IMPORTANT: If you find a security issue, you can contact our team directly at security@tendermint.com, or report it to our bug bounty program on HackerOne. DO NOT open a public issue on the repository.
As part of our Coordinated Vulnerability Disclosure Policy, we operate a bug bounty program with Hacker One.
See the policy linked above for more details on submissions and rewards and read this blog post for the program scope.
The following is a list of examples of the kinds of bugs we're most interested in for the Cosmos SDK. See here for vulnerabilities we are interested in for Tendermint and other lower-level libraries (eg. IAVL).
x/auth
x/bank
x/staking
x/slashing
x/evidence
x/distribution
x/supply
x/ibc
(currently in alpha mode)
We are interested in bugs in other modules, however the above are most likely to have significant vulnerabilities, due to the complexity / nuance involved. We also recommend you to read the specification of each module before digging into the code.
- Integer operations on tx parameters, especially
sdk.Int
/sdk.Dec
- Gas calculation & parameter choices
- Tx signature verification (see
x/auth/ante
) - Possible Node DoS vectors (perhaps due to gas weighting / non constant timing)
- HD key derivation, local and Ledger, and all key-management functionality
- Side-channel attack vectors with our implementations
- e.g. key exfiltration based on time or memory-access patterns when decrypting privkey