The Graph

Live since: 04 August 2021
KYC required: Yes
Maximum bounty: $2,500,000
Last updated: 11 January 2024

Immunefi vault program

This project deposits assets in a decentralized vault to publicly show proof of assets for paying out bug bounty rewards on-chain via the Immunefi dashboard.

Public vault address: 0x4c0eD9DE84FBA3a005FBCcd1e9E8CE6ABf2B9a04
Funds available: $588,392.24 USD
30d Avg. Funds availability: $498,071.03 USD
Assets in vault:
  • 1.5M GRT

Program Overview

The Graph is an indexing protocol for querying decentralized data from multiple blockchains and storage solutions such as IPFS. It is a decentralized network composed of multiple stakeholders incentivized to build and offer an efficient and reliable open data marketplace through GraphQL-based APIs.

The Graph learns what blockchain data to index, and how, from subgraph descriptions known as subgraph manifests. The subgraph manifest defines the smart contracts of interest for a subgraph, the events in those contracts to pay attention to, and how to map that event data to the data The Graph will index and store in its decentralized network, to be served by Indexers. Indexers are network participants responsible for running their own infrastructure capable of indexing subgraphs and subsequently serving that data.

The network is fully permissionless, meaning that every stakeholder can design, implement and deploy subgraphs, with Indexers choosing which subgraphs to index based on a number of factors such as Curators’ interest (signaling high-quality subgraphs, which may result in high query volume). Delegators are another key participant in this open data economy: they delegate their stake towards Indexers and receive, in turn, a portion of both network rewards and fees from subsequently served queries. Like Delegators, Curators also receive a portion of the query fees when staking their own GRT in a subgraph’s bonding curve (signaling).

For more information about The Graph, please visit their website at https://thegraph.com/.

The bug bounty program, managed and funded by The Graph Foundation, is focused on the prevention of negative impacts to the whole ecosystem, such as:

  • Loss of user funds from the protocol smart contracts
  • Exposure of private keys that may lead to changes on deployed smart contracts and/or drainage of user funds
  • Determinism bugs that could lead to incorrect or inconsistent query results by Indexers in the network
  • Vulnerabilities in the Indexer software (e.g. Graph Node, Indexer CLI, Indexer Agent, and Indexer Service) that could result in the Indexer being slashed or not running effectively
  • Vulnerabilities that could degrade the indexing or querying service
  • Bugs that could facilitate Sybil attacks

Bug bounty hunters submit bug reports at their own risk of being rejected as a known issue.

Rewards by Threat Level

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.3. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from the consequence of exploitation to privilege required to the likelihood of a successful exploit.

Rewards for critical vulnerabilities are capped at 10% of the potential direct economic damage at the time the vulnerability is disclosed, primarily focusing on the USD value of Indexer, Delegator, or Curator assets in any impacted protocol smart contracts at the time of disclosure and the likelihood that such assets could be lost or stolen. The Graph Foundation may also in its discretion, but is not required to, take into consideration other potential economic harms such as potential damage to brand and goodwill. Indirect or speculative potential damage will not be considered.

The final reward amount for a valid report classified as High, Medium, or Low is at the sole discretion of The Graph Foundation. Though this bug bounty program considers the severity classification system, the primary baseline before further consideration is the Impacts in Scope and Assets in Scope tables, though that itself isn’t the final determinant.

To qualify for a reward, bug bounty hunters will need to provide KYC through https://register.thegraph.com and provide all requested information and documents, including, without limitation:

  • E-mail address;
  • Name;
  • Wallet address the GRT should be sent to. This address must match the one listed in the report.

Additionally, all bug reports must come with log components, reproduction, and data about vulnerabilities to support learnings and bug fixes. This can be satisfied by providing relevant screenshots, docs, code, and steps to reproduce the issue.

Proof of Concept required for Smart Contracts and Blockchain

In the case of smart contract bugs, sharing a valid reproducible script as Proof of Concept (PoC) is a strict requirement. All PoCs must be submitted in compliance with Immunefi’s PoC Guidelines and Rules. Failing to do so will result in the report being deemed invalid by The Graph Foundation and not eligible for any reward.

Payouts are handled by The Graph Foundation and are denominated in USD and payable in GRT based on the prevailing USD/GRT conversion price at the time of payment.

Blockchain/DLT

  Level      Payout                               PoC Required
  Critical   USD $200,000 up to USD $2,500,000    Yes
  High       USD $20,000 up to USD $200,000       Yes
  Medium     USD $5,000 up to USD $20,000         Yes
  Low        USD $1,000 up to USD $5,000          Yes

Smart Contract

  Level      Payout                               PoC Required
  Critical   USD $200,000 up to USD $2,500,000    Yes
  High       USD $20,000 up to USD $200,000       Yes
  Medium     USD $5,000 up to USD $20,000         Yes
  Low        USD $1,000 up to USD $5,000          Yes

Websites and Applications

  Level      Payout
  Critical   USD $20,000 up to USD $50,000
  High       USD $5,000 up to USD $20,000
  Medium     USD $1,000 up to USD $5,000

Assets in scope

Note on Smart Contracts: The Graph protocol is in the process of migrating to Arbitrum as its preferred L2. For this reason, there are smart contracts deployed on multiple chains. Not all are identical, so bug bounty hunters are encouraged to check the code on both chains. Once the migration is complete, this bug bounty program will be updated too, removing the contracts that are no longer needed. Assets in our testnet environment are intentionally excluded.

Impacts in scope

Only the following impacts are accepted within this bug bounty program. All other impacts are considered out of scope, even if they affect something in the Assets in Scope table.

Blockchain/DLT

  • Critical: A bug that could cause significant (>$1M) User funds to be lost or stolen directly from protocol smart contracts (not including slashing)
  • High: A bug in the canonical Indexer software stack that could result in private keys being stolen
  • High: A bug that could cause network disruption at Indexer and Gateway level, taking at least 50% of both Gateways and Indexer nodes down (Indexer software stack)
  • High: A bug that could cause incorrect payouts of query fees or indexing rewards
  • High: An economic attack other than a basic 51% governance attack that could cause significant (>$1M) User funds to be lost, stolen or exploited directly from protocol smart contracts
  • High: A bug that could cause network participants to be impersonated and unwanted actions to be taken (e.g., User funds being stolen directly from the protocol smart contracts)
  • Medium: A bug that could lead to non-deterministic syncing of subgraph data (Graph Node only)
  • Medium: A bug that could halt or delay an Indexer’s ability to process a query or receive payments
  • Medium: A bug in the default Indexer software that could result in a “halt” or an impact on liveness
  • Medium: A griefing attack on the services provided or network participants
  • Low: A bug whereby an attacker does not pay sufficient GRT fees for the load they exert on the network
  • Low: A vulnerability that could cause inaccurate query data to be served
  • Low: A vulnerability that could cause two or more Indexers to provide different results for the same query when the approved code is run
  • Low: A bug that could cause the service functionality, throughput, or utility to be degraded but not disabled

Smart Contract

  • Critical: A bug that could cause significant (>$1M) User funds to be lost or stolen directly from protocol smart contracts (not including slashing)
  • High: Private information being stolen
  • High: A bug that could cause incorrect payouts of query fees or indexing rewards
  • High: An economic attack other than a basic 51% governance attack that could cause significant (>$1M) User funds to be lost or stolen directly from the protocol smart contracts
  • High: A bug that could cause network participants to be impersonated and unwanted actions to be taken (e.g., User funds being stolen directly from the protocol smart contracts)
  • Medium: A bug in a smart contract that could result in a “halt” or an impact on liveness
  • Medium: A “griefing” attack on the services provided or network participants
  • Medium: A bug that could halt or delay an Indexer’s ability to process a query or receive payments

Websites and Applications

  • Critical: A bug that could cause significant (>$1M) funds to be lost (not including slashing)
  • Critical: Halting application functionality for the majority of users
  • High: A bug that could allow impersonating other users, leading to negative impact on network participants through User funds being lost or stolen directly from the protocol smart contracts
  • Medium: A bug that could cause the service (Studio or The Graph’s decentralized network) functionality, throughput, or utility to be degraded but not disabled for other network participants
  • Medium: A bug that allows remote code execution resulting in exposure of private keys

Only the impacts listed above are accepted within this bug bounty program. All other impacts are considered out of scope and ineligible for rewards, even if they affect something in the Assets in Scope table. Occasionally, The Graph Foundation may, but is not required to, make an exception and reward disclosure of an out-of-scope impact that would have a material negative impact on the brand or goodwill of The Graph. Whether to make such an exception, as well as the size of the reward for such an exception, is at The Graph Foundation’s sole and final discretion.

Throughout this program, “User” includes Indexers, Delegators, Curators, Data Consumers, and Gateway Operators.

Out of Scope & Rules

There are known potential exploits on The Graph infrastructure and on blockchains where the protocol is deployed to: Ethereum and Arbitrum One. Bounty hunters will not be rewarded for reporting these:

Additionally, all of the following vulnerabilities and bug report types are considered out-of-scope in this bug bounty program (though, as noted above, The Graph Foundation may occasionally make an exception and issue a reward for a material, out-of-scope impact):

  • Attacks that the reporter has already exploited themselves, leading to damage
  • Attacks that rely on social engineering, including requiring a victim to visit an out-of-scope URL
  • Attacks requiring access to a victim’s machine
  • Attacks requiring access to keys, passwords, or other credentials that were leaked
  • Attacks on third-party service providers that could have a negative impact on The Graph
  • Incorrect data supplied by third-party oracles
    • This does not exclude oracle manipulation/flash loan attacks
  • Basic economic governance attacks (e.g. 51% attack)
  • Lack of liquidity
  • Best practice critiques
  • Indexer port configurations not aligned with best practices
  • Sybil attacks
  • Attacks that have the potential to impact token price
  • Testnet assets
  • “Man in the middle” attacks

Rules and Requirements

All bounty hunters must abide by the following rules when reporting bugs to be eligible for rewards. We appreciate your cooperation.

Report Responsibly

Report vulnerabilities to The Graph first by submitting a bug report on Immunefi, to mitigate attacks and in the best interest of the network’s safety. Give reasonable time for The Graph to fix the bug before sharing publicly.

Don't Exploit Reported Bugs

Do not exploit bugs in the code to gain an advantage or conduct malicious activity in the network. No hacking or social engineering of other network users.

Don’t Violate Privacy

Do not violate the privacy of network users, other bounty hunters, or The Graph.

Don’t Attack or Defraud The Graph

Do not attack The Graph team, operations, or technology (e.g. DDoS attacks, spam, social engineering) or defraud The Graph team or network users.

Please also note reporting requirements:

  • A bug is rewarded only once, to the first person to report it, after successful reporting and confirmation of the fix.

  • Vulnerabilities must be reproducible by The Graph team (please include all relevant links, docs, and code).

  • Only a single vulnerability may be submitted per report; multiple submissions for the same vulnerability will not be counted. If the same vulnerability and/or exploit applies to several assets in scope, all of them must be mentioned in a single report.

  • Bounty hunters can submit multiple bug reports.

  • Public disclosure of the vulnerability prior to resolution may cancel a pending reward. We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.

  • The Graph and affiliates will not negotiate in response to duress or threats (e.g., we will not negotiate the payout amount under threat of withholding the vulnerability or threat of releasing the vulnerability or any exposed data to the public).