
The Graph

The Graph is an indexing protocol for querying decentralized data from multiple blockchains and storage solutions such as IPFS. It is a decentralized network comprised of multiple stakeholders incentivized to build and offer an efficient and reliable open data marketplace, through GraphQL-based APIs.

Tags: Arbitrum, ETH, Blockchain, Infrastructure, Services, Staking, Go, Julia, Rust, Solidity, Typescript

Maximum Bounty: $2,500,000
Live Since: 04 August 2021
Last Updated: 15 November 2024
  • PoC required

  • Vault program

  • KYC required


Assets in Scope

  • Blockchain/DLT - Substreams, added on 9 May 2024
  • Blockchain/DLT - Gateway, added on 9 May 2024
  • Smart Contract - StakingExtension (Arbitrum), added on 18 September 2023
  • Smart Contract - StakingExtension (Ethereum Mainnet), added on 18 September 2023
  • Websites and Applications - The Graph Gateway, added on 3 July 2023
  • Websites and Applications - Studio, added on 3 July 2023
  • Websites and Applications - Explorer, added on 3 July 2023
  • Blockchain/DLT - Integrator Tool Kit for Developers Maintaining Firehose, added on 3 July 2023
  • Blockchain/DLT - Ethereum Firehose Indexer (Indexer Software Stack), added on 3 July 2023
  • Blockchain/DLT - Epoch Block Oracle (Subgraph), added on 3 July 2023
  • Blockchain/DLT - Epoch Block Oracle, added on 3 July 2023
  • Blockchain/DLT - Indexer Allocation Optimizer (Indexer Software Stack), added on 3 July 2023

Impacts in Scope

Only the following impacts are accepted within this bug bounty program. All other impacts are considered out of scope and ineligible for rewards, even if they affect something in the Assets in Scope table. Occasionally, The Graph Foundation may, but is not required to, make an exception and reward disclosure of an out-of-scope impact that would have a material negative impact on the brand or goodwill of The Graph. Whether to make such an exception, as well as the size of the reward for such an exception, is in The Graph Foundation’s sole and final discretion.

Below, “User” includes Indexers, Delegators, Curators, Data Consumers, and Gateway Operators.

Notes related to the impact "A bug related to data determinism when syncing subgraphs and Substreams-powered subgraphs, resulting in POI (Proof of Indexing) divergence on the network (different Indexers not reaching consensus for the same indexing work)":

  • The baseline reward for such valid bugs will always be $2.5k, up to $5k in GRT.
  • In addition to the Proof of Concept that is mandatory with every report, reporters must identify the root cause of the issue (a reproducible PoC alone is not sufficient).
  • This applies to the assets in the scope above (Graph Node, Firehose, and Substreams). Should the origin of the bug be an external RPC client that Graph Node connects to during subgraph syncing (geth, Erigon, etc.), the report will still be considered valid, provided a well-detailed PoC and root cause analysis are attached ("Informational").
  • Critical: A bug that could cause significant (>$1M) User funds to be lost or stolen directly from protocol smart contracts (not including slashing)
  • Critical: A bug that could cause significant (>$1M) User funds to be lost or stolen directly from protocol smart contracts (not including slashing)
  • Critical: A bug that could cause significant (>$1M) funds being lost (not including slashing)
  • High: A bug in the canonical Indexer software stack that could result in private keys being stolen
  • High: A bug that could cause network disruption at Indexer and Gateway level, taking at least 50% of both Gateways and Indexer nodes down (Indexer software stack)
  • High: A bug that could cause incorrect payouts of query fees or indexing rewards
  • High: An economic attack other than a basic 51% governance attack that could cause significant (>$1M) User funds to be lost or stolen directly from protocol smart contracts or being exploited
  • High: A bug that could cause network participants to be impersonated and unwanted actions being taken (e.g., User funds being stolen directly from the protocol smart contracts)
  • High: Private information being stolen
  • High: A bug that could cause incorrect payouts of query fees or indexing rewards
  • High: An economic attack other than a basic 51% governance attack that could cause significant (>$1M) User funds to be lost or stolen directly from the protocol smart contracts
  • High: A bug that could cause network participants to be impersonated and unwanted actions being taken (e.g., User funds being stolen directly from the protocol smart contracts)

Out of scope

Program's Out of Scope information

There are known potential exploits on The Graph infrastructure and on the blockchains where the protocol is deployed (Ethereum and Arbitrum One). Bounty hunters will not be rewarded for reporting these:

Additionally, all of the following vulnerabilities and bug report types are considered out-of-scope in this bug bounty program (though, as noted above, The Graph Foundation may occasionally make an exception and issue a reward for a material, out-of-scope impact):

  • Attacks that rely on social engineering, including requiring the victim to visit an out-of-scope URL
  • Attacks requiring access to the victim’s machine
  • Attacks on third-party service providers that could have a negative impact on The Graph, e.g. misconfigurations of third-party services such as Cloudflare
  • Best practice critiques
  • Indexer port configurations not aligned with best practices
  • Attacks that have the potential to impact token price
  • Testnet assets
  • “Man in the middle” attacks

Rules and Requirements

All bounty hunters must abide by these rules when reporting bugs to be eligible for rewards. We appreciate your cooperation.

Report Responsibly

Report vulnerabilities to The Graph first by submitting a bug report on Immunefi, to mitigate attacks and in the best interest of the network’s safety. Give reasonable time for The Graph to fix the bug before sharing publicly.

Don't Exploit Reported Bugs

Do not exploit bugs in the code to gain an advantage or conduct malicious activity in the network. No hacking or social engineering of other network users.

Don’t Violate Privacy

Do not violate the privacy of network users, other bounty hunters, or The Graph.

Don’t Attack or Defraud The Graph

Do not attack The Graph team, operations, or technology (e.g. DDoS attacks, spam, social engineering) or defraud The Graph team or network users.

Please also note the reporting requirements:

  • A bug is rewarded only once, to the first person to report it, upon successful reporting and confirmation of the fix.

  • Vulnerabilities must be reproducible by The Graph team (please include all relevant links, docs, and code).

  • Only one vulnerability may be submitted per report; multiple submissions for the same vulnerability will not be counted. If the same vulnerability and/or exploit applies to different assets in scope, these must be mentioned in a single report.

  • Bounty hunters can submit multiple bug reports.

  • Public disclosure of the vulnerability prior to resolution may cancel a pending reward. We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.

  • The Graph and affiliates will not negotiate in response to duress or threats (e.g., we will not negotiate the payout amount under threat of withholding the vulnerability or threat of releasing the vulnerability or any exposed data to the public).

Default Out of Scope and Rules

Smart Contract specific

  • Incorrect data supplied by third party oracles
    • Not to exclude oracle manipulation/flash loan attacks
  • Impacts requiring basic economic and governance attacks (e.g. 51% attack)
  • Lack of liquidity impacts
  • Impacts from Sybil attacks
  • Impacts involving centralization risks

All categories

  • Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
  • Impacts caused by attacks requiring access to leaked keys/credentials
  • Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed
  • Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
  • Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
  • Best practice recommendations
  • Feature requests
  • Impacts on test files and configuration files unless stated otherwise in the bug bounty program
  • Impacts requiring phishing or other social engineering attacks against project's employees and/or customers

Rewards by Severity

Severity   Min. - Max.
Critical   $2.5M
High       $200k
Medium     $20k
Low        $5k

Total Assets in Scope: 48
Total Impacts in Scope: 30
Total paid: 1.1M