Algorand Blockchain
Program Overview
Algorand is the world’s most powerful and sustainable blockchain. Our institutional grade blockchain infrastructure is the first and only to achieve decentralization, scalability, and security without compromises and while being environmentally sustainable.
For more information about the Algorand Blockchain, please visit https://www.algorand.com/. For more information about the Algorand Foundation Bug Matching Bounty Program, please visit https://immunefi.com/algorand-matching/
Rewards by Threat Level
Rewards are distributed according to the “Impacts in Scope” section below. This is a simplified 4-level scale focusing on the impact of the vulnerability reported. This program only covers the Algorand Blockchain itself - any third-party software or smart contracts built on the Algorand Blockchain are considered out of scope.
All Critical and High Blockchain/Digital Ledger Technology vulnerability reports require a Proof of Concept (‘PoC’) to be eligible for a reward. Explanations and statements are not accepted as PoC and code is required.
Critical Blockchain/DLT vulnerabilities are capped at 10% of economic damage, primarily taking into consideration funds at risk, but also PR and branding aspects, at the final decision of Immunefi, after consulting with the Algorand Inc. and the Algorand Foundation teams. However, there is a minimum reward of USD 100 000. The following vulnerabilities are not eligible for a reward:
- Any issue on the issue tracker: https://github.com/algorand/go-algorand/issues
- Any issue found on open pull requests: https://github.com/algorand/go-algorand/pulls
Please refer to the documentation here on creating a dev environment so that PoCs can be created properly.
KYC shall be done for bug bounty hunters submitting a vulnerability report and requesting a reward for Critical and High Blockchain/DLT vulnerabilities. The basic information needed is full name, residential address, and passport details (DOB, issuing country and passport number). Based on the basic information submitted, the Algorand Foundation team may request further information at its sole discretion for compliance with applicable laws.
Additionally, all levels of bug bounty hunters submitting a vulnerability report and requesting a reward need to submit certification that (i) they are not acting, directly or indirectly, for or on behalf of any person, group entity, or nation named by any Executive Order or the United States Treasury Department as a terrorist, “Specially Designated National and Blocked Person,” or other banned or blocked person, entity, nation, or transaction pursuant to any law, order, rule or regulation that is enforced or administered by the Office of Foreign Assets Control; and (ii) they are not engaging in, instigating or facilitating this transaction, directly or indirectly, on behalf of any such person, group, entity, or nation. They also need to submit an attestation that all information provided is true, correct, up-to-date and not misleading.
The collection of this information will be done by the Algorand Foundation team.
Bug bounty reward payouts are handled by the Algorand Foundation team directly and are denominated in USDCa.
Blockchain/DLT (Level: Payout)
- Critical: USD $100,000 to USD $2,000,000
- High: USD $75,000
- Medium: USD $10,000
- Low: USD $2,000
Assets in scope
Asset (Type):
- Agreement (Blockchain/DLT)
- Catchup (Blockchain/DLT)
- Crypto (Blockchain/DLT)
- Daemon (Blockchain/DLT)
- Data (Blockchain/DLT)
- Ledger (Blockchain/DLT)
- Network (Blockchain/DLT)
- Node (Blockchain/DLT)
- Protocol (Blockchain/DLT)
- rpcs (Blockchain/DLT)
- State Proof (Blockchain/DLT)
- Util (Blockchain/DLT)
All blockchain code of Algorand can be found at https://github.com/algorand/go-algorand. However, only the components listed in the Assets in Scope table, as located in the main branch, are considered in scope for the bug bounty program.
Note: any file whose name includes _test and/or mocks is out of scope. In particular, the following assets are out of scope:
- kmd
- Ledger app
- Indexer
- SDKs
- Any third-party software or smart contracts
- Websites (algorand.com, algorand.foundation, etc.)
If an impact can be caused to any other asset relating to the Algorand Blockchain that isn’t in this table but for which the impact is listed in the Impacts in Scope section below, bug bounty hunters are encouraged to submit it for consideration by the Algorand Inc. team, who shall consult the Algorand Foundation team before making a final determination. This only applies to Critical and High Blockchain/DLT vulnerabilities.
Notes:
- Any bugs that can only be exploited on BetaNet will be rewarded at 33% of the MainNet bounty amount.
- Only MainNet, TestNet, and BetaNet are in scope. Any other publicly provided or private networks are out of scope.
- All current and former employees, consultants, advisors, or affiliates of the Algorand Foundation team or the Algorand Inc. team or their affiliates shall be prohibited from receiving any payment or reward of any kind under the Program.
Impacts in scope
Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.
Blockchain/DLT
- Critical: Any methods of double spending, stealing, or creating Algos caused by an issue in algod node software
- Critical: Consensus safety violations: fork (two different blocks for the same round which were certified by the consensus protocol), or creation of a certified block with invalid transactions
- Critical: Any methods of Remote Code Execution (RCE) on a properly configured Algorand node solely communicating with properly configured MainNet relays (on their public relay port; excludes any attack using the REST API)
- Critical: Tamper / manipulate blockchain history to add, invalidate, or change past transactions
- High: Halt consensus so it is unable to produce new blocks for over 24 hours
- High: Attack leading to network partition of nodes: causing some properly configured nodes with unrestricted and uncensored Internet access to not see new blocks for an extended period of time
- High: Any methods of Remote Code Execution (RCE) on a properly configured Algorand node solely communicating via the REST API endpoint (for this type of attack, credentials of the REST API endpoint can be used)
- High: Any attack remotely leaking secret participation keys of a properly configured participation node (without access to the node itself nor any of its credentials) or leaking enough information to be able to vote and propose blocks on behalf of the node
- Medium: Remote crash
- Medium: Censor a specific valid transaction for >100 blocks without interrupting the rest of the network and with transaction fees set appropriately for the level of congestion. Economic (large stake / node access) and spam (filling blocks with transactions) attacks are out of scope
- Medium: Any bug preventing a properly configured participation node which follows the Algorand Foundation’s node requirements (https://algorand.foundation/algorand-protocol/network) with >1% of online stake from proposing blocks for >24 hours
- Medium: Any panic of the AVM caused by an otherwise valid transaction
- Low: Any panic of the AVM caused by invalid transactions, unless such a panic is explicitly allowed per the code / documentation
- Low: Any bug which allows an attacker to show corrupt information to a consumer of an API (does not need to necessarily corrupt any vital state)
Out of Scope & Rules
The following vulnerabilities are excluded from the rewards for this bug bounty program:
- Attacks that the reporter has already exploited themselves, leading to damage
- Attacks requiring access to leaked keys/credentials
- Attacks requiring access to privileged addresses (governance, strategist)
Blockchain
- Best practice critiques
- Centralization risks
- Attacks requiring >20% of online stake held by accounts or nodes (those that hold more online stake than Algorand’s consensus assumptions) to exhibit “bad behavior” (e.g. expiring participation keys)
- 3rd party risks (e.g. applications built on top of the Algorand blockchain, light clients, bridges, liquidity imported to / exported from Algorand, use of 3rd party providers, etc.)
- Any bugs that cannot be exploited on MainNet, TestNet, or BetaNet (e.g. limited to other publicly provided or private networks)
- Attacks requiring quantum computers or impractical memory/computation capabilities
- Standard asset freeze / clawback actions from privileged addresses (e.g. manager / reserve / freeze / clawback address actions)
- Any minor violation of semantics of transfer/creation/… of ASAs or of smart contracts that does not have any impact on significant dApps (e.g., because the semantics are just unclear or never actually used in real use cases)
- Attacks requiring physical access to the nodes
- Attacks requiring a network partition of the Internet itself or significant control over the Internet infrastructure (BGP attack, control of major Internet routers/backbone, control of a cloud provider, generation of TLS certificates for malicious websites, etc.)
- Attacks related to misconfigured nodes or nodes not using the proper configuration (algod running as a privileged user, disabling of DNSSEC, use of a too small/too slow disk, etc.)
- Attacks related to nodes not running the latest stable version of algod
- Attacks using maliciously generated fast catchup hash values
- Supply-chain attacks
- Side-channel attacks
- Denial of Service (DoS) or crash testing against any node you don’t own (e.g. public relay nodes)
- Bandwidth flooding DDoS attacks (saturating the network)
- Attacks that rely on social engineering
- Theoretical attacks that cannot be applied in practice
- Attacks against white papers
- Any bug that has been previously disclosed / submitted
- Any bug that has already been exploited
- Bugs from misconfigured / inappropriately secured smart contracts
- Any third-party software or smart contracts built on Algorand
The following activities are prohibited by (and shall be deemed as a breach of) this bug bounty program:
- Bug testing on any public network; all testing should be done on private testnets
- Any denial of service attacks or crash testing against any node you don’t own (e.g. public relay nodes)
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty
- Algorand Inc. considers Social Engineering attacks against Algorand Inc. employees a violation of Program Terms and Conditions. Researchers engaging in Social Engineering attacks against Algorand Inc. employees will be banned from the Algorand Blockchain Bug Bounty program. Algorand Inc. defines Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.
- Algorand Foundation considers Social Engineering attacks against Algorand Foundation employees a violation of Program Terms and Conditions. Researchers engaging in Social Engineering attacks against Algorand Foundation employees will be banned from the Algorand Blockchain Bug Bounty program. The Algorand Foundation defines Social Engineering as acts that influence people to perform security-impacting actions or divulge confidential information.