The Cosmos Stargate testnet release candidate is ready to launch. The various Cosmos teams responsible for delivering this new software are excited to enlist the help of the community to identify critical bugs that may have made it past engineering and integration testing so far. We depend on the community to assist us with testing so that we can increase confidence in the software release. Thus, for Stargate we will launch a special bug bounty program that will last from today through December 31, 2020. Rewards for this program will be temporarily increased from rewards in prior programs to encourage the community to actively support bug discovery.
Submit bugs at our Hacker One program: https://hackerone.com/tendermint
The Cosmos Stargate release teams include the Cosmos SDK, IBC, Tendermint Core, and IBC Relayer teams. We all believe that proactively finding and fixing bugs is a vital part of building strong, resilient blockchain protocols.
Our program exists to actively reward the people who discover bugs in our protocol and the products we’re building.
Recent changes to the code include a transition from an in-house serialization system (Amino) to Protobuf, major new Tendermint Core features like state sync, and the first implementation of Cosmos’s flagship Inter-Blockchain Communication (IBC) protocol. These are high priority for the security community to review.
Bounty rewards are based on many factors including impact, risk, likelihood of exploitation, and report quality. We use the CVSS framework to score all reports in a standardized and fair way.
Only for the Cosmos Stargate Release and only until December 31st 2020, we’ve increased the rewards for bugs and they will be classified into these categories for payout:
- Critical: $5,000 and up
- High: $3,000 and up
- Medium: $1,000 and up
- Low: up to $200
While there is no maximum program reward, we value creative or severe bugs and we will reward them accordingly. The Trail of Bits team will evaluate each report and is responsible for rating the severity of each bug submitted. At our discretion, we may choose to reward high-quality reports or creative lower-tier bugs at a higher-tier level.
If we receive duplicate bug reports, we will award a bounty, if applicable, to the first person who reported the issue. Valid issues reported to this program will be disclosed responsibly once they have been remediated.
The Cosmos Stargate release consists of upgrades and breaking changes to the Cosmos SDK, Tendermint, Gaia, and IBC codebases. Below is a brief summary of the changes to each project and links to their respective repositories:
The Cosmos Hub has been running since December 2019 using the v0.32 series of Tendermint (latest version v0.32.13). There have since been major protocol-breaking upgrades and various other changes introduced in the v0.33 and v0.34 releases of Tendermint that have not yet been deployed to the Cosmos Hub (see the many v0.33 and v0.34 series release notes in the CHANGELOG). We are especially interested in security regressions, risks, DoS, and other security vulnerabilities introduced with these changes. These changes include:
- Migration from Amino to Protocol Buffers (see example regression)
This in particular has a lot of surface area for regressions and other bugs, including malleable messages, invalid size bounds, serialization-related DoS, etc. See the Tendermint 0.34, Protocol Buffers, and You post for context on this migration.
- Commit data structure refactor (see example regression)
- Upgraded light client protocol (see example regression)
- Upgraded evidence handling reactor protocol (for validator accountability, and especially for attacks on light clients)
- New state sync reactor protocol for quickly downloading the application state
- Block pruning
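As an illustration of the "invalid size bounds" and "serialization-related DoS" class of regression named above, here is an added defensive example (not code from Tendermint or the Cosmos SDK) of a decoder for length-prefixed wire messages that validates the declared length before allocating. The uvarint prefix format, the `MaxMsgSize` value, and the sample byte streams are all assumptions constructed for the example; a real implementation would take its bound from the protocol specification.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// MaxMsgSize is an assumed per-message bound for this example only;
// the real limit for a given protocol must come from its spec.
const MaxMsgSize uint64 = 1 << 20 // 1 MiB

var ErrMsgTooLarge = errors.New("declared message length exceeds bound")

// LengthPrefix encodes n as a uvarint, the prefix format this example assumes.
func LengthPrefix(n uint64) []byte {
	var tmp [binary.MaxVarintLen64]byte
	k := binary.PutUvarint(tmp[:], n)
	return tmp[:k]
}

// EncodeFrame builds a length-prefixed frame from payload. It exists only to
// construct sample wire data for the example; it is not a project API.
func EncodeFrame(payload []byte) []byte {
	return append(LengthPrefix(uint64(len(payload))), payload...)
}

// ReadBoundedFrame reads one frame from r. The declared length is checked
// against maxSize BEFORE any buffer is allocated, so a peer whose prefix
// claims terabytes cannot force a huge allocation (a serialization-level
// DoS). binary.ReadUvarint itself rejects prefixes longer than 10 bytes or
// that overflow uint64. A body shorter than declared surfaces as
// io.ErrUnexpectedEOF; on a real connection a read deadline should also be
// set so a peer cannot stall the reader, which is outside this example.
func ReadBoundedFrame(r *bufio.Reader, maxSize uint64) ([]byte, error) {
	n, err := binary.ReadUvarint(r)
	if err != nil {
		return nil, fmt.Errorf("length prefix: %w", err)
	}
	if n > maxSize {
		return nil, fmt.Errorf("%w: %d > %d", ErrMsgTooLarge, n, maxSize)
	}
	buf := make([]byte, n)
	if _, err := io.ReadFull(r, buf); err != nil {
		return nil, fmt.Errorf("body: %w", err)
	}
	return buf, nil
}

func main() {
	// Constructed sample streams, not captured traffic.
	samples := map[string][]byte{
		"valid":     EncodeFrame([]byte("hello")),
		"oversized": LengthPrefix(1 << 40), // claims 1 TiB, sends no body
		"truncated": append(LengthPrefix(10), []byte("abc")...),
	}
	for name, wire := range samples {
		msg, err := ReadBoundedFrame(bufio.NewReader(bytes.NewReader(wire)), MaxMsgSize)
		fmt.Printf("%-9s -> msg=%q err=%v\n", name, msg, err)
	}
}
```

The check on `n` is the whole point: a decoder that calls `make([]byte, n)` with an attacker-controlled `n` is the shape of bug a serialization migration can reintroduce, and it is cheap to test with a unit test that feeds a prefix claiming far more bytes than the bound.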
The Cosmos Hub has been running since December 2019 using the v0.37 series of the Cosmos-SDK (latest version v0.37.14). There have since been major protocol-breaking upgrades and various other changes introduced in the v0.38, v0.39, and v0.40 releases of the Cosmos-SDK that have not yet been deployed to the Cosmos Hub (see the major v0.38.0, v0.39.0, and v0.40.0 release notes, or view all changelog entries directly in the CHANGELOG). We are especially interested in security regressions, security risks, DoS, and other security vulnerabilities introduced with these changes.
Since v0.39.1 (the most recent published version of the Cosmos SDK), the major changes include:
- Migration of the SDK’s primary serialization format from Amino to Protocol Buffers
- Introduction of a single application binary (+ upgrade daemon)
- New testutil package for in-process integration tests / testnet testing framework
Virtually all the relevant changes that affect Gaia are contained in the Cosmos-SDK repository. That said, the Gaia repo still composes the application and pulls everything together, and is the place where the binaries are ultimately built from. While the Cosmos Hub has been running the v2 series of Gaia releases since December, the v3 release will include updating for all the relevant changes in the Cosmos-SDK and Tendermint, and especially adding support for new modules like IBC.
The inter-blockchain communication (IBC) protocol is implemented within the Cosmos-SDK repository, in particular within the `x/ibc` directory. All sub-modules within `x/ibc` in the Cosmos-SDK are in scope. See both the IBC implementation documentation and the IBC protocol specification.
The Cosmos Hub has been running since December 2019 using the v0.12.4 release of IAVL. There have since been major breaking upgrades and various other changes introduced in the v0.13, v0.14, and v0.15 releases of IAVL that have not yet been deployed to the Cosmos Hub (see the many v0.13, v0.14, and v0.15 series release notes in the CHANGELOG). We are especially interested in security regressions, security risks, DoS, and other security vulnerabilities introduced with these changes. These changes consisted primarily of better support and fixes for pruning the database, and of migrating from Amino serialization to Protocol Buffers.
The following additional repositories are also in scope:
While these have seen fewer changes than the other repos, they are all highly security-critical, as they handle private key material and secure hardware signing for both validators and token holders.
To qualify for a bounty, bugs must be:
- Valid on the master branch of the corresponding repository.
- Valid for 64-bit machines with at least 2 GB RAM.
- Valid on Tendermint clusters where less than ⅓ of the nodes are faulty or malicious.
We’re interested in a full range of bugs with demonstrable security risk: from those that can be proven with a simple unit test, to those that require a full cluster and a complex sequence of transactions.
Examples of vulnerabilities that are of interest to us include memory allocation bugs, race conditions, timing attacks, information leaks, authentication bypasses, incorrect block validation, denial of service (specifically at the application- or protocol-layer), lost-write bugs, unauthorized account or capability access, stolen funds, token inflation bugs, payloads/transactions that cause panics, and so on. We are also interested in vulnerabilities that highlight clusters where more than ⅓ of the nodes may become faulty or malicious.
Please see here for a quick-start guide to getting Tendermint running so you can start hunting for bugs. To work with Cosmos-SDK, start here to learn more about getting it up and running in your testing environment.
All other associated websites, services, and sub-domains are out of scope, including:
Though bugs in the services that we use are important to us, they are ineligible for program rewards. Any bugs that are found in services that we use (i.e. Mailchimp, Meetup, Discord, and Telegram) should be disclosed directly to those services.
Scanner-generated reports and “Advisory” or “Informational” reports that do not include any Tendermint or Cosmos specific testing or context are ineligible for rewards. Additionally, clickjacking as a single finding and issues requiring social engineering components are ineligible for reward as part of this program. However, we may accept clickjacking as part of a chain. We also assume that all server environments have not been compromised before and during testing by other adversarial software or actors.
See our Security Policy Document for more details on submissions and rewards.