Ava Labs Avalanche-logo

Ava Labs Avalanche

Ava Labs makes it simple to deploy high-performance solutions for Web3, led by innovations on Avalanche. The company was founded by Cornell computer scientists, who partnered with Wall Street veterans and early Web3 leaders to execute a promising vision for redefining the way people build and use open, permissionless networks.

Maximum Bounty
$100,000
Live Since
03 December 2023
Last Updated
27 October 2024
  • PoC required

  • KYC required

Select the category you'd like to explore

Assets in Scope

Target
Type
Blockchain/DLT - Teleporter
Added on
5 June 2024
Target
Type
Blockchain/DLT - Coreth
Added on
4 December 2023
Target
Type
Blockchain/DLT - subnet-evm
Added on
4 December 2023
Target
Type
Smart Contract - BTC.b
Added on
4 December 2023
Target
Type
Smart Contract - 1inch.e
Added on
4 December 2023
Target
Type
Smart Contract
Added on
4 December 2023
Target
Type
Smart Contract - ALPHA.e
Added on
4 December 2023
Target
Type
Smart Contract - BAT.e
Added on
4 December 2023
Target
Type
Smart Contract - BUSD.e
Added on
4 December 2023
Target
Type
Smart Contract - COMP.e
Added on
4 December 2023
Target
Type
Smart Contract - CRV.e
Added on
4 December 2023
Target
Type
Smart Contract - DAI.e
Added on
4 December 2023

Impacts in Scope

Severity
Critical
Title

Ability to exfiltrate a node's staking keys (TLS or BLS) without direct machine access

Severity
Critical
Title

Network not being able to confirm new transactions (total network shutdown)

Severity
Critical
Title

Unintended permanent chain split requiring hard fork (network partition requiring hard fork)

Severity
Critical
Title

Direct loss of funds

Severity
Critical
Title

Permanent freezing of funds (fix requires hardfork)

Severity
Critical
Title

Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield

Severity
Critical
Title

Permanent freezing of funds

Severity
Critical
Title

Protocol insolvency

Severity
High
Title

Ability to produce a disproportionate number of blocks compared to the amount of controlled stake (High) Assuming the blockchain is using the Snowman++ congestion control mechanism.

Severity
High
Title

Delay message handling of other validators due to sending messages over the P2P network

Severity
High
Title

Ability to circumvent P2P network message throttling

Severity
High
Title

Unintended chain split (network partition)

Out of scope

Program's Out of Scope information
  • If a bug is publicly disclosed (in the repo of an "asset in scope" or otherwise), that bug is considered out-of-scope in this program.
  • If a bug is publicly disclosed in a dependency of any of the "assets in scope", that bug is considered out-of-scope in this program.

Coreth/Subnet-EVM

  • If a bug is publicly disclosed in https://github.com/ethereum/go-ethereum, that bug is considered out-of-scope in this program.

  • If a bug is publicly disclosed in https://github.com/ava-labs/subnet-evm that affects https://github.com/ava-labs/coreth (or vice-versa), that bug is considered out-of-scope in this program.

    • Network-level Denial-of-Service (TCP/IP/P2P)
    • Misconfigurations of AvalancheGo nodes currently running on the Avalanche Network
    • Denial-of-Service, OOM, or panic on any API exposed by AvalancheGo
    • Any usage of the node's HTTP API through intended mediums. Intended mediums include usage:
      • requiring direct machine access
      • through explicitly opened RPC ports
      • This includes the ability to send HTTP requests that cause node panics, OOMs, increased disk usage, or causing the node to become unhealthy.
    • Consensus liveness failure requiring network control.
    • Ex: BGP hijacking attacks
    • Preventing a node from properly connecting to the P2P network due to brute force networking DoS vectors.
      • Ex: Syn attacking a specific node with a botnet.
    • Unintended node behavior caused by local disk failures.
    • Unintended node behavior caused by unusual node configuration deviating from best practices for node configurations
    • Compile time or runtime errors due to using unsupported hardware or operating systems.
    • Inability to automatically perform NAT-hole punching on specific router hardware.

Even if a bug is considered out-of-scope but you feel it should be disclosed privately, we appreciate any and all informational disclosures through this portal. Thanks for your responsible disclosure!

Default Out of Scope and rules

Blockchain/DLT specific

  • Incorrect data supplied by third party oracles
    • Not to exclude oracle manipulation/flash loan attacks
  • Impacts requiring basic economic and governance attacks (e.g. 51% attack)
  • Lack of liquidity impacts
  • Impacts from Sybil attacks
  • Impacts involving centralization risks

All categories

  • Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
  • Impacts caused by attacks requiring access to leaked keys/credentials
  • Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed
  • Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
  • Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
  • Best practice recommendations
  • Feature requests
  • Impacts on test files and configuration files unless stated otherwise in the bug bounty program
  • Impacts requiring phishing or other social engineering attacks against project's employees and/or customers