Fuel is an L2 optimistic rollup provider and technology stack, designed to enable complex financial operations on the Ethereum blockchain, and across blockchains.
Fuel is interested in securing their smart contracts, which can be found at https://github.com/FuelLabs/fuel. Primary areas of concern are around anything that causes loss of funds, consensus failures, and other onchain code vulnerabilities.
Total Bounty Pool: USD 10,000
Rewards by Threat Level
Rewards are distributed according to the exploitability level of the vulnerability and its impact, based on the Immunefi Vulnerability Severity Classification System. The payout for a bug report is calculated in two steps. First, the percentage reward for the consequence the vulnerability causes is multiplied by the total bounty pool. That amount is then multiplied by the percentage for the exploitability level to determine the final payout for the bug report.
| Loss of contract funds | 50% |
| Consensus failure in the protocol | 40% |
| Denial of service | 10% |
| No known exploit - best practices | 1% |
| Privileged access (non-root) | 10% |
Payouts are handled by Fuel directly and are denominated in USD.
We are especially interested in receiving and rewarding vulnerabilities of the following types:
- Re-entrancy related vulnerabilities
- EVM related code misunderstandings or issues
- Deposit failures
- Overflows or underflows
Out of Scope & Rules
The following vulnerabilities are excluded from the rewards for this bug bounty program:
- Theoretical vulnerabilities without any proof or demonstration
- Vulnerabilities used to enumerate or confirm the existence of users or tenants
- Minor vulnerabilities requiring unusual / unlikely user actions
- Bugs or vulnerabilities relating to the fuel.sh website
The following activities are prohibited by this bug bounty program:
- Exploiting bugs on public mainnet and testnets that could result in loss of funds or consensus failure