Gitcoin Virtual Hackathon

Chainlink Bug Bounty Program

Aug 7, 2020 - Sep 30, 2020


Chainlink is an open-source, generalized framework for building and connecting to decentralized oracle networks that give your smart contract access to secure and reliable data inputs and outputs. Through Chainlink, developers can connect their smart contracts to data providers, web APIs, enterprise systems, cloud providers, IoT devices, payment systems, other blockchains, and much more. The Chainlink Bounty Program is designed to encourage smart contract developers to evaluate the open-source code base and hunt for critical bugs.

This gives developers a chance to learn about how the most widely used oracle throughout DeFi works on the backend, enabling developers to become more familiar with Chainlink Nodes and Chainlink’s core smart contracts. Prizes will be paid out in LINK for any unique vulnerability, especially for anything that puts user funds at risk.

Bounty Prizes

Please use the following as general guidance. All final decisions are at the discretion of SmartContract. For reports affecting the node through an on-chain Chainlink request, we will provide a bonus.

Severity & Payment in LINK

  • Low - $2,000
  • Medium - $4,000
  • High - $8,000
  • Critical - $16,000

Information & Resources

The Chainlink node is a part of a decentralized oracle network used to feed data to smart contracts. Job Specifications are added to the node through a REST API so that it knows what tasks to perform. The Chainlink node uses a WebSocket connection (for pub/sub) to an Ethereum client (Geth or Parity) in order to watch for new blocks containing specific event logs. Once the external data is retrieved, the Chainlink node signs the transaction and broadcasts it through the Ethereum client (the wallet is stored on the Chainlink node, not on the Ethereum client). An overview of the architecture is available here.

Scope

Core Node

https://github.com/smartcontractkit/chainlink/tree/master/core

The Chainlink node and its smart contracts are the core focus of this program. Issues related to a loss of funds for the node operator or requester will take the highest bounty reward. There are a few areas of this code base which are out-of-scope, see the Scope section at the bottom of this page for details.

We also have a project tracker where existing bugs are kept. Be sure to check there for issues that we already know about.

Solidity Smart Contracts

https://github.com/smartcontractkit/chainlink/tree/master/evm-contracts

The smart contracts residing on the Github repository are in scope and will be awarded with bonuses if a vulnerability is found through creating Chainlink requests.

LINK Testnet Faucets

ropsten.chain.link, rinkeby.chain.link, & kovan.chain.link

The faucets provide users with the ability to receive test LINK on test networks. Since they are test networks, we are more concerned with vulnerabilities which would cause a loss of service.

Explorers

explorer.chain.link, ropsten.explorer.chain.link, rinkeby.explorer.chain.link, kovan.explorer.chain.link

github.com/smartcontractkit/chainlink/explorer

Chainlink Explorer allows requesters to view information about their request without requiring access to the Chainlink node themselves.

Feeds UI

feeds.chain.link

github.com/smartcontractkit/chainlink/feeds

The application and source code driving the Decentralized Price Reference Data page.

Installation & Setup

We have guides available for how to get a Chainlink node running locally. See the links below for step-by-step walk-throughs. Feel free to reach out on our Discord for help.

Program Rules

  • Email reports to bounty@chain.link
  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

Thank you for helping keep Chainlink and our users safe!

Check out the Prizes

Visit the Prize Explorer to check out the prizes posted by our hackathon sponsors. Click each prize to show important details, including the submission requirements, submission deadline, etc.

Join the Hackathons Chat Workspace

Chat with other hackers, ask sponsors and the Gitcoin team questions, find or create a team, and communicate in real time. Click here to join the party!

Start Work via Gitcoin

When your team is formed, please have one of your teammates navigate to each prize page you plan to compete for and click the “Start Work” button.

BUIDL!

Build your cool ideas and make your vision come true with your team!

Submit Work via Gitcoin

When your project is completed, submit your work by clicking the “Submit Work” button on the prize page.