Sei
Sei is the fastest Layer 1 blockchain, designed to scale with the industry. Pushing the boundaries of blockchain technology through open source development, Sei stands to unlock a brand new design space for consumer facing applications.
Triaged by Immunefi
PoC Required
KYC required
Arbitration enabled
Select the category you'd like to explore
Assets in Scope
Impacts in Scope
Giga-Related Functionality
With the exception of the Giga executor, all functionality related to Giga is currently out of scope for this bug bounty program.
The Giga executor is in scope. The Giga executor is enabled by default. The following are in scope:
- The
giga/executorGo package (and its subpackages) - The
[giga_executor]configuration section, including both theenabledandocc_enabledoptions
The following are out of scope even though they relate to the Giga executor, and are not eligible for rewards:
- EVMone: any functionality related to the evmone-based execution backend, including the
evmoneVM integration and any code paths specific to it. EVMone is not used in production and has not been extensively tested. - Transaction result differences (including
LastResultsHashdivergence) between the Giga and V2 executors: the two execution implementations are not guaranteed to produce identical transaction results or an identicalLastResultsHash. This is a known difference. - Block delay impacts that rely on the current fallback from Giga to V2 execution: the current fallback from Giga to V2 execution can increase EVM transaction execution time, and block delay impacts that depend on this fallback are not in scope.
All other Giga functionality is out of scope. Every Giga feature other than the executor remains disabled by default in all supported environments. Specifically, the following are excluded from scope:
- The Autobahn multi-proposer consensus protocol
- Giga storage
- Any code paths that require setting a
GIGA_*configuration flag totrue, other than enabling the Giga executor - Any configuration options under
giga-prefixed sections other than[giga_executor] - Any code contained within
gigapackages other thangiga/executor
As a result:
- Vulnerabilities that are only exploitable when Giga functionality other than the executor is enabled
- Vulnerabilities that exist exclusively within
gigapackages other thangiga/executor - Vulnerabilities reachable solely through execution paths gated by non-executor Giga configuration
are not eligible for rewards under this bug bounty program.
Excluded StateSync Peer Functionality
Any functionality related to StateSync Peers is currently out of scope for this bug bounty program.
A StateSync Peer is a trusted node that provides state synchronization data to other nodes during initial sync. These are nodes explicitly configured as RPC servers and persistent peers for the purpose of state sync. They serve trust height, trust hash, and block/state data that the syncing node consumes directly.
Specifically, the following are excluded from scope:
- Any vulnerabilities that require a malicious or compromised StateSync Peer to be exploited
- Any attack vectors that depend on a StateSync Peer returning tampered block data, trust hashes, or state snapshots
- Any vulnerabilities that rely on poisoning the persistent peers list with attacker-controlled node IDs obtained through compromised StateSync Peer RPC responses
- Any vulnerabilities related to P2P-mode state sync, where any connected P2P peer can serve as a state provider. P2P-mode state sync is disabled by default and is not used in Sei's supported state sync workflow
StateSync Peers are considered trusted infrastructure within the Sei network's threat model. As a result:
- Vulnerabilities that assume a StateSync Peer is acting maliciously or has been compromised
- Vulnerabilities that are only exploitable by controlling or impersonating a StateSync Peer endpoint
- Vulnerabilities reachable solely through tampered RPC responses from a trusted StateSync Peer
- Vulnerabilities that exist exclusively within P2P-mode state sync code paths
are not eligible for rewards under this bug bounty program.
Permanent freezing of funds of USD $5,000 or more with no on-chain remediation path, excluding general network unavailability (fix requires hard fork)
Direct loss of funds of USD $5,000 or more (including but not limited to unauthorized transfers, token minting, or token burning)
Crash or halt of ≥1/3 of validators (assuming no direct network access to validator nodes), resulting in loss of network liveness
Unintended permanent chain split requiring hard fork to resolve (network partition with no automatic recovery)
Crash of RPC nodes running default configuration without assuming direct network access (e.g. via malicious block/transaction payloads propagated through the network)
Malicious proposer block freeze: delay of ≥10 minutes caused by a single proposer beyond simply skipping their own proposal slot(s)
Bug in layer 0/1/2 network code that causes deterministic unintended smart contract execution, with no funds directly at risk
Crash of RPC nodes running default configuration via direct unauthenticated network access to RPC/gRPC endpoints
Crash or halt of ≥10% but <1/3 of validators via crafted (non-brute-force) messages, where the network retains liveness
Block production delay exceeding 2.5 seconds on realistic validator hardware, caused by crafted transactions or messages (excluding malicious proposers)
Permanent freezing of funds of less than USD $5,000 with no on-chain remediation path, excluding general network unavailability (fix requires hard fork)
Direct loss of funds of less than USD $5,000 (including but not limited to unauthorized transfers, token minting, or token burning)
Out of scope
Blockchain/DLT specific
- Incorrect data supplied by third party oracles
- Not to exclude oracle manipulation/flash loan attacks
- Impacts requiring basic economic and governance attacks (e.g. 51% attack)
- Lack of liquidity impacts
- Impacts from Sybil attacks
- Impacts involving centralization risks
All categories
- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
- Impacts caused by attacks requiring access to leaked keys/credentials
- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed
- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
- Best practice recommendations
- Feature requests
- Impacts on test files and configuration files unless stated otherwise in the bug bounty program
- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers