The Graph
The Graph is an indexing protocol for querying decentralized data from multiple blockchains and storage solutions such as IPFS. It is a decentralized network comprised of multiple stakeholders incentivized to build and offer an efficient and reliable open data marketplace, through GraphQL-based APIs.
PoC required
Vault program
KYC required
Impacts in Scope
Only the following impacts are accepted within this bug bounty program. All other impacts are considered out of scope and ineligible for rewards, even if they affect something in the assets in the scope table. Occasionally, the Graph Foundation may, but is not required to, make an exception and reward disclosure of an out-of-scope impact that would have a material negative impact on the brand or goodwill of The Graph. Whether to make such an exception, as well as the size of the reward for such an exception, is in The Graph Foundation’s sole and final discretion.
Below, “User” includes Indexers, Delegators, Curators, Data Consumers, and Gateway Operators.
Notes related to the impact "A bug related to data determinism when syncing subgraphs and Substreams-powered subgraphs, resulting in POI (Proof of Indexing) divergence on the network (different Indexers not reaching consensus for the same indexing work)":
- The baseline reward for such valid bugs will always be $2.5k, up to $5k in GRT.
- In addition to the standard Proof of Concept mandatory with every report, Hackers must find the root cause of the issue (not just a reproducible PoC).
- This applies to the assets in the scope above (Graph Node, Firehose, and Substreams). Should the origin of the bug be an external RPC client that Graph Node connects to during subgraph syncing (geth, Erigon, etc.), the report will still be considered valid, provided a well-detailed PoC and root cause analysis are attached ("Informational").
- A bug that could cause significant (>$1M) User funds to be lost or stolen directly from protocol smart contracts (not including slashing)
- A bug that could cause significant (>$1M) funds to be lost (not including slashing)
- A bug in the canonical Indexer software stack that could result in private keys being stolen
- A bug that could cause network disruption at Indexer and Gateway level, taking at least 50% of both Gateways and Indexer nodes down (Indexer software stack)
- A bug that could cause incorrect payouts of query fees or indexing rewards
- An economic attack other than a basic 51% governance attack that could cause significant (>$1M) User funds to be lost or stolen directly from protocol smart contracts, or to be exploited
- A bug that could cause network participants to be impersonated and unwanted actions to be taken (e.g., User funds being stolen directly from the protocol smart contracts)
- Private information being stolen
- An economic attack other than a basic 51% governance attack that could cause significant (>$1M) User funds to be lost or stolen directly from the protocol smart contracts
Out of scope
There are known potential exploits on The Graph infrastructure and on the blockchains the protocol is deployed to, Ethereum and Arbitrum One. Bounty hunters will not be rewarded for reporting these:
- Frontrunning, including back running and sandwich attacks
- Known issues previously reported in security audits are out of scope. All protocol audits can be found here: https://www.notion.so/thegraphfoundation/External-Protocol-Audits-95b73b22af3341b6933d74465f5f7059
- Specifically related to OpenZeppelin’s “The Graph Protocol Audit” (August 31, 2020), C01 and C02 have already been addressed by the core dev team. More on C02 can be found here: https://forum.thegraph.com/t/openzeppelin-protocol-audit-prysm-groups-c02-economic-attack-resolution-summary/3280?u=pedro
- Natural network activity, such as curation, whose mechanisms could result in unprofitable actions for a particular stakeholder
Additionally, all of the following vulnerabilities and bug report types are considered out-of-scope in this bug bounty program (though, as noted above, The Graph Foundation may occasionally make an exception and issue a reward for a material, out-of-scope impact):
- Attacks that the reporter has already exploited themselves, leading to damage
- Attacks that rely on social engineering, including requiring the victim to visit an out-of-scope URL
- Attacks requiring access to the victim’s machine
- Attacks requiring access to keys, passwords, or other credentials that were leaked
- Attacks on third-party service providers that could have a negative impact on The Graph, e.g., misconfigurations of third-party services such as Cloudflare
- Incorrect data supplied by third-party oracles (this does not exclude oracle manipulation or flash loan attacks)
- Basic economic governance attacks (e.g. 51% attack)
- Lack of liquidity
- Best practice critiques
- Indexer port configurations not aligned with best practices
- Sybil attacks
- Attacks that have the potential to impact token price
- Testnet assets
- “Man in the middle” attacks
Rules and Requirements
All bounty hunters must abide by the following rules when reporting bugs to be eligible for rewards. We appreciate your cooperation.
Report Responsibly
Report vulnerabilities to The Graph first by submitting a bug report on Immunefi, to mitigate attacks and in the best interest of the network’s safety. Give reasonable time for The Graph to fix the bug before sharing publicly.
Don't Exploit Reported Bugs
Do not exploit bugs in the code to gain an advantage or conduct malicious activity in the network. No hacking or social engineering of other network users.
Don’t Violate Privacy
Do not violate the privacy of network users, other bounty hunters, or The Graph.
Don’t Attack or Defraud The Graph
Do not attack The Graph team, operations, or technology (e.g., DDoS attacks, spam, social engineering) or defraud The Graph team or network users.
Please also note the following reporting requirements:
- Bugs will only be rewarded once, to the first person to report the bug, upon successful reporting and confirmation of the fix.
- Vulnerabilities must be reproducible by The Graph team (please include all relevant links, docs, and code).
- Only a single vulnerability may be submitted per report; multiple submissions for the same vulnerability will not be counted. In case the same vulnerability and/or exploit applies to different assets in scope, these must be mentioned in a single report.
- Bounty hunters can submit multiple bug reports.
- Public disclosure of the vulnerability prior to resolution may cancel a pending reward. We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.
- The Graph and affiliates will not negotiate in response to duress or threats (e.g., we will not negotiate the payout amount under threat of withholding the vulnerability, or under threat of releasing the vulnerability or any exposed data to the public).