Building a highly trusted and secure network for digital assets requires care and vigilance. As with any complex system, there are potential bugs and vulnerabilities that can arise as the ecosystem grows and develops. That is why the Sui Foundation has partnered with Immunefi to deliver a bug bounty program for white hats who find and report any such issues.
Impacts in Scope
Impacts in scope for this program are divided into four levels of severity:
- Exceeding the maximum supply of 10 billion SUI and allowing the attacker to claim the excess funds
- Loss of funds, which includes:
  - Unauthorized creation, copying, transfer or destruction of objects via bypass of, or exploitation of bugs in, the Move or Sui bytecode verifier
  - Address collision: creating two distinct authentication schemes that hash to the same SUI address in a manner that leads to significant loss of funds
  - Object ID collision: creating two distinct objects with the same ID in a manner that leads to significant loss of funds
  - Unauthorized use of an owned object as a transaction input, resulting in significant loss of funds due to the inability to verify ownership and permission to transfer
  - Dynamically loading an object that is not directly or transitively owned by the transaction sender, in a manner that leads to significant loss of funds
  - Unauthorized upgrade of a Move package, in a manner that leads to significant loss of funds
  - Stealing staking rewards that belong to another user, or claiming more than a user's share of staking rewards, not including rounding errors that result in a minor, financially insignificant discrepancy
- Violating BFT assumptions, acquiring voting power vastly disproportionate to stake, or any other issue that can meaningfully compromise the integrity of the blockchain's proof-of-stake governance. This does not include the following:
  - Voting power that is redistributed because one or more other validators already have max voting power
  - Rounding errors that result in minor voting power discrepancies
- Unintended permanent chain split requiring a hard fork (network partition requiring hard fork)
- Network not being able to confirm new transactions (total network shutdown)
- Arbitrary, non-Move remote code execution on unmodified validator software
- Unintended chain split (network partition)
- Temporary total network shutdown (greater than 10 minutes of network downtime)
- A bug that results in unintended and harmful smart contract behavior with no concrete funds at direct risk
- Unintended, permanent burning of SUI under the max cap
- Shutdown of 30% or more of network processing nodes without brute-force actions, but without shutting down the network
- Sending a transaction that triggers an invariant violation error code in unmodified validator software
All bug reports must come with a runnable testnet or mainnet proof of concept whose end effect impacts an asset in scope in order to be considered for a reward. White hats are not expected to provide a fix for a discovered issue in order to receive an award. Reports must be submitted through the Immunefi dashboard.
Immunefi is the leading bug bounty and security services platform for web3, featuring the world’s largest Web3 security community and bug bounty programs. Immunefi guards many billions in users’ funds across projects like Wormhole, MakerDAO, Polygon, Chain, Arbitrum, Lido, Stacks, Optimism and many more. The company has prevented exploitation of vulnerabilities that put tens of billions of dollars at risk across hundreds of projects.