1,000

Stats

Total rewards: 0
Submissions: 15
Types: other
Project types: Wallet
SLA (Service Level Agreement)

Time within which the program's triage team must respond

Response Type: Business days
First Response: 0d
Triage Time: 0d
Reward Time: 3d
Resolution Time: 14d