The Graph Bug Bounties

Program Overview

The Graph is an indexing protocol for querying networks like Ethereum and IPFS. It is a decentralized network comprised of multiple stakeholders incentivized to build and offer an efficient and reliable open data marketplace, through GraphQL-based APIs.

The Graph learns what and how to index Blockchain data based on subgraph descriptions, known as the subgraph manifest. The subgraph description defines the smart contracts of interest for a subgraph, the events in those contracts to pay attention to, and how to map data to data that The Graph will index and store in its decentralized network, to be served by Indexers. Indexers are network participants responsible for running their own infrastructure capable of indexing subgraphs and subsequently serve such data.

The network is fully permissionless, meaning that every stakeholder can design, implement and deploy subgraphs, with Indexers choosing which subgraphs to index based on a number of factors such as Curators’ interest (signaling high-quality ones which may result in high query volume). Delegators are another key network participant in this open data economy, who delegate their stake towards Indexers, receiving, in turn, a portion of both network rewards and fees from subsequently served queries. Like Delegators, Curators also receive a portion of the query fees, when staking their own GRT in a subgraph’s bounding curve (signaling).

For more information about The Graph, please visit their website at https://thegraph.com/.

The bug bounty program, managed and funded by The Graph Foundation, is focused on the prevention of negative impacts to the whole ecosystem, such as:

Loss of User Funds
Exposure of private information (keys, PII)
Determinism bugs that could lead to incorrect or inconsistent query results by - Indexers in the network
Vulnerabilities in the Indexer software (eg. Graph Node, Indexer CLI) that could result in the Indexer being slashed or not running effectively
Vulnerabilities that could degrade the indexing or querying service
Bugs that could facilitate Sybil attacks

However, bugs that are known from currently unpublished third-party audits, which will be publicly published by September 15, 2021, are not considered as in-scope of the bug bounty program, as well as other things listed as out-of-scope in the relevant section below. Bug bounty hunters submit bug reports at their own risk of being rejected as a known issue.

Rewards by Threat Level

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from the consequence of exploitation to privilege required to the likelihood of a successful exploit.

Rewards for critical vulnerabilities are capped at 10% of economic damage, primarily focusing on the possible loss of funds for Indexers, Delegators, and Curators at Smart Contract level only, but also taking into consideration other aspects such as branding and PR, at the discretion of The Graph Foundation.

In order to qualify for a reward, bug bounty hunters will need to provide KYC through https://register.thegraph.com. Additionally, all bug reports must come with log components, reproduction, and data about vulnerabilities to support learnings and bug fixes. This can be satisfied by providing relevant screenshots, docs, code, and steps to reproduce the issue.

Payouts are handled by The Graph Foundation and are denominated in USD. All payouts are done in GRT.

Smart Contracts and Blockchain

Level	Payout
Critical	Up to USD $2,500,000
High	USD $200,000
Medium	USD $20,000
Low	USD $5,000
None	$0

Assets in Scope

Target	Type
https://etherscan.io/address/0x24CCD4D3Ac8529fF08c58F74ff6755036E616117#code	Smart contract - controller
https://etherscan.io/address/0xc944E90C64B2c07662A292be6244BDf05Cda44a7	Smart contract - graphToken
https://etherscan.io/address/0x64F990Bf16552A693dCB043BB7bf3866c5E05DdB	Smart contract - epochManager
https://etherscan.io/address/0x97307b963662cCA2f7eD50e38dCC555dfFc4FB0b	Smart Contract - disputeManager
https://etherscan.io/address/0xF55041E37E12cD407ad00CE2910B8269B01263b9	Smart contract - staking
https://etherscan.io/address/0x8FE00a685Bcb3B2cc296ff6FfEaB10acA4CE1538	Smart contract - curation
https://etherscan.io/address/0x9Ac758AB77733b4150A901ebd659cbF8cB93ED66	Smart contract - rewardsManager
https://etherscan.io/address/0xaD0C9DaCf1e515615b0581c8D7E295E296Ec26E6	Smart contract - serviceRegistry
https://etherscan.io/address/0xaDcA0dd4729c8BA3aCf3E99F3A9f471EF37b6825	Smart contract - GNS
https://etherscan.io/address/0xFCf78AC094288D7200cfdB367A8CD07108dFa128	Smart Contract - GraphTokenLockManager (Token Distribution - https://github.com/graphprotocol/token-distribution)
https://etherscan.io/address/0xbE5e630383b5BAEcF0Db7b15C50d410edD5A2255	Smart Contract - GraphTokenLockWallet (Token Distribution - https://github.com/graphprotocol/token-distribution)
https://github.com/graphprotocol/graph-node	Graph Node (Indexer Software Stack)
https://github.com/graphprotocol/agora	Agora (Indexer Software Stack)
https://github.com/graphprotocol/indexer	Indexer (Indexer Software Stack)

Impacts in Scope

Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in the scope table.

Applicable to all assets in scope

A bug in a smart contract, gateway, or the default Indexer software that could result in funds being lost (not including slashing)
A bug that could cause incorrect payouts of query fees or indexing rewards
An economic attack that could result in Indexers, Curators or Delegators losing a significant amount of funds or being exploited
A bug that could cause network participants to be impersonated and unwanted actions being taken (eg. funds being transferred)
A bug in a smart contract or the default Indexer software that could result in private information being stolen
A bug that allows remote code execution resulting in private information being stolen
A bug that could make it difficult or impossible to run an Indexer effectively
A bug that could halt or delay an Indexer’s ability to process a query or receive payments
A bug in a smart contract or the default Indexer software that could result in a “halt" or an impact on liveness
A bug whereby an attacker does not pay sufficient GRT fees for the load they exert on the network
A vulnerability that could cause two or more Indexers to provide different results for the same query when the approved code is run
A vulnerability that could cause inaccurate query data to be served
A bug that could cause the service functionality, throughput, or utility to be degraded but not disabled
A griefing attack on the services provided or network participants
A bug that could encourage or incentivize sybil attacking or impersonating users

Applicable to graph-node only

A bug that could lead to non-deterministic syncing of subgraph data

Impacts and Vulnerabilities Not in Scope

There are several known potential exploits on Ethereum and The Graph infrastructure. Bounty hunters will not be rewarded for reporting these:

Frontrunning, including backrunning and sandwich attacks
Bugs already identified in external third-party audits
- These audits will be publicly published by September 15, 2021. Until then, bug reports may be rejected if the vulnerability is determined by The Graph Foundation to be a known issue. The Graph Foundation will, however, inform the bug reporter within 72 hours of escalation that the bug report is a known issue.
- Natural network activity like curation whose involved mechanisms could result in unprofitable actions for the particular stakeholder

Additionally, all of the following vulnerabilities and bug report types are not considered as in-scope in this bug bounty program:

Attacks that the reporter has already exploited themselves, leading to damage
Attacks that rely on social engineering
Attacks requiring access to leaked keys/credentials
Incorrect data supplied by third party oracles
Not to exclude oracle manipulation/flash loan attacks
Basic economic governance attacks (e.g. 51% attack)
Lack of liquidity
Best practice critiques
Sybil attacks

Rules and Requirements

All bounty hunters must abide by rules when reporting bugs to be eligible for rewards. We appreciate your cooperation.

Report Responsibly

Report vulnerabilities to The Graph first by submitting a bug report on Immunefi, to mitigate attacks and in the best interest of the network’s safety. Give reasonable time for The Graph to fix the bug before sharing publicly.

Don't Exploit Reported Bugs

Do not exploit bugs in the code to gain an advantage or conduct malicious activity in the network. No hacking or social engineering of other network users.

Don’t Violate Privacy

Do not violate the privacy of network users, other bounty hunters, or The Graph.

Don’t Attack or Defraud The Graph

Do not attack The Graph team, operations, or technology (eg. DDOS attack, spam, social engineering) or defraud The Graph team or network users.

Please also note reporting requirements:

Bugs will only be rewarded once for successful reporting and confirmation of fix to the first person to report the bug.
Vulnerabilities must be reproducible by The Graph team (please include all relevant links, docs, and code)
Single vulnerabilities can be submitted per form, multiple submissions for the same vulnerability will not be counted
Bounty hunters can submit multiple bug reports
Public disclosure of the vulnerability prior to resolution may cancel a pending reward. We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.
The Graph and affiliates will not negotiate in response to duress or threats (e.g., we will not negotiate the payout amount under threat of withholding the vulnerability or threat of releasing the vulnerability or any exposed data to the public).