graph protocol

The Graph’s 2.5 Million Bug Bounty Program In Partnership With Immunefi

The Graph Foundation
August 4, 2021

The Graph Foundation is offering a record $2.5 million bug bounty to incentivize developers and ethical hackers to recognize vulnerabilities and shortcomings in the protocol. At present, this is the biggest active bug bounty program in the world. For this monumental endeavor, The Graph collaborates with Immunefi, which has an extensive knowledge pool in testing and securing Web3 protocols.

In this article, we provide the bounty details, highlighting the varieties of risks and vulnerabilities that the program is trying to address. Besides elaborating the program’s modalities, we discuss its rewards and overall scope. But before getting into all that, let’s introduce The Graph and Immunefi briefly, especially for the uninitiated.

What is Immunefi?

Immunefi is one of the most popular bug bounty platforms in Web3, where white hat hackers and security analysts review and rectify a project’s vulnerabilities. In doing so, these ethical hackers get handsomely rewarded for detecting threats and helping secure the participating projects. Immunefi is a pioneer in innovative blockchain-related bug bounties and has an enviable team of security experts.

Over the years, Immunefi has saved over $1 billion of users’ funds from being stolen or misused. In the process, ethical hackers have earned over $3 million in bounties. At present, the platform has bug bounties worth $26,251,214 locked in various projects.

As a platform, Immunefi has immense scope for both ethical hackers and project owners. Hackers can select bounty programs that match their skill, review the code, submit the bugs, and get paid. Simultaneously, projects can enhance their security with the help of experts at Immunefi. Because of these factors, among others, several leading names in the industry trust the platform. Binance, Chainlink, SushiSwap, PancakeSwap, Compound and Synthetix, for instance, have worked with Immunefi.

Why A Bug Bounty Program?

One might wonder, why do we need a bug bounty program in the first place? Is it not enough and more feasible to have independent third-party audits? Not really. Bug bounties make protocols more robust than a run-of-the-mill code verification because bounties incentivize entire communities of code reviewers, rather than typical audits which engage a single audit firm.

Despite widespread use of audits, DeFi hacks have amounted to over $285 million since 2019. In light of this, Mitchell Amador, Founder and CEO of ImmuneFi, has said, “Last year more than $200 million were stolen by hackers through DeFi exploits and hacks that indeed question the effectiveness of traditional security methods.

He went on to add, “We at Immunefi strive to protect projects against smart contract hacks by helping create, run, and promote best practice bug bounty programs. We’re excited about this historic collaboration with The Graph.”

The $2.5 Million Bug Bounty Program Overview

Having discussed the basics, let us now elaborate on the primary aspects of the bounty program. The Graph Foundation is funding this program to ensure better security and reliability for the network’s global community.

The program goes live today, with a maximum reward of $2,500,000 to be paid in GRT tokens. The primary agenda is to mitigate the risks of losing user funds, exposing private details, and Sybil attack bugs. It is also directed towards preventing incorrect query results by Indexers due to Indexer software anomalies and other associated vulnerabilities.

The Bounty Program Rewards

White hat hackers get rewarded in accordance with the severity of the detected bug and the intensity of potential damage. This is based on a 5-stage scale outlined in the Immunefi Vulnerability Severity Classification System. Following is the scale and the associated rewards:

  • Critical: Freeze contract holdings or empty funds like flash loan attacks, reentrancy (up to $2,500,000)

  • High: Temporary suspension to transfer funds from token holders’ wallets ($200,000)

  • Medium: Huge gas consumption and denial of service ($20,000)

  • Low: Contract doesn’t return the promised returns ($5,000)

The rewards for critical security breaches are capped at 10% of the total economic damages that may result from coding vulnerabilities.

How To Register?

The process for registration is straightforward. In order to be eligible for bounties, bug bounty hunters will first need to register through The Graph Foundation’s KYC platform. Then, they can submit their bug reports with the necessary logs and data to Immunefi to receive a reward. Submissions should include the documents and coding to reproduce the vulnerabilities, as well as pointers for fixing the bugs.

Learn more about how to participate in the bug bounty at

Which Scenarios are In-Scope Under the Bounty Program?

  • Loss of funds due to bugs in smart contracts, gateway, or Indexer software
  • Faulty query fees and indexing rewards payouts
  • Economic attack where all stakeholders lose funds
  • Impersonating network participants and consequent malicious activities
  • Stolen private data due to bugs in the smart contract, Indexer software, or remote code execution
  • Ineffective Indexer functionality
  • Abnormal network load without sufficient GRT fees
  • Inaccurate query data
  • Griefing attack
  • Sybil attacks
  • Non-deterministic syncing of subgraph data (for graph-node only)

Which Scenarios are Not In-Scope?

There are no rewards for the following situations:

  • Attacks or bugs exploited by the hacker
  • Already identified bugs in third-party audits
  • Frontrunning and sandwich attacks
  • Liquidity shortage
  • Governance attacks (eg, 51% attack)
  • Wrong data by third-party oracles
  • Attacks due to social engineering or leaked keys/credentials
  • Critiques based on generally known security best practices

What Ethical Hackers Cannot Do

  • Do not exploit the bugs or take advantage of them
  • Do not violate the privacy of any stakeholders of The Graph
  • Do not attack or defraud The Graph Foundation or any other ecosystem participants

How To Report Bugs?

We request hackers submit their bug reports responsibly to prevent any attack on The Graph. Thus, they must give The Graph Security Team enough time to fix the problems before making the vulnerabilities public.

Participants must note that only the first person to report the bug will be entitled to the relevant reward. They must submit the vulnerabilities with all the relevant links, documents, and codes. Only one form will be accepted for submission for any given vulnerability. However, bounty hunters are free to submit multiple forms for multiple vulnerabilities.

Any attempt to publicly disclose the vulnerability before resolving it will lead to the cancellation of the reward. The Graph Foundation and Immunefi reserve the right to disqualify anyone who doesn’t adhere to the rules and regulations of the bounty program. Finally, under no circumstances will The Graph Foundation negotiate for payments under any threat or coercion.

Learn more about how to participate in the bug bounty at

What The Future Holds

A small step in bolstering crypto security, we believe, marks a giant leap forward for the entire domain. The $2.5 million bug bounty is historical; it is a first, but it need not be the last.

As the community around blockchains and cryptocurrencies becomes more mature, there’s strengthening demand for better security and reliability. In the long run, this would lay a robust foundation for Web3, liberating individuals in the process.

The Graph, for one, shall not restrain itself from incentivizing promising talents to bring out their best. Only then can the domain’s broader vision be realized. In the journey to the future, innovation is critical, and so is security. The two pillars, however, are related — a realization that underlies the bounty program. Participate in securing the web’s future and earn handsome rewards in the process. Remember, though, that the clock is ticking.

About The Graph

The Graph is the indexing and query layer of the decentralized web (Web3). Developers build and publish open APIs, called subgraphs, that applications can query using GraphQL. The Graph currently supports indexing data from 22 different networks including Ethereum, Arbitrium, Avalanche, Celo, Fantom, Moonbeam, IPFS, and PoA with more networks coming soon. To date, over 18,000 subgraphs have been deployed on the hosted service and now subgraphs can be deployed directly on the network! ~20,000 developers have built subgraphs for applications, such as Uniswap, Synthetix, Aragon, Gnosis, Balancer, Livepeer, DAOstack, AAVE, Decentraland, and many others.

If you are a developer building an application or Web3 application, you can use subgraphs for indexing and querying data from blockchains. The Graph allows applications to efficiently and performantly present data in a UI and allows other developers to use your subgraph too! You can deploy a subgraph to the network using the newly launched Subgraph Studio or query existing subgraphs that are in the Graph Explorer. The Graph would love to welcome you to be Indexers, Curators and/or Delegators on The Graph’s mainnet. Join The Graph community by introducing yourself in The Graph Discord for technical discussions, join The Graph’s Telegram chat, or follow The Graph on Twitter! The Graph’s developers and members of the community are always eager to chat with you, and The Graph ecosystem has a growing community of developers who support each other.

The Graph Foundation oversees The Graph Network. The Graph Foundation is overseen by the Technical Council. Edge & Node, StreamingFast and Figment are three of the many organizations within The Graph ecosystem.

The Graph Foundation
August 4, 2021