Attackathon | Fuel Network

Fuel is an operating system purpose built for Ethereum Rollups. Fuel allows rollups to solve for PSI (parallelization, state minimized execution, interoperability) without making any sacrifices.

Fuel Network
Infrastructure
L2
Sway
Rust

Status: Finished
Max Bounty: $1,000,000
Rewards Pool: $1,000,000
Vault TVL: $499,893.46
Started: 17 June 2024
Ended: 22 July 2024
Rewards Token: USDC
nSLOC: 100,000
  • Triaged by Immunefi

  • PoC required

  • Vault program

  • KYC required

Resources & Documentation

Fuel's changelog per repo at the end of the code update period is:

Additional Known Issues have also been added to the section 'Post Code Update Period Known Issues'. When these issues are fixed, they will no longer be considered known issues and the code will be brought back into scope to find bugs in the fixes. All intended fixes are included in the 'Known Issues' section.

Fuel Network’s codebase can be found here https://github.com/FuelLabs/ . Each in-scope asset listed above is pinned to a given hash, which is the source of truth for what’s in scope.

Fuel Network will strive to have the Testnet match their Github assets. In cases where they differ, the links in the assets in-scope table will be the source-of-truth as to what’s in-scope.

Out of Scope Assets:

The Testnet deployment can be found here:

Previous Audits & Public Disclosure of Known Issues

Bug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk.

Fuel Network’s completed audit reports can be found at https://github.com/FuelLabs/audits . Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.

Post Code Update Period Known Issues:

The following fixes will be deployed for the above known issues, at which point they'll no longer be known issues and will be brought back into scope so that bugs can be found in them again:

  • Optimize getting of transactions for blocks during network synchronization to decrease the load from the p2p service.
  • Fix the edge case for sequential opcodes so that no error is returned when the last key of the operation is still in range.
  • Handle the gas price and the number of available transactions during transaction selection in the TxPool.
  • Update the executor's block production logic to modify the block only after the transaction is valid.
  • Increase the base gas price based on demand.
  • Optimize SMT updates within transaction execution.
  • Fix 'WDCM' and 'WQCM' to match the specification.

Miscellaneous issues:

There may be other low-severity findings tracked in these repos' GitHub issues which are not exhaustively listed here. Before sending a submission, you can check for publicly described issues on GitHub by searching with keywords from the finding.

Asset In Scope Policies

Asset Accuracy Assurance

Bugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.

Private Known Issues Reward Policy

Private known issues, meaning known issues that were not publicly disclosed, are valid for a reward.

Primacy of Impact vs Primacy of Rules

Fuel Network adheres to the Primacy of Rules, which means that the whole Attackathon is run strictly under the terms and conditions stated within this page.