Immunefi
Blog
Platform
Bug Bounty ProgramsPR ReviewsAuditsAudit CompetitionsInvite OnlySafe HarborVaultsManaged TriageHelp Center
Security Researchers

Join Immunefi

Find bugs. Get paid.

Immunefi Profile PicHacker PledgingHelp for WhitehatsAll StarsLearnLeaderboardImmunefi Top 10 BugsWhitehat AwardsWhitehat Hall of FameCompetition FindingsResponsible Publication
Token
FoundationInstitutionalDocsIR ContactBuy IMU
LoginExplore BountiesGet Protected
Back to Explore
SSV Network-logo

SSV Network

|

The ssv.network is a fully decentralized, open-source, and trustless DVT Network that provides a reusable infrastructure solution for decentralizing Ethereum validators.

ETH
Defi
Infrastructure
Staking
Validator
Solidity
Maximum Bounty
$250,000
Live Since
11 September 2023
Last Updated
09 April 2026

  • PoC Required

  • Vault program

  • KYC required

Submit a Bug
InformationScopeResources

VaultImmunefi vault program

Funds available

$433,410.22

30d Avg. Funds availability

$412,963.72

Assets in vault

  • 148.4k SSV

Public vault address

0x2Be7549f1B58Fc3E81427a09E61e6D0B050A4C1D

Rewards

SSV Network provides rewards in SSV on Ethereum, denominated in USD.

Rewards by Threat Level

Smart Contract
Critical
Max: $250,000Min: $50,000
Primacy of Impact
High
Flat: $30,000
Primacy of Impact
Medium
Flat: $10,000
Primacy of Impact
Low
Flat: $1,500
Primacy of Impact
Critical Reward Calculation

Mainnet assets:

Reward amount is 10% of the funds directly affected up to a maximum of:

$250,000

Minimum reward to discourage security researchers from withholding a bug report:

$50,000
Rewards Body

The advertised prize pool is dependent on the actual token price and can very continiously and extremely.

Reward Determination and Calculation Bounty rewards are adjudicated pursuant to the potential impact of the disclosed vulnerability as defined in the Impacts in Scope table. For vulnerabilities classified as Critical Smart Contract bugs, the reward shall be calculated as ten percent (10%) of the funds directly affected, up to a maximum ceiling of USD 250,000. The valuation of funds at risk is determined based on the specific time and date of the report submission. Notwithstanding the foregoing, a minimum floor reward of USD 50,000 shall be guaranteed for Critical reports to ensure continued incentive for the disclosure of high-impact vulnerabilities.

Repeatable Attack Limitations In instances involving repeatable attacks on smart contracts, reward eligibility is restricted exclusively to the initial attack vector. This limitation remains in effect regardless of the contract’s architecture, including but not limited to its status as upgradable, pausable, or killable.

Exclusions Based on Previous Audits The ssv.network has provided comprehensive audit review reports for public reference. Any vulnerability identified in these reports that remains unfixed, or any issue documented on docs.ssv.network or within any branch of the specified repository, is strictly ineligible for a reward.

Proof of Concept Requirements A functional Proof of Concept (PoC) is a condition precedent for reward eligibility across Critical, High, Medium, and Low severity levels for Smart Contracts. All submissions must strictly adhere to the Immunefi-wide Proof of Concept Guidelines and Rules. Any bug report submitted without a valid, compliant PoC will be denied a reward in its entirety.

Disclosure and Aggregate Pool Limits The public disclosure of any vulnerability is prohibited without the express authorization of the SSV DAO Grants Committee. The total cumulative reward pool for this program is capped at 150,000 SSV tokens. This aggregate limit is absolute and shall not be exceeded, even if the calculated USD value of an individual award exceeds the market value of the remaining tokens in the pool. In such an event, the maximum possible payout is limited to the balance of SSV tokens remaining in the program treasury.

Reward Payment and Valuation Terms Reward disbursements are administered by the SSV Network Grants Committee. While rewards are denominated in United States Dollars (USD), settlement shall be executed exclusively in SSV tokens. The conversion rate is determined by the average market price reported by CoinMarketCap.com and CoinGecko.com at the precise time of report submission. No adjustments shall be made for market liquidity or slippage. As a non-binding example, if a reward is valued at USD 5,000 and the average market price is USD 1.75 per token, the final disbursement shall be 2,857.142857 SSV tokens.

View impacts in scope

Program Overview

The ssv.network is a fully decentralized, open-source, and trustless DVT Network that provides a reusable infrastructure solution for decentralizing Ethereum validators.

The protocol supports Ethereum’s validation layer by distributing validator operations to the network’s multiple non-trusting nodes (a.k.a Operators). Clusters of operator nodes operate validators on behalf of the staker and simultaneously help solve the fundamental issues of centralization, redundancy, and security that exist within Ethereum’s PoS consensus.

For more information about ssv.network, please visit https://ssv.network/

ssv.network provides rewards in SSV. For more details about the payment process, please view the Rewards by Threat Level section further below.

KYC Requirement

The provision of KYC is required to receive a reward for this bug bounty program where the following information will be required to be provided:

  • Official government identification document (Passport, ID Card) of the bounty’s recipient
  • Up to date proof of address document (utility bill, Bank statement etc)

KYC information is only required on confirmation of the validity of a bug report.

Primacy of Impact vs Primacy of Rules

ssv.network adheres to the Primacy of Impact for the following severity levels:

  • Smart Contract - Critical
  • Smart Contract - High
  • Smart Contract - Medium
  • Smart Contract - Low

If a category’s severity level is covered within the Primacy of Impact, it means that even if the impacted asset is not in-scope but is owned by the project, then it would be considered as in-scope of the bug bounty program as long as it involves an impact under that respective severity level. When submitting a report, just select the Primacy of Impact asset placeholder. If the team behind this project has multiple projects, those other projects are not covered under the Primacy of Impact of this program. Instead, check if those other projects have a bug bounty program on Immunefi.

Testnet and mock files are not covered under the Primacy of Impact.

All other severity levels not listed here are considered under the Primacy of Rules, which means that they are bound by the terms of the bug bounty program.

Immunefi Standard Badge

ssv.network has satisfied the requirements for the Immunefi Standard Badge, which is given to projects that adhere to our best practices.

Audits

Auditor
Quantstamp
Link
https://github.com/ssvlabs/ssv-network/tree/main/contracts/audits
Completed at
3 July 2024
Auditor
Quantstamp
Link
https://github.com/ssvlabs/ssv-network/tree/mainnet-v2.0.0/contracts/audits
Completed at
25 February 2026

Known Issues

Category
Smart Contract
Description / Link
Liquidations between root commitments. EB drift between root commitments. Background: EB roots are committed periodically (~8 hours in production). A committed root is a point-in-time snapshot; it is not updated synchronously with every validator addition or removal. `updateClusterBalance` is permissionless for any caller holding a valid proof against the latest committed root. Risk: remove validators, then withdraw aggressively. Validator removals reduce the on-chain `validatorCount` immediately, but the latest committed root still reflects EB from before the removal. Any above-baseline EB is not proportionally reduced by validator removal. If an owner removes many validators and then withdraws down near the liquidation threshold based only on the new lower validator count, any caller can submit `updateClusterBalance` with the stale-but-valid high-EB root. That raises the effective fees and liquidation threshold. If the cluster becomes underfunded, the protocol auto-liquidation fires and the caller receives the remaining cluster balance. Example sequence: - T0: Oracle snapshots cluster at 10,000 ETH EB, 100 validators - T1: Root committed (latestCommittedBlock set) - T2: Owner removes many validators; on-chain count drops immediately - T3: Owner withdraws based on lower count; cluster left near liquidation threshold - T4: Any caller submits proof from the T1 root (still valid, still reflects high EB) - T5: Auto-liquidation triggers; caller receives remaining cluster balance Mitigations: - Before large removals, check whether the latest committed root has already been consumed by the cluster. - After large removals, do not withdraw near the liquidation threshold until a fresh post-removal root has been committed and consumed. - Size withdrawals using the latest unconsumed root EB, not the new validator count alone or the value from `SSVNetworkViews.getEffectiveBalance`. - High-EB clusters should maintain a conservative buffer through at least the next oracle round. Accepted trade-off: add validators before the next oracle round. The opposite direction temporarily favors the cluster owner. After consuming a root, newly registered validators are accounted at the 32 ETH baseline EB only. Any above-baseline EB they carry on the beacon chain is not yet reflected on-chain until the next root is committed and consumed. This latency is accepted by design, but owners should fund for the EB that the next root will apply, not only the current baseline.
Last Updated At
11 May 2026
Category
Smart Contract
Description / Link
Extracting fees from a cluster when an operator is removed. When an operator is removed, `removeOperator()` first settles the operator's accrued SSV and ETH earnings, then resets active state via `_resetOperatorState()`. That reset clears block, balances, fees, and validator counts, but intentionally does not clear `snapshot.index` or `ethSnapshot.index`. See [SSVOperators.sol](https://github.com/ssvlabs/ssv-network/tree/v2.0.0/contracts/modules/SSVOperators.sol) (removeOperator line 81, _resetOperatorState line 349). Cluster accounting continues to include the removed operator's frozen index. In `OperatorLib.updateClusterData`, removed operators are skipped for future fee accrual (block and fee are zero, so no new earnings accumulate), but their preserved index is still added to `clusterIndex` when computing the cluster's outstanding balance. See [OperatorLib.sol](https://github.com/ssvlabs/ssv-network/tree/v2.0.0/contracts/libraries/OperatorLib.sol) (skip condition line 245, index addition line 260). The same logic applies in withdraw and view paths: with `ethSnapshot.block == 0` and `ethFee == 0`, future accrual is zero, but the frozen `ethSnapshot.index` remains part of the cluster's running index. This is by design. The frozen index represents fees the operator earned up to the point of removal but that the cluster has not yet settled. Clusters holding multiple operators can still operate with reduced coverage after a removal; they are not force-liquidated. Settled or not, the amount owed to the removed operator is preserved in the index until the cluster next interacts with the protocol and settles the delta. This behavior is documented in [FLOWS.md](https://github.com/ssvlabs/ssv-network/tree/v2.0.0/docs/FLOWS.md) and [SPEC.md](https://github.com/ssvlabs/ssv-network/tree/v2.0.0/docs/SPEC.md).
Last Updated At
11 May 2026
Category
Smart Contract
Description / Link
Depositing to the cluster can prevent legit cluster operations. Every cluster-related function takes the current cluster object as a caller-supplied input parameter. The caller must pass the exact state that was emitted by the last executed cluster function; if the on-chain cluster state has changed since that emission, the call reverts. This is by design: the pattern avoids extra gas costs by letting the caller supply and prove the current state. Because `deposit` is permissionless, any actor can deposit even 1 wei to a cluster. That mutates the cluster object. A transaction that front-runs a legitimate cluster owner call (withdraw, liquidation, validator registration, etc.) with a 1-wei deposit will cause the owner's transaction to revert, since the cluster hash it carries is now stale. This is a design trade-off, not a bug, and it is accepted for the following reasons: - No sustained economic incentive. Repeatedly front-running a cluster requires running competitive block-inclusion infrastructure. The cost of maintaining that consistently outweighs any benefit, since the attacker gains nothing from the deposit itself and only delays the target operation by one transaction. - Liquidations are self-correcting. Liquidators are off-chain services operating continuously to preserve cluster solvency. A single front-run delays one liquidation attempt by one block; the liquidator retries with the updated cluster state. The liquidation threshold and minimum collateral parameters are sized to absorb short delays without creating insolvency windows that make front-running economically attractive. - Affected operations are retriable. Withdraw, register validators, and similar calls are owner-initiated and can simply be resubmitted with the updated cluster state. There is no permanent loss or irreversible failure from a single front-run.
Last Updated At
11 May 2026
Category
Smart Contract
Description / Link
Overflows in operator/cluster accounting. Operator and cluster fee accounting uses `uint64` arithmetic throughout. An example is the cluster balance update in `ClusterLib.updateBalanceSSV`: ```solidity PackedSSV usage = PackedSSV.wrap((newIndex - cluster.index) * cluster.validatorCount + networkFee); ``` Intermediate products like `(newIndex - cluster.index) * cluster.validatorCount` are computed in `uint64`, so sufficiently large index deltas or validator counts could in principle overflow. We ran simulations across the full range of current protocol parameters — maximum validators per operator (3,000), current SSV and ETH network fees, and the configured min/max operator fee bounds — and found no overflow under realistic operating conditions. An operator managing 3,000 validators and never withdrawing accumulated earnings for more than 10 years stays within `uint64` range. That scenario is already extreme well beyond any expected operational pattern. This is accepted as a residual theoretical risk under the following rationale: - Current protocol parameters (validator cap, fee bounds, network fee levels) keep all intermediate values comfortably within `uint64` for the foreseeable operational lifetime of the protocol. - Operators and cluster owners have strong economic incentives to withdraw earnings and settle balances regularly, which resets the relevant accumulators and keeps deltas small in practice. - Any future parameter changes (e.g., raising the validator cap or fees significantly) would need to re-evaluate this headroom before deployment.
Last Updated At
11 May 2026

KYC required

The submission of KYC information is a requirement for payout processing.

Participants must adhere to the Eligibility Criteria.

Proof of Concept

Proof of concept is always required for all severities.

Responsible Publication

Category 3: Approval Required

Prohibited Activities

Default prohibited activities
  • Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet
  • Any testing with pricing oracles or third-party smart contracts
  • Attempting phishing or other social engineering attacks against our employees and/or customers
  • Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
  • Any denial of service attacks that are executed against project assets
  • Automated testing of services that generates significant amounts of traffic
  • Public disclosure of an unpatched vulnerability in an embargoed bounty
  • Any other actions prohibited by the Immunefi Rules

Feasibility Limitations

The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.

Therefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.

30d Avg. Funds Availability
$412,963.72
Total Assets in Scope
3