02 December 2020
Live since
KYC required
Maximum bounty

Fuel is an L2 optimistic rollup provider and technology stack, designed to enable complex financial operations on the Ethereum blockchain, and across blockchains.

Fuel is interested in securing their smart contracts, which can be found at https://github.com/FuelLabs/fuel{: target="_blank" rel="noopener noreferrer"}. Primary areas of concern are around anything that causes loss of funds, consensus failures, and other onchain code vulnerabilities.

Total Bounty Pool: USD 10,000

Rewards by Threat Level

Rewards are distributed according to the exploitability level of the vulnerability and its impact based on the [Immunefi Vulnerability Severity Classification System]({% post_url 2020-11-10-vulnerability-severity-system %}). The payout for a bug report is first calculated by the consequence the vulnerability causes with its respective percentage reward multiplied by the total bounty pool. Afterwards, the exploitability level and its respective percentage is multiplied by that amount to determine the final payout for the bug report.

Loss of contract funds50%
Consensus failure in the protocol40%
DoS amplification10%
Denial of service10%
No known exploit - best practices1%
No access100%
Ordinary access100%
Moderator-approved access20%
Privileged access (non-root)10%
Physical access1%

Payouts are handled by Fuel directly and are denominated in USD.

Prioritized Vulnerabilities

We are especially interested in receiving and rewarding vulnerabilities of the following types:

  • Re-entrancy related vulnerabilities
  • EVM related code misunderstandings or issues
  • Deposit failures
  • Overflows or underflows

Out of Scope & Rules

The following vulnerabilities are excluded from the rewards for this bug bounty program:

  • Theoretical vulnerabilities without any proof or demonstration
  • Vulnerabilities used to enumerate or confirm the existence of users or tenants
  • Minor vulnerabilities requiring unusual / unlikely user actions
  • Bugs or vulnerabilities relating to the fuel.sh website

The following activities are prohibited by bug bounty program:

  • Exploiting bugs on public mainnet and testnets that could result in loss of funds or consensus failure