Sei Bug Bounty Is Live On Immunefi

If you are a security researcher, developer, or white hat, you can apply here to find out current details of the program and take part.

As the Sei ecosystem continues to grow, so does the potential for bugs and vulnerabilities. The Sei Foundation takes security extremely seriously, which is why a Sei bug-bounty program has been launched in collaboration with Immunefi, the leading bug bounty and security services platform for Web3, protecting over $60 billion in user funds.

The bug bounty program incentivizes white hat hackers to report issues, helping maintain a secure and stable platform while rewarding responsible disclosure.

The bug bounty program focuses on identifying vulnerabilities in specific, clearly defined impact categories before they can be exploited. The following impacts are accepted within this bug bounty program; refer to the Immunefi page for the official and up-to-date listing. All other impacts are considered out of scope and ineligible:

Blockchain/DLT

  • Network not being able to confirm new transactions
  • Unintended permanent chain split requiring hard fork
  • Direct loss of funds
  • Permanent freezing of funds
  • Unintended chain split
  • Temporary freezing of network transactions by delaying one block by 500% or more of the average block time of the preceding 24 hours beyond standard difficulty adjustments
  • Causing network processing nodes to process transactions from the mempool beyond set parameters
  • RPC API crash affecting projects with greater than or equal to 25% of the market capitalization on top of the respective layer
  • Increasing network processing node resource consumption by at least 30% without brute force actions, compared to the preceding 24 hours
  • Shutdown of greater than or equal to 30% of network processing nodes without brute force actions, but does not shut down the network
  • A bug in the respective layer 0/1/2 network code that results in unintended smart contract behavior with no concrete funds at direct risk
  • Shutdown of greater than 10% or equal to but less than 30% of network processing nodes without brute force actions, but does not shut down the network
  • Modification of transaction fees outside of design parameters

Websites and Applications

  • Execute arbitrary system commands
  • Retrieve sensitive data/files from a running server such as: /etc/shadow, database passwords, blockchain keys
  • Taking down the application/website
  • Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user
  • Subdomain takeover with already-connected wallet interaction
  • Direct theft of user funds
  • Malicious interactions with an already-connected wallet such as: Modifying transaction arguments or parameters, Substituting contract addresses, Submitting malicious transactions
  • Direct theft of user NFTs
  • Injection of malicious HTML or XSS through NFT metadata
  • Injecting/modifying the static content on the target application without Javascript
  • Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction
  • Improperly disclosing confidential user information such as: Email address, Phone number, Physical address, etc.
  • Subdomain takeover without already-connected wallet interaction
  • Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction
  • Injecting/modifying the static content on the target application without Javascript
  • Redirecting users to malicious websites
  • Changing details of other users (including modifying browser local storage) without already-connected wallet interaction and with significant user interaction
  • Taking over broken or expired outgoing links
  • Temporarily disabling a user's access to the target site

Please visit https://immunefi.com/bounty/sei/ for the scope table and the terms and conditions regarding the bug bounty program, including eligibility criteria. Vulnerabilities must meet the criteria as determined by the Sei Foundation.

The bounties range from $1,000 to a maximum of $2,000,000, depending on the severity of the vulnerability and its threat level, from low to critical. Check out the Sei Chain codebase to learn more about Sei and begin your bug hunting journey on Immunefi.

About Immunefi

Immunefi is the premier bug bounty platform for smart contracts and DeFi projects, where security researchers review code, disclose vulnerabilities, get paid, and make crypto safer. Immunefi removes security risk through bug bounties and comprehensive security services.

For more information, please visit https://immunefi.com.

About Sei Foundation

The Sei Foundation is a non-profit organization created with the mandate to empower builders and contributors to the Sei blockchain and to further decentralize the blockchain over time.

About Sei Labs

Sei Labs is a contributor to the open-source Sei blockchain, the fastest Layer 1 for trading. Sei's unique chain-level optimizations enable decentralized exchanges and trading apps to offer the best user experience with modern performance and scalability. The Sei Labs team is composed of industry veterans from Goldman Sachs, Databricks, Robinhood, Google, and Nvidia.