Rooch Network's first bug bounty program received active participation from developers and security experts across various fields. With their support, Rooch successfully fixed identified vulnerabilities, enhancing the network's security and stability.
Building on the positive response and valuable experience from the first phase, and with Rooch Network's pre-mainnet approaching, we are launching the second bug bounty phase. We warmly invite global developers and security experts to join us in identifying and resolving potential security vulnerabilities. The reward pool remains at an impressive $200,000—looking forward to your active participation!
Vulnerability Categories and Rewards
Critical Vulnerabilities (First Prize)
- Coin or Minting Vulnerabilities: Ability to mint or create coins by invoking system contracts.
- Privilege Escalation: Gaining system account permissions and executing arbitrary transactions.
- Move Verifier Bypass: Bypassing one or more checks of the Move Verifier, allowing improper deployments and transaction executions.
- Private Generics Bypass: Bypassing the private_generics attribute check.
- Data Structure Bypass: Bypassing the data_struct attribute check.
- Borrow Restriction Bypass: Bypassing the restriction that allows only one mutable borrow during borrow_object.
- Bytecode Instruction Exploits: Utilizing Move built-in instructions in bytecode for improper transactions.
- Transaction Validation Bypass: Bypassing transaction Validator checks.
- Gas Fees Exploits: Executing transactions without paying Gas fees.
- Network Forking: Actions leading to network forking.
- Transaction Forgery and Replay: Forging or replaying transactions.
Medium Severity Vulnerabilities (Second Prize)
- Node Crash (BTC Transactions): Constructing specific BTC transactions causing node process crashes.
- SessionKey Bypass: Bypassing SessionKey security restrictions.
- RPC Interface Crash: Submitting specially formatted transactions through the RPC interface causing node crashes.
- Contract Vulnerabilities in GasMarket, GasFaucet, GrowBitcoin: Authorization and logical vulnerabilities in specified contracts.
- Oracle Data Security: Errors or Sybil attacks in the BTC Price Oracle contract data.
Low Severity Vulnerabilities (Third Prize)
- Memory Overload: Submitting specially formatted transactions via the RPC interface causing excessive node memory usage.
- High CPU Usage: Submitting specially formatted transactions via the RPC interface causing increased CPU usage.
- Denial of Service Attacks: Other forms of denial of service attacks.
- Third-Party Dependencies and Library Vulnerabilities: Unaddressed known vulnerabilities in third-party libraries or dependencies.
- Data Consistency and Integrity Issues: Data consistency issues in the database or storage layer, and bypassing data integrity checks.
User Experience and Data Abnormalities (Fourth Prize)
- Inconsistencies between UTXO data on Rooch and the Bitcoin mainnet.
- Abnormalities in CLI, Portal, or other developer or end-user products on Rooch.
- Vulnerabilities in example or demo code.
Scope of Vulnerabilities and Exclusions
This program targets the primary repository https://github.com/rooch-network/rooch/ and includes:
- Core code of Rooch Network (Rust)
- Rooch Move Framework (Move)
- Rooch DApps (Move)
- Rooch SDK (TypeScript/JavaScript)
- Rooch Portal (TypeScript/JavaScript)
- Data anomalies and functionalities specific to the Pre-Mainnet network
The following vulnerabilities are excluded from this bug bounty program:
- Bitcoin network reorganization affecting more than 3 blocks due to hash power attacks. As Bitcoin’s Layer 2, Rooch has a 3-block confirmation delay and automatically enters maintenance mode if reorganization exceeds 3 blocks, requiring manual intervention.
- Attacks through social engineering or phishing.
- Non-standard address formats or unlock scripts identifying UTXO owners as 0x4.
- Data inconsistency due to delayed confirmation.
- Front-end data or page state issues, rendering anomalies, etc. (e.g., page rendering issues due to incompatible data formats, JavaScript exceptions).
- Issues already logged in GitHub Issues or involving features under development that have not been released on Pre-Mainnet.
How to Participate
Submitting a Bug Report
If you discover any of the above vulnerabilities on the testnet, please follow these steps to submit your report:
- Prepare Your Report:
  - Vulnerability Type: Clearly indicate the type of vulnerability.
  - Vulnerability Description: Provide a brief description of the vulnerability's nature and impact.
  - Reproduction Steps: Explain the steps to reproduce the vulnerability in detail.
  - Environment Information: Include testnet version, node configuration, etc.
  - Screenshots or Logs: Attach related screenshots or error logs (if applicable).
- Submission Channel:
  - GitHub Submission: Create a "Report a security vulnerability" Issue in our GitHub project and attach your report. Do not create it as a public Issue. https://github.com/rooch-network/rooch/issues/new/choose
Important Notes
- All discovered vulnerabilities must be submitted through the above channels and not publicly disclosed.
- Please include your contact information (GitHub ID, email address) in the report so we can communicate with you and distribute the rewards. If you cannot be reached during the reward distribution period, it will be considered a waiver of the bounty.
Reward Details
The total reward pool for this program is $200,000. Rewards will be allocated based on the type and impact of the vulnerability and will be valued in USD, distributed in Rooch mainnet tokens after the Rooch mainnet token generation event (TGE).
Program Duration
12 pm, Nov 15th - 12 pm, Dec 15th (UTC+8)
We will carefully evaluate each report and contact you within a reasonable time frame.
Join Us in Enhancing Rooch's Security!
Security is the foundation of the Rooch Network, and your contributions will help improve its security and stability. We welcome your participation in identifying vulnerabilities or suggesting improvements. Together, let’s build a safer and more reliable native BTC application layer for Rooch’s future development. Thank you for your support and contributions! We look forward to working together in this event!
We would like to remind you that the final interpretation rights for this event rest solely with Rooch.