Cronos Gravity Bridge (Testnet)

Live since: 19 July 2022
KYC required: Yes
Maximum bounty: $200,000

Program Overview

An open, decentralized bridge that unlocks the power of interoperability & liquidity between blockchain ecosystems.

The Cronos Gravity Bridge is positioned to become the canonical bridge for ERC20 tokens between Ethereum mainnet and Cronos, the first EVM-compatible chain built on Cosmos SDK and a top 10 chain by total value locked.

The Cronos Gravity Bridge has been deployed for testing between the Ethereum Goerli testnet and a dedicated Cronos testnet (“Pioneer 11”), as announced below.

For more information about Gravity Bridge, please visit https://github.com/crypto-org-chain/gravity-bridge/tree/v2.0.0-cronos-alpha1

The goal of this bounty is to encourage security researchers to assess the Cronos Gravity Bridge in its current testnet implementation, in order to ultimately make it possible for end-users to safely transfer cryptocurrencies across multiple chains of the Ethereum and Cosmos ecosystems.

The bug bounty is for Testnet only

Rewards by Threat Level

All app bug reports must come with a PoC whose end effect impacts an asset in scope in order to be considered for a reward. All Smart Contract bug reports require a PoC and a suggested fix to be eligible for a reward. Explanations and statements are not accepted as a PoC; code is required.

All rewards for the Cronos Gravity Bridge bug bounty program are scaled according to internally established team criteria, taking into account the exploitability of the bug, the impact it causes, and the likelihood of the vulnerability presenting itself. Likelihood is weighted especially heavily for bug reports that require multiple conditions that are not currently in place. There is, however, a minimum reward of USD 1,000 for each severity level; rewards are provided at the fair value determined by the team under these conditions, assuming the bug report is in scope of the bug bounty program.

Cronos Gravity Bridge requires KYC for all bug bounty hunters who submit a report and want a reward. Once the report is deemed valid, you will need to fill in the KYC form. This information is collected by the Cronos Gravity Bridge team.

Payouts are handled by Cronos Labs and are denominated in USD. Payouts are done in USDC and USDT only, with the choice of the ratio at the discretion of the Cronos team.

Disclaimer: Cronos Labs reserves the ultimate decision and will determine at its discretion whether a vulnerability is eligible for a reward and the amount of the award depending on severity.

Blockchain/DLT

  Level      Payout               PoC
  Critical   Up to USD 200,000    Required
  High       Up to USD 100,000    Required
  Medium     Up to USD 25,000     Required

Smart Contract

  Level      Payout               PoC
  Critical   Up to USD 200,000    Required
  High       Up to USD 100,000    Required
  Medium     Up to USD 25,000     Required

Websites and Applications

  Level      Payout               PoC
  Critical   Up to USD 200,000    Required
  High       Up to USD 100,000    Required
  Medium     Up to USD 25,000     Required

Assets in scope

All smart contracts of Gravity Bridge can be found at https://github.com/crypto-org-chain/gravity-bridge/tree/v2.0.0-cronos-alpha1/solidity. However, only those listed in the Assets in Scope table are considered in scope of the bug bounty program.

If an impact can be caused to any other asset managed by Gravity Bridge that is not in this table but for which the impact is listed in the Impacts in Scope section below, you are encouraged to submit it for consideration by the project. This applies to Critical and High impacts only.

Please note that logic calls (create logicCalls) are not yet implemented by the integrated chain (Cronos). This means the function does not work end to end; its implementation is future work.

Impacts in scope

Only the following impacts are accepted within this bug bounty program. All other impacts are considered out of scope, even if they affect something in the Assets in Scope table.

Blockchain/DLT

  • Critical: Risks leading to loss/theft of funds
  • Critical: Funds locked permanently
  • Critical: Indefinite chain halting of the entire network
  • High: Unauthorised modification of validator sets and/or voting power that negatively impacts consensus
  • Medium: Risks that could lead to temporary chain halting

Smart Contract

  • Critical: Risks leading to loss/theft of funds
  • Critical: Funds locked permanently
  • Critical: Indefinite chain halting of the entire network
  • High: Unauthorised modification of validator sets and/or voting power that negatively impacts consensus
  • Medium: Risks that could lead to temporary chain halting

Websites and Applications

  • Critical: Risks leading to loss/theft of funds
  • Critical: Funds locked permanently
  • Critical: Indefinite chain halting of the entire network
  • High: Unauthorised modification of validator sets and/or voting power that negatively impacts consensus
  • Medium: Risks that could lead to temporary chain halting

Out of Scope & Rules

The following vulnerabilities are excluded from the rewards for this bug bounty program:

  • Attacks that the reporter has already exploited themselves, leading to damage
  • Attacks that rely on social engineering
  • Attacks requiring access to leaked keys/credentials
  • Attacks requiring access to privileged addresses

Smart Contracts and Blockchain

  • Incorrect data supplied by third party oracles
  • Basic economic governance attacks (e.g. 51% attack)
  • Lack of liquidity
  • Best practice critiques
  • Sybil attacks
  • Centralization risks
  • Previously known vulnerabilities (resolved or not) on the Ethereum network and/or any fork of it
  • Previously known vulnerabilities in Tendermint and/or any fork of it
  • Previously known vulnerabilities in cosmos-sdk and/or any fork of it
  • Previously known vulnerabilities in Gravity Bridge and/or any fork of it
  • Previously known vulnerable libraries without a working proof of concept
  • Public Zero-day vulnerabilities
  • Feature request
  • Best practices

Websites and Apps

  • Theoretical vulnerabilities without any proof or demonstration
  • Vulnerabilities used to enumerate or confirm the existence of objects or individuals such as identities, nodes, contracts, tokens and funds that do not disclose sensitive information.
  • Vulnerabilities requiring unlikely user actions
  • Attacks requiring privileged access from within the organization
  • Vulnerabilities only exploitable on out-of-date browsers or platforms
  • Vulnerabilities in third party applications that make use of Crypto.com’s Gravity bridge
  • Reports from automated tools or scans without a demonstration of exploitability
  • Use of known vulnerable libraries without actual proof of concept
  • Vulnerabilities that require physical access to a user's device

The following activities are prohibited by this bug bounty program:

  • Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
  • Any testing with pricing oracles or third party smart contracts
  • Attempting phishing or other social engineering attacks against our employees and/or customers
  • Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
  • Any denial of service attacks
  • Automated testing of services that generates significant amounts of traffic
  • Public disclosure of an unpatched vulnerability in an embargoed bounty