Security

Bug Bounty


The Graph Network has launched on Ethereum mainnet and we need your help to ensure the security of the protocol! The Graph Bounty Program is launching to identify bugs and critical vulnerabilities in network infrastructure and smart contracts.

Up to 0.5% of total Graph Token (GRT) supply is being allocated to reward successful bounty hunters. Please review program terms and scope below.

Bounty Program Scope

The Graph Bug Bounty Program is seeking researchers and developers to find and report vulnerabilities in the protocol infrastructure, including:

  • Network smart contracts

  • Graph node and Indexer CLI

  • Indexer selection and availability oracle

  • Query cost model/market logic

  • State channel/ledger channels

You can find all protocol components in the graphprotocol repo here.

Bounty Types

There are three types of bounties that vary in bug severity and bounty size. P0 bounties are the most critical and will be valued the highest.

P0 Bounties

Vulnerabilities that could cause Indexer, Curator, Delegator or end-user funds to be exploited, stolen or locked up.

  • A bug in a smart contract, state channels, gateway or the default Indexer software that could result in funds being lost (not including slashing)

  • A bug that could cause incorrect payouts of query fees or indexing rewards

  • An economic attack that could result in Indexers, Curators or Delegators losing a significant amount of funds or being exploited

  • A bug that could allow network participants to be impersonated and unwanted actions to be taken on their behalf (e.g. funds being transferred)

Vulnerabilities that could cause private user information (i.e. keys, PII) to be stolen.

  • A bug in a smart contract, state channels or the default Indexer software that could result in private information being stolen

  • A bug that allows remote code execution resulting in private information being stolen

P1 Bounties

Vulnerabilities in the Indexer software (e.g. Graph Node, Indexer CLI) that could result in the Indexer being slashed or not running effectively.

  • A bug which could cause an Indexer to be incorrectly slashed

  • A bug that could make it difficult or impossible to run an Indexer effectively

  • A bug that could halt or delay an Indexer’s ability to process a query or receive payments

Vulnerabilities that could cause the protocol or query market to "halt" or liveness of the protocol to be impacted.

  • A bug in a smart contract, state channels or the default Indexer software that could result in "halt" or an impact to liveness

  • A bug that could result in a DoS attack, or that lets an attacker exert severe load on the network

  • A bug whereby an attacker does not pay sufficient GRT fees for the load they exert on the network

Determinism bugs that could lead to incorrect or inconsistent query results by Indexers in the network.

  • A vulnerability that could cause two or more Indexers to provide different results for the same query, when the approved code is run

  • A vulnerability that could cause inaccurate query data to be served

P2 Bounties

Vulnerabilities that could degrade the indexing or querying service.

  • A bug that could cause the service functionality, throughput or utility to be degraded but not disabled

  • A griefing attack on the services provided or network participants

Impersonation or sybil attack vulnerabilities

  • A bug that could encourage or incentivize sybil attacking or impersonating users

Not in scope

There are several known potential exploits on Ethereum and The Graph infrastructure. Bounty hunters will not be rewarded for reporting these:

  • Frontrunning

  • Bugs already identified in external third-party audits

  • Non-traditional state channel boundary conditions

Related to state channels, there are a number of parameters/boundary conditions that are recommended for proper state channel operation. Any vulnerability reported that does not assume these boundary conditions on parameters will not be considered valid, unless it is also proven that the network is violating these parameters somewhere.


A bug disclosure about state channels will only be valid if it is proven that state channels are not secure under the above assumptions, or they can reasonably trigger a violation of one of the above assumptions (i.e. by causing a "mass exit")

Responsible Disclosure and Reporting Rules

Bugs should be reported by submitting the Bounty Reporting Form, or by emailing [email protected] directly for critical vulnerabilities. All bounty hunters must abide by the rules below when reporting bugs to be eligible for rewards. We appreciate your cooperation.

  • Report Responsibly

    Report vulnerabilities to The Graph first by completing the Bounty Reporting Form, to mitigate attacks and in the best interest of the network’s safety. Give reasonable time for The Graph to fix the bug before sharing publicly.

  • Document Attacks & Data

    Log components, reproduction and data about vulnerabilities to share with The Graph team to support learnings and bug fixes. Please provide relevant screenshots, docs, code and steps to reproduce the issue.

  • Don't Exploit Reported Bugs

    Do not exploit bugs in the code to gain advantage or conduct malicious activity in the network. No hacking or social engineering of other network users.

  • Don’t Violate Privacy

    Do not violate privacy of network users, other bounty hunters or The Graph.

  • Don’t Attack or Defraud The Graph

    Do not attack The Graph team, operations or technology (e.g. DDoS attack, spam, social engineering) or defraud The Graph team or network users.

Please also note reporting requirements:

  • Each bug will be rewarded only once, to the first person to report it, after the report is confirmed and the fix is verified.

  • Vulnerabilities must be reproducible by The Graph team (please include all relevant links, docs and code)

  • Submit one vulnerability per form; multiple submissions for the same vulnerability will not be counted

  • Bounty hunters can submit multiple bug reports

  • Public disclosure of the vulnerability prior to resolution may cancel a pending reward. We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.

  • The Graph and affiliates will not negotiate in response to duress or threats (e.g., we will not negotiate the payout amount under threat of withholding the vulnerability or threat of releasing the vulnerability or any exposed data to the public).

These rules are illustrative and other rules may be added by The Graph in its sole discretion and without notice. Participants will be disqualified if they do not follow rules or conduct themselves in bad faith as determined by The Graph in its sole discretion.

Rewards

Up to 0.5% of GRT supply is being allocated to The Graph Bounty Program to reward successful bounty hunters. This allocation is separate from the 3% allocated to Mission Control Testnet Rewards.

Overall, reporting of any bug that impacts the security of The Graph will be rewarded. Rewards will range between $100 and $50,000 USD worth of GRT, valued at the public GRT Sale price. Rewards will depend on bug severity and complexity, as determined in The Graph’s sole discretion, as well as the thoroughness of the report and the reporter's cooperation.

  • P0 Bounties - up to $50,000

  • P1 Bounties - up to $20,000

  • P2 Bounties - up to $5,000

If you or your company were employed for a security audit of The Graph within the last 6 months, rewards may be decreased accordingly. The Graph Bounty Program rewards will be distributed at The Graph's discretion.

Eligibility

All bounty hunters must successfully KYC at https://register.thegraph.com to be eligible for rewards. The Graph has the right to disqualify any contributor at any time if their behavior is deemed harmful or malicious to The Graph Network or its users, or doesn’t follow the Bug Bounty Program rules and policies. For other eligibility questions, please contact [email protected].


Safe Harbor

We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this Bug Bounty Program. We consider activities conducted consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). To the extent your activities are inconsistent with certain restrictions in our Terms of Service, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a Digital Millennium Copyright Act (DMCA) claim against you for circumventing the technological measures we have used to protect the applications in scope. If legal action is initiated by a third party against you and you have complied with The Graph’s Bug Bounty Program, The Graph will take steps to make it known that your actions were conducted in compliance with this Program. If at any time you have concerns or are uncertain whether your security research may be inconsistent with or unaddressed by this Program, please inquire via [email protected] before going any further.

Final Notes

You are responsible for paying any taxes associated with rewards. We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. Reports from individuals who we are prohibited by law from paying are ineligible for rewards. Employees of The Graph and their family members are not eligible for bounties.