The Graph Foundation launches bug bounty program

Bugs in scope include those leading to the loss of user funds.

The Graph Foundation has launched a bug bounty program promising rewards of up to $2.5 million for smart contract vulnerabilities. 

The Graph Foundation is the overseer of an indexing protocol, created by the community, for querying blockchains and networks including the Ethereum, Celo, and IPFS ecosystems.

Blockchain data is indexed by the decentralized protocol, based on the "subgraph manifest," a system that defines smart contracts and network events, and participants are able to publish their own subgraph open APIs. 

On Wednesday, the project said a new bug bounty program has been launched on Immunefi, a DeFi-based bug bounty platform that has paid out over $3 million in rewards to date. 

The bug bounty program will focus on some of the most common threats to blockchain systems -- the potential loss of user funds, data leaks, and severe security issues leading to remote code execution (RCE), service degradation, network tampering, and more.

Rewards are based on Immunefi's five-level scale, ranging in severity from "critical" to "none." The most severe issues, deemed critical, are eligible for rewards of up to $2.5 million, made in The Graph tokens (GRT). 

According to the team, the reward is based on the potential economic damage -- such as the loss of user funds. 

"For instance, if the bug were to be exploited and we knew that a total of 1000 GRT could be drained, that is considered critical because it involves loss of funds, but the reward would only be 100 GRT," the team explained. "As there are over three billion GRT staked in the network at the moment, and assuming that would be the considered economic damage (worst case scenario), the actual maximum amount for that particular bug would be 300 million GRT."

Severity payouts range from roughly $5,000 to $200,000 for low and high-risk vulnerability discoveries. 

"Last year more than $200 million were stolen by hackers through DeFi exploits and hacks that indeed question the effectiveness of traditional security methods," commented Mitchell Amador, Immunefi CEO. "We at Immunefi strive to protect projects against smart contract hacks by helping create, run, and promote best practice bug bounty programs, and we're excited to move forward with The Graph."

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0