Axelar Network

Axelar Network is a decentralized interoperability network connecting all blockchains, assets and apps through a universal set of protocols and APIs.

Arbitrum

Avalanche

BSC

Base

Blast

Celo

Centrifuge

ETH

Fantom

Filecoin

Fraxtal

Kava

Linea

Mantle

Moonbeam

Optimism

Polygon

Scroll

Blockchain

Defi

Maximum Bounty

$2,250,000

Live Since

11 March 2022

Last Updated

03 December 2024

PoC required
KYC required

Submit a Bug

Information Scope Resources

Select the category you'd like to explore

Assets in Scope

Target	Type	Added on
	Smart Contract - Interchain Token Service contract address (all chains)	24 January 2024
	Smart Contract - Infrastructure - GMP SDK	24 January 2024
	Smart Contract - Interchain Governance Contract	24 January 2024
	Smart Contract - Infrastructure - Axelar EVM Gateway	24 January 2024
	Smart Contract - Interchain Token Service	23 January 2024
	Smart Contract - AXL token address	23 January 2024
	Smart Contract - Interchain Token Factory contract address proxy (all chains)	23 January 2024
	Smart Contract - Binance axlUSDC token address	24 August 2022
	Smart Contract - Binance Axelar Gateway contract address Proxy	24 August 2022
	Blockchain/DLT - Axelarcrypto library	13 May 2022
	Blockchain/DLT - Infrastructure - Axelar signer	13 May 2022
	Blockchain/DLT - Infrastructure - Axelar core protocol	13 May 2022

Target

Type

Smart Contract - Interchain Token Service contract address (all chains)

Added on

24 January 2024

Target

Type

Smart Contract - Infrastructure - GMP SDK

Added on

24 January 2024

Target

Type

Smart Contract - Interchain Governance Contract

Added on

24 January 2024

Target

Type

Smart Contract - Infrastructure - Axelar EVM Gateway

Added on

24 January 2024

Target

Type

Smart Contract - Interchain Token Service

Added on

23 January 2024

Target

Type

Smart Contract - AXL token address

Added on

23 January 2024

Target

Type

Smart Contract - Interchain Token Factory contract address proxy (all chains)

Added on

23 January 2024

Target

Type

Smart Contract - Binance axlUSDC token address

Added on

24 August 2022

Target

Type

Smart Contract - Binance Axelar Gateway contract address Proxy

Added on

24 August 2022

Target

Type

Blockchain/DLT - Axelarcrypto library

Added on

13 May 2022

Target

Type

Blockchain/DLT - Infrastructure - Axelar signer

Added on

13 May 2022

Target

Type

Blockchain/DLT - Infrastructure - Axelar core protocol

Added on

13 May 2022

Impacts in Scope

Critical	Direct loss of funds
Critical	Cryptographic vulnerabilities
Critical	Privilege escalation resulting in a severe impact
Critical	Unauthorized mint/burn/transfer of wrapped assets
Critical	Insolvency
Critical	Permanent freezing of funds
Critical	Direct theft of any user funds, whether at-rest or in-motion
High	Network not being able to confirm new transactions (Total network shutdown)
High	Unintended permanent chain split requiring hard fork (Network partition requiring hard fork)
High	Freezing of funds (fix requires hardfork on Axelar)
High	Non-determinism in the network and consensus failure
High	Transient consensus failures

Severity

Critical

Title

Direct loss of funds

Severity

Critical

Title

Cryptographic vulnerabilities

Severity

Critical

Title

Privilege escalation resulting in a severe impact

Severity

Critical

Title

Unauthorized mint/burn/transfer of wrapped assets

Severity

Critical

Title

Insolvency

Severity

Critical

Title

Permanent freezing of funds

Severity

Critical

Title

Direct theft of any user funds, whether at-rest or in-motion

Severity

High

Title

Network not being able to confirm new transactions (Total network shutdown)

Severity

High

Title

Unintended permanent chain split requiring hard fork (Network partition requiring hard fork)

Severity

High

Title

Freezing of funds (fix requires hardfork on Axelar)

Severity

High

Title

Non-determinism in the network and consensus failure

Severity

High

Title

Transient consensus failures

View rewards

Out of scope

Program's Out of Scope information

The following vulnerabilities are excluded from the rewards for this bug bounty program:

Third party dependencies, especially Cosmos SDK dependencies
In the tofn repository, the only thing in scope is src/ecdsa/mod.rs and it’s project dependencies, excluding third-party dependencies
In the tofnd repository, the only thing in scope is parts related to src/ecdsa/mod.rs in tofn repository
Off-chain components, such as relayer, and vald, are out of scope. Any reports related to these will only be accepted at the discretion of the project.

Default Out of Scope and rules

Smart Contract specific

Incorrect data supplied by third party oracles
- Not to exclude oracle manipulation/flash loan attacks
Impacts requiring basic economic and governance attacks (e.g. 51% attack)
Lack of liquidity impacts
Impacts from Sybil attacks
Impacts involving centralization risks

All categories

Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
Impacts caused by attacks requiring access to leaked keys/credentials
Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed
Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
Best practice recommendations
Feature requests
Impacts on test files and configuration files unless stated otherwise in the bug bounty program
Impacts requiring phishing or other social engineering attacks against project's employees and/or customers

Submit a Bug

Severity

Min. - Max.

Critical

$2.2M

High

$10k -$50k

Medium

$5k

Low

$1k

Total Assets in Scope

Total Impacts in Scope