Find Bugs. Earn Bounties.

Earn up to $500K by finding protocol bugs and vulnerabilities

As the Sui ecosystem evolves, the potential for bugs and vulnerabilities arises. The bug bounty program incentivizes white hat hackers to report issues, helping maintain a secure and stable platform while rewarding responsible disclosure.

Impacts in Scope

The following impacts are accepted within this bug bounty program; refer to Sui's HackenProof Bug Bounty Program Page for the official and up-to-date listing. All other impacts are considered out of scope and ineligible for payout.

Critical - $500,000 USD

  1. Exceeding the maximum supply of 10 billion SUI and allowing the attacker to claim the excess funds
  2. Loss of funds, which includes:
    - Unauthorized creation, copying, transfer or destruction of objects via bypass or exploit of bugs in the Move or Sui bytecode verifier
    - Address collision: creating two distinct authentication schemes that hash to the same SUI address in a manner that leads to significant loss of funds
    - Object ID collision: creating two distinct objects with the same ID in a manner that leads to significant loss of funds
    - Unauthorized use of an owned object as a transaction input, resulting in significant loss of funds due to the inability to verify ownership and permission to transfer
    - Dynamically loading an object that is not directly or transitively owned by the transaction sender, in a manner that leads to significant loss of funds
    - Unauthorized upgrade of a Move package, in a manner that leads to significant loss of funds
    - Stealing staking rewards that belong to another user, or claiming more than a user's share of staking rewards, not including rounding errors that result in a minor, financially insignificant discrepancy
  3. Violating BFT assumptions, acquiring voting power vastly disproportionate to stake, or any other issue that can meaningfully compromise the integrity of the blockchain's proof-of-stake governance. This does not include the following:
    - Voting power that is redistributed because one or more other validators already have max voting power
    - Rounding errors that result in minor voting power discrepancies
  4. Network not being able to confirm new transactions (total network shutdown), requiring a hard fork to resolve
  5. Arbitrary, non-Move remote code execution on unmodified validator software

High - $50,000 USD

  1. Temporary total network shutdown or unintended chain split (duration greater than 10 minutes)

Medium - $10,000 USD

  1. A bug that results in unintended and harmful smart contract behavior with no concrete funds at direct risk
  2. Unintended, permanent burning of SUI under the max cap
  3. Shutdown of 30% or more of network processing nodes, without brute-force actions, that does not shut down the network as a whole

Low - $5,000 USD

  1. Sending a transaction that triggers an invariant violation error code in unmodified validator software
  2. A remote call that crashes a Sui full node

Frequently asked questions

Where can I find more information on the bug bounty program?

All of the program details along with a link to the dashboard to report a bug are available on HackenProof’s bounty program page for Sui.

How do I join the program?

If you find a bug or vulnerability, report it using the HackenProof dashboard. You should receive an acknowledgement of your report within 48 hours for critical vulnerabilities and 96 hours for all other vulnerabilities.

Where can I get technical questions answered?

Sui and HackenProof will be conducting Office Hours to answer questions. A date will be announced on Twitter by @SuiNetwork. If you are not able to attend, you can email questions to [email protected].

Who is behind this program?

The program is funded and managed by the Sui Foundation, in partnership with HackenProof.
