Sei
Sei is the fastest Layer 1 blockchain, designed to scale with the industry. Pushing the boundaries of blockchain technology through open source development, Sei stands to unlock a brand new design space for consumer facing applications.
Triaged by Immunefi
PoC Required
KYC required
Arbitration enabled
Select the category you'd like to explore
Assets in Scope
Impacts in Scope
Excluded Giga-Related Functionality
Any functionality related to Giga is currently out of scope for this bug bounty program.
Specifically, the following are excluded from scope:
- Any code paths that require setting any
GIGA_*configuration flag totrue - Any configuration options defined under configuration sections prefixed with
giga - All code contained within the
gigaGo package
All Giga-related configuration flags and settings are disabled by default in all supported environments.
As a result:
- Vulnerabilities that are only exploitable when Giga-related configuration flags are enabled
- Vulnerabilities that exist exclusively within the
gigaGo package - Vulnerabilities reachable solely through execution paths gated by Giga configuration
are not eligible for rewards under this bug bounty program.
Excluded StateSync Peer Functionality
Any functionality related to StateSync Peers is currently out of scope for this bug bounty program.
A StateSync Peer is a trusted node that provides state synchronization data to other nodes during initial sync. These are nodes explicitly configured as RPC servers and persistent peers for the purpose of state sync. They serve trust height, trust hash, and block/state data that the syncing node consumes directly.
Specifically, the following are excluded from scope:
- Any vulnerabilities that require a malicious or compromised StateSync Peer to be exploited
- Any attack vectors that depend on a StateSync Peer returning tampered block data, trust hashes, or state snapshots
- Any vulnerabilities that rely on poisoning the persistent peers list with attacker-controlled node IDs obtained through compromised StateSync Peer RPC responses
- Any vulnerabilities related to P2P-mode state sync, where any connected P2P peer can serve as a state provider. P2P-mode state sync is disabled by default and is not used in Sei's supported state sync workflow
StateSync Peers are considered trusted infrastructure within the Sei network's threat model. As a result:
- Vulnerabilities that assume a StateSync Peer is acting maliciously or has been compromised
- Vulnerabilities that are only exploitable by controlling or impersonating a StateSync Peer endpoint
- Vulnerabilities reachable solely through tampered RPC responses from a trusted StateSync Peer
- Vulnerabilities that exist exclusively within P2P-mode state sync code paths
are not eligible for rewards under this bug bounty program.
Direct loss of funds
Permanent freezing of funds (fix requires hard fork)
RPC API crash affecting projects with greater than or equal to 25% of the market capitalization on top of the respective layer
Unintended permanent chain split requiring hard fork (network partition requiring hard fork)
Network not being able to confirm new transactions (total network shutdown)
Increasing network processing node resource consumption by at least 30% without brute force actions, compared to the preceding 24 hours
Shutdown of greater than or equal to 30% of network processing nodes without brute force actions, but does not shut down the network
A bug in the respective layer 0/1/2 network code that results in unintended smart contract behavior with no concrete funds at direct risk
Temporary freezing of network transactions by delaying one block by 500% or more of the average block time of the preceding 24 hours beyond standard difficulty adjustments
Causing network processing nodes to process transactions from the mempool beyond set parameters
Shutdown of greater than 10% or equal to but less than 30% of network processing nodes without brute force actions, but does not shut down the network
Modification of transaction fees outside of design parameters
Out of scope
Blockchain/DLT specific
- Incorrect data supplied by third party oracles
- Not to exclude oracle manipulation/flash loan attacks
- Impacts requiring basic economic and governance attacks (e.g. 51% attack)
- Lack of liquidity impacts
- Impacts from Sybil attacks
- Impacts involving centralization risks
All categories
- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
- Impacts caused by attacks requiring access to leaked keys/credentials
- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed
- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
- Best practice recommendations
- Feature requests
- Impacts on test files and configuration files unless stated otherwise in the bug bounty program
- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers