Triaged by Immunefi
PoC required
KYC required
Technical Resources
Roadmap
- Technical: https://forum.celo.org/t/cel2-roadmap-update/6815
- Non-technical: https://www.youtube.com/watch?v=mkpTmbkRv4A
Is this an upgrade of an existing system? If so, which? And what are the main differences?
Celo is transitioning from a standalone EVM-compatible Layer 1 blockchain to an Ethereum Layer 2. This shift, proposed by cLabs in July 2023, aims to maintain the seamless user experience that Celo is known for—characterized by speed, low costs, and ease of use—while leveraging Ethereum's security and ecosystem.
Where do you suspect there may be bugs? Which parts of the code are you most concerned about?
Experimental Features, Custom Gas Token, Alternate Data Availability Layer implementation in the OP Stack.
What attack vectors are you most concerned about?
Migration to L2 and Sequencer
Which part(s) of the system do you want whitehats to attempt to break the most?
Custom Gas Currency (https://docs.celo.org/cel2/fee-currencies)
What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported? Which are not?
All ERC20 / ERC721 / ERC777 / ERC1155 standards are supported.
What emergency actions may you want to use as a reason to invalidate or downgrade an otherwise valid bug report?
Test on Testnet: https://docs.celo.org/cel2/network-information
What monitoring systems may you want to use as a reason to invalidate or downgrade an otherwise valid bug report?
- Third-party security review
- Blockchain Explorer
For which addresses would you consider any bug report requiring their involvement to be out of scope, as long as they operate within the privileges attributed to them?
Any is fine on Testnet
What external dependencies are there?
https://github.com/ethereum-optimism/op-geth
Where might whitehats confuse out-of-scope code to be in-scope?
Open source code in the defined repos is in scope. Anything on testnet is in scope. Cel2 code is not deployed to Mainnet.
stCelo (staked-celo) is live on Mainnet and is in scope.
What is the test suite setup information?
- https://docs.celo.org/cel2/network-information
- https://celo.academy/t/exploring-alfajores-testnet-a-comprehensive-guide-to-celos-test-network/2618
Public Disclosure of Known Issues
Bug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk.
Previous Audits
Celo’s previous audit reports can be found here: https://celo.org/audits
Celo is currently running an audit. Bugs in the audit report that aren't disclosed pre-launch are valid for rewards.
Impacts in Scope
- Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
- Permanent freezing of funds on L1
- Protocol insolvency
- Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results
- L1 contract manipulation (sequencer address, malicious state root update)
- Critical hot wallets compromised (batcher, proposer, sequencer)
- Permanent freezing of unclaimed royalties
- Temporary freezing of funds
- Theft of unclaimed royalties
- Theft of unclaimed yield
- Permanent freezing of unclaimed yield
- L2 re-org
Out of scope
Smart Contract specific
- Incorrect data supplied by third party oracles
- Not to exclude oracle manipulation/flash loan attacks
- Impacts requiring basic economic and governance attacks (e.g. 51% attack)
- Lack of liquidity impacts
- Impacts from Sybil attacks
- Impacts involving centralization risks
All categories
- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
- Impacts caused by attacks requiring access to leaked keys/credentials
- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed
- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
- Best practice recommendations
- Feature requests
- Impacts on test files and configuration files unless stated otherwise in the bug bounty program
- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers