Chainlink

Chainlink is an open-source, generalized framework for building and connecting to decentralized oracle networks that give your smart contract access to secure and reliable data inputs and outputs. Through Chainlink, developers can connect their smart contracts to data providers, web APIs, enterprise systems, cloud providers, IoT devices, payment systems, other blockchains, and much more.

The Chainlink Bug Bounty Program is designed to encourage developers, especially smart contract developers, to evaluate the open-source code base and hunt for critical bugs, with a focus on issues that puts the funds of users at risk.

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.

All bug reports are required to include a PoC. Bug reports without a PoC will be rejected.

Independently of the severity, if a suggestion on how to fix the vulnerability is provided, the bounty may be increased.

Claiming that other bug bounties accept such a bug will not be considered as a valid claim and nor presuming the severity because of theoretical scenarios.

All citizens and residents of Iran and North Korea, as well as other US sanctioned countries, are not eligible to receive a reward for bug reports submitted.

Payouts are handled by the Chainlink team directly and are denominated in USD. Payouts are done in LINK.

Asset https://explorer.chain.link is in-scope only for vulnerabilities directly causing a loss of service.

For web/app bug reports, only those that directly affect the assets in scope are accepted.

Known issues listed here are not accepted as within the scope of this bug bounty program, regardless of the asset being within the scope of the program.

Additional Information and Resources

The Chainlink node is a part of a decentralized oracle network used to feed data to smart contracts. Job Specifications are added to the node through a REST API so that it knows what tasks to perform. The Chainlink node utilizes a websocket connection (for pubsub) to an Ethereum client (Geth or Parity) in order to watch for new blocks containing specific event logs. Once the external data is retrieved, the Chainlink node will sign the transaction, and broadcast it through the Ethereum client (the wallet is stored on the Chainlink node, not the Ethereum client). An overview of the architecture is available here.

We have guides available for how to get a Chainlink node running locally. See the links below for step-by-step walk-throughs.

The Complete Setup Guide for a Chainlink Development Environment

Running a Chainlink Node

Fulfilling Requests

Impacts in Scope

These are the main areas of impact we want to prevent based on asset:

• Chainlink Node Software (https://github.com/smartcontractkit/chainlink) and its Smart Contracts:

  • Loss of funds for the node operator or requester will have the highest impact.

• Solidity Smart Contracts (https://github.com/smartcontractkit/chainlink/evm-contracts):

  • Abuse of functionality through Chainlink requests.

• LINK Testnet Faucets (ropsten.chain.link; rinkeby.chain.link; kovan.chain.link):

  • Proven loss of service to these faucets is not high impact but we would care about it.

• Explorers (https://github.com/smartcontractkit/chainlink/explorer):

  • Proven loss of service and information disclosure.

• Feeds / Data (data.chain.link): Proven loss of service.

In general the main focus should be:

• Exploitation of node software that leads to a loss of either link/disabling of node service
• Vulnerabilities in the protocols

We are especially interested in receiving and rewarding vulnerabilities of the following types:

Smart Contracts and Blockchain

• Re-entrancy
• Logic errors
  • including user authentication errors
• Solidity/EVM details not considered
  • including integer over-/under-flow
  • including unhandled exceptions
• Trusting trust/dependency vulnerabilities
  • including composability vulnerabilities
• Oracle failure/manipulation
• Novel governance attacks
• Economic/financial attacks
  • including flash loan attacks
• Congestion and scalability
  • including running out of gas
  • including block stuffing
  • including susceptibility to frontrunning
• Consensus failures
• Cryptography problems
  • Signature malleability
  • Susceptibility to replay attacks
  • Weak randomness
  • Weak encryption
• Susceptibility to block timestamp manipulation
• Missing access controls / unprotected internal or debugging interfaces

Websites and Apps

• Remote Code Execution
• Trusting trust/dependency vulnerabilities
• Vertical Privilege Escalation
• XML External Entities Injection
• SQL Injection
• LFI/RFI
• Horizontal Privilege Escalation
• Stored XSS
• Reflective XSS with impact
• CSRF with impact (except for unauthenticated/logout/login)
• Direct object reference
• Internal SSRF
• Session fixation
• Insecure Deserialization
• Direct object reference
• Path Traversal
• DOM XSS
• SSL misconfigurations
• SPF configuration problems
• SSL/TLS issues (weak crypto, improper setup)
• URL redirect
• Clickjacking
• Misleading Unicode text (e.g. using right to left override characters)
• Coercing the application to display/return specific text to other users

In addition to all known issues listed here, the following vulnerabilities are excluded from the rewards for this bug bounty program:

All Programs

• Attacks that the reporter has already exploited themselves, leading to damage
• Attacks requiring access to leaked keys/credentials
• Attacks requiring access to privileged addresses (governance, strategist)
• Mentions of secrets, access tokens, API keys, private keys, etc. in Github, will be considered out of scope without proof that they are in-use in production

Smart Contracts and Blockchain

• Incorrect data supplied by third party oracles
  • Not to exclude oracle manipulation/flash loan attacks
• Basic economic governance attacks (e.g. 51% attack)
• Lack of liquidity
• Best practice critiques
• Sybil attacks

Websites and Apps

• Theoretical vulnerabilities without any proof or demonstration
• Self-XSS
• Captcha bypass using OCR
• CSRF with no security impact (logout CSRF, change language, etc.)
• Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”)
• Server-side information disclosure such as IPs, server names, and most stack traces
• Vulnerabilities used to enumerate or confirm the existence of users or tenants
• Vulnerabilities requiring unlikely user actions
• URL Redirects (unless combined with another vulnerability to produce a more severe vulnerability)
• Lack of SSL/TLS best practices
• DDoS vulnerabilities
• Attacks requiring privileged access from within the organization
• Any subdomain of *.smartcontract.com
• Intercom add-on on any asset (the in-browser chat application)
• SGX-related issues or vulnerabilities
• Issues/bugs/vulnerabilities specific to the given Ethereum client (Geth or Parity)
• OS-related vulnerabilities
• Clickjacking on pages with no sensitive actions
• Attacks requiring MITM or physical access to a user's device.
• Previously known vulnerable libraries without a working Proof of Concept.
• Comma Separated Values (CSV) injection without demonstrating a vulnerability.
• Email or DNS configurations
• Site or domain configuration
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
• Unauthenticated/logout/login CSRF
• Previously known vulnerable libraries without a working Proof of Concept
• Missing best practices in SSL/TLS configuration

The following activities are prohibited by bug bounty program:

• Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
• Any activity that could lead to the disruption of our service (DoS; please set up POCs on a private chain).
• Any testing with pricing oracles or third party smart contracts
• Attempting phishing or other social engineering attacks against our employees and/or customers
• Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
• Any denial of service attacks
• Automated testing of services that generates significant amounts of traffic
• Public disclosure of an unpatched vulnerability in an embargoed bounty