Bug bounty
Triaged by Hackenproof

Walrus Smart Contracts

Company: Walrus
KYC required. PoC required.
This program is active now

Walrus is a decentralized storage network that stores and delivers raw data and media files — like videos, images, and PDFs — without sacrificing performance or accessibility. With Walrus, your data is always secure and available.

In scope
  • Target: https://github.com/MystenLabs/walrus/tree/main/contracts (scoped to mainnet tags / testnet tags)
    Type: Smart Contract
    Severity: Critical
    Reward: Bounty
  • Target: https://github.com/MystenLabs/walrus/tree/main/crates/walrus-core
    Type: Smart Contract
    Severity: Critical
    Reward: Bounty

Focus Area

The Walrus Bug Bounty Program is designed to encourage security researchers to help identify vulnerabilities that might affect the security, reliability, and economic integrity of the Walrus decentralized storage protocol. Walrus leverages two-dimensional erasure coding (“Red Stuff”), a Sui-based control plane for node lifecycle and blob management, and an economic model based on staking and governance. Because data integrity and correct fee enforcement are central to its operation, vulnerabilities that allow unauthorized deletion of data, or that let users obtain storage for disproportionately low fees, are considered the most Critical.

Smart Contracts & On-Chain Logic:

  • Sui smart contracts governing blob registration, storage resource management, shard migration, and staking/governance functions.

Core Protocol Components:

  • The implementation of the “Red Stuff” encoding/decoding algorithms and associated data commitment mechanisms.
  • The availability certificate generation and verification process.

DoS on Client Interfaces/APIs:

  • Public APIs of the aggregator and publisher

Economic and Incentive Mechanisms:

  • The pricing and payment mechanisms for storage and write operations.
  • Mechanisms enforcing fee payments (including those that ensure users cannot “pay zero” or abnormally low fees).

Reward size for Smart Contracts

Critical

  • Theft of funds held in Walrus contracts (such as accumulated rewards) with a notional value greater than $100,000.

High

Data Loss/Deletion:

  • Vulnerabilities that enable an attacker to perform unauthorized or unintended deletion of stored blob data, or to corrupt it irreversibly.
  • Example: A bug allowing an attacker to trigger an unintended deletion across multiple nodes.

Economic Abuse – Zero/Near-Zero Payment:

  • Any flaw that allows an attacker to store data while paying little or nothing for storage, bypassing fee controls or staking requirements.
  • Example: Exploiting a bug in the fee calculation or smart contract logic so that users can acquire storage at zero cost.

Integrity & Availability Breaches:

  • Issues that compromise the correctness of the availability certificate (e.g. forging commitments) or subvert the recovery mechanism, potentially allowing an attacker to prevent legitimate data recovery.

Economic Manipulation:

  • Vulnerabilities that allow an attacker to partially manipulate fee payments, commission rates, or staking rewards in a way that might lead to financial imbalance or an unfair economic advantage.

Authentication & Authorization Flaws:

  • Bugs that could let an attacker impersonate a storage node or bypass certain access controls without directly causing full data loss.

Medium

  • Full DoS of the network with no recovery short of a hard fork
  • DoS of the Walrus Aggregator/Indexer (no brute force)

Low

  • To be determined and confirmed by the Walrus team.

Payout Structure

  • Currency: Rewards may be paid in USD or WAL tokens at the discretion of the Walrus Foundation.
  • Reward Adjustments: Payouts are subject to review based on impact, ease of exploitation, and potential damage. Multiple reports on the same vulnerability will be consolidated.
  • Critical Economic & Data-Availability Bugs: Because the protocol’s economic model and data durability are paramount, vulnerabilities such as those allowing storage at near-zero cost or accidental deletion of data will be weighed more heavily.
  • Eligibility: Only vulnerabilities found in official releases (and, where applicable, on the public testnet environment) of Walrus are eligible for rewards.

Out of Scope

  • Denial-of-Service (DoS) attacks or network-layer flooding that do not lead to lasting security impact.
  • Third-party libraries or platforms that are unmodified from their official release (unless integrated uniquely by the Walrus team).
  • Issues reported solely from unsupported test environments if they do not have a production impact.
  • Social engineering, phishing, or non-technical attacks.
  • Vulnerabilities requiring physical access or relying solely on user misconfiguration.
  • Theoretical impacts without any proof or demonstration
  • CSRF with no state-modifying security impact (e.g. logout CSRF)
  • Impacts related to missing HTTP security headers (such as X-Frame-Options) or cookie security flags (such as HttpOnly) without demonstration of impact
  • Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces
  • Lack of SSL/TLS best practices
  • Impacts that only require DDoS
  • UX and UI impacts that do not materially disrupt use of the platform
  • SPF/DMARC misconfigured records
  • Missing HTTP Headers without demonstrated impact
  • Automated scanner reports without demonstrated impact
  • UI/UX best practice recommendations
  • The wal_exchange smart contract (https://github.com/MystenLabs/walrus/tree/main/contracts/wal_exchange), as it is testnet-only and its code is intentionally kept simple.

Program Rules

  • Avoid using automated web application vulnerability scanners, which generate massive traffic
  • Make every effort not to damage or restrict the availability of products, services, or infrastructure
  • Avoid compromising any personal data, interruption, or degradation of any service
  • Don’t access or modify other user data, localize all tests to your accounts
  • Perform testing only within the scope
  • Don’t exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam
  • Don’t spam forms or account creation flows using automated scanners
  • If you find a chain of vulnerabilities, we pay only for the vulnerability with the highest severity.
  • Don’t break any law and stay in the defined scope
  • Details of found vulnerabilities must not be communicated to anyone who is not a member of the HackenProof team or an authorized employee of the Company without appropriate permission

Disclosure Guidelines

  • Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
  • No vulnerability disclosure, including partial disclosure, is allowed at this time.
  • Please do NOT publish/discuss bugs

Eligibility and Coordinated Disclosure

We are happy to thank everyone who submits valid reports that help us improve security. However, only those that meet the following eligibility requirements may receive a monetary reward:

  • You must be the first reporter of a vulnerability.
  • The vulnerability must be a qualifying vulnerability.
  • Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com
  • You must send a clear textual description of the report along with steps to reproduce the issue, include attachments such as screenshots or proof of concept code as necessary.
  • You must not be a former or current employee of the Company or of one of its contractors.
  • ONLY USE the EMAIL under which you registered your HackenProof account (in case of violation, no bounty can be awarded)
  • Provide detailed but to-the point reproduction steps

Rewards

Range of bounty: $1,000 - $100,000

  • Critical: $100,000
  • High: $10,000
  • Medium: $5,000
  • Low: $1,000 - $2,500

Stats

  • Scope Review: 1360
  • Submissions: 29
  • Total rewards: $0
  • Types: smart contract
  • Languages: Move, Rust
  • Hackers: 14

SLA (Service Level Agreement)

Time within which the program's triage team must respond (business days):

  • First Response: 3d
  • Triage Time: 3d
  • Reward Time: 3d
  • Resolution Time: 14d