Filecoin (FVM)

Live since: 05 May 2022
KYC required: Yes
Maximum bounty: $100,000

Program Overview

The Filecoin Virtual Machine is a new and exciting addition to the Filecoin protocol to support user-programmability and EVM-compatibility.

The FVM is a WASM-based polyglot execution environment for IPLD data. It is designed to support native Filecoin actors written in languages that compile to WASM, as well as smart contracts written for foreign runtimes including the Ethereum Virtual Machine (EVM), Secure EcmaScript (SES), and eBPF.

The FVM will be added to the live Filecoin network in several milestones.

Milestone 1 includes the new VM runtime with built-in actors (i.e., smart contracts) and the integration of the reference FVM (written in Rust) into Filecoin clients, either via FFI or directly. Milestone 1 is scheduled to be deployed on mainnet in May 2022 and is available for bounties until the end of May 2022. A second phase of the bug bounty program, covering Milestone 2, will open later, in July.

Milestone 2 will introduce user-programmable actors and EVM-compatibility in a phased manner. The first phase of Milestone 2 will likely be available for bounties in July before it is deployed to mainnet in September 2022 (estimated).

For more information about the Filecoin VM, please visit https://fvm.filecoin.io/.

For general information about Filecoin, please visit https://docs.filecoin.io/.

Rewards by Threat Level

Rewards are distributed according to the impact of the vulnerability based on the OWASP Risk Rating Model.

Vulnerabilities already tracked in the ref-fvm issue tracker (https://github.com/filecoin-project/ref-fvm/issues) are not eligible for a reward. Moreover, certain known areas are still being hardened. To that end, the FVM team maintains a list of Exclusions to Scope, including Known Issues listed on GitHub, which will be updated regularly: https://github.com/filecoin-project/ref-fvm/issues/428. These areas only become eligible for bounties once they are checked off that list.

Filecoin requires KYC for all bug bounty hunters who submit a report and want a reward. The information needed is IRS Form W-8 for non-US persons or Form W-9 for US persons. This information will be collected by the project team.

Filecoin’s core development team, employees of Protocol Labs and the Filecoin Foundation, and others paid by these organizations to work on the Filecoin project, directly or indirectly, are not eligible for bug bounty rewards.

Payouts are handled by the Filecoin team directly and are denominated in USD. However, payouts are made in FIL and DAI, with the ratio between the two at the discretion of the team.

Blockchain/DLT

Level      Payout
Critical   Up to USD $100,000
High       Up to USD $50,000
Medium     Up to USD $15,000
Low        Up to USD $2,500

Smart Contract

Level      Payout
Critical   Up to USD $100,000
High       Up to USD $50,000
Medium     Up to USD $15,000
Low        Up to USD $2,500

Assets in scope

All Filecoin repositories can be found at https://github.com/filecoin-project/. However, only those listed in the Assets in Scope table are considered in scope for the FVM bug bounty program.

Specs for the Reference Implementation FVM asset can be found at https://github.com/filecoin-project/fvm-project.

The PRs listed for the Lotus - Reference FVM Integration and Lotus - Filecoin FFI assets are provided only as reference entry points into the codebase; the scope is not limited to them. Please review what is on master. Participants are welcome to track WIP branches and PRs, and to audit the incoming code as soon as it lands on master.

For the Built-in Actors asset, an actors spec and test vectors for actors are available for reference. Additionally, an executable spec written in Go is available at filecoin-project/specs-actors; these actors power the network pre-FVM. Note that auditing actors normally requires Filecoin domain expertise. However, we do not consider this to be a "spec conformance" audit, but rather a security audit of the actual implementation.

If a Critical impact can be caused to any other asset managed by Filecoin that is not in this table, but whose Critical impact is listed in the Impacts in Scope section below, you are encouraged to submit it for consideration by the project.

Prioritized Vulnerabilities

Impacts in Scope

All severity levels will be classified according to the OWASP Risk Rating Methodology. Because of this assessment method, the Filecoin team cannot pre-determine impacts and their relative severity levels, so the entries in the Impacts in Scope section are only placeholders for the bug reporting process.

Higher rewards will also be paid for reported vulnerabilities that come with quality written descriptions, test code, scripts and detailed instructions, and well-documented fixes.

The evaluation of the significance of the vulnerability and the specific bounty amount assigned are at the sole discretion of the Filecoin Security Team, which consists of core developers and contributors.

Blockchain/DLT

Critical

  • Critical Blockchain/DLT Impact according to OWASP

High

  • High Blockchain/DLT Impact according to OWASP

Medium

  • Medium Blockchain/DLT Impact according to OWASP

Low

  • Low Blockchain/DLT Impact according to OWASP

Smart Contract

Critical

  • Critical Smart Contract Impact according to OWASP

High

  • High Smart Contract Impact according to OWASP

Medium

  • Medium Smart Contract Impact according to OWASP

Low

  • Low Smart Contract Impact according to OWASP

Out of Scope & Rules

The following vulnerabilities are excluded from the rewards for this bug bounty program:

  • Attacks that the reporter has already exploited themselves, leading to damage
  • Attacks requiring access to leaked keys/credentials
  • Attacks requiring access to privileged addresses (governance, strategist)
  • Filecoin websites and Filecoin infrastructure in general are not part of the bug bounty program
  • Third-party services and websites that show information about the Filecoin network (block explorers, stats dashboards, price indicators, miner leaderboards, etc.)
  • Vulnerabilities previously submitted by another person or identified in a published audit report are not eligible for bug bounty rewards

Smart Contracts and Blockchain

  • Incorrect data supplied by third party oracles
    • This does not exclude oracle manipulation or flash loan attacks
  • Basic economic governance attacks (e.g. 51% attack)
  • Lack of liquidity
  • Best practice critiques
  • Sybil attacks
  • Centralization risks

The following activities are prohibited by this bug bounty program:

  • Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
  • Any testing with pricing oracles or third party smart contracts
  • Attempting phishing or other social engineering attacks against our employees and/or customers
  • Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
  • Any denial of service attacks
  • Automated testing of services that generates significant amounts of traffic
  • Public disclosure of an unpatched vulnerability in an embargoed bounty
  • Public disclosure of a vulnerability makes it ineligible for a bug bounty
  • Denial of Service attacks and Active Exploits against the Filecoin network or Filecoin miners and nodes
  • Social engineering and phishing of Filecoin project contributors, ecosystem collaborators or community members
  • Physical or electronic attempts to access offices where project contributors work or data centers where Filecoin nodes are located

Safe Harbor

We consider security research conducted in alignment with our Disclosure Policy to be protected by Safe Harbor:

  • Authorized in view of any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good faith violations of this policy
  • Authorized in view of relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls
  • Exempt from restrictions in our Acceptable Usage Policy that would interfere with conducting security research, and we waive those restrictions on a limited basis
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith

You are expected to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.