The Graph

There are known potential exploits on The Graph infrastructure and on blockchains where the protocol is deployed to: Ethereum and Arbitrum One. Bounty hunters will not be rewarded for reporting these:

• Frontrunning, including back running and sandwich attacks
• Known issues previously reported in security audits are out of scope. All protocol audits can be found here: https://www.notion.so/thegraphfoundation/External-Protocol-Audits-95b73b22af3341b6933d74465f5f7059
  • Specifically related to OpenZeppelin’s “The Graph Protocol Audit” (August 31, 2020), C01 and C02 have already been addressed by the core dev team. More on C02 can be found here: https://forum.thegraph.com/t/openzeppelin-protocol-audit-prysm-groups-c02-economic-attack-resolution-summary/3280?u=pedro
• Natural network activity like curation whose involved mechanisms could result in unprofitable actions for the particular stakeholder

Additionally, all of the following vulnerabilities and bug report types are considered out-of-scope in this bug bounty program (though, as noted above, The Graph Foundation may occasionally make an exception and issue a reward for a material, out-of-scope impact):

• Attacks that the reporter has already exploited themselves, leading to damage
• Attacks that rely on social engineering, including requiring victim to visit an out-of-scope url
• Attacks requiring access to victim’s machine
• Attacks requiring access to keys, passwords, or other credentials which were leaked
• Attacks of third-party service providers, which could have a negative impact on The Graph i.e. misconfigurations on 3rd-party services like CloudFlare etc.
• Incorrect data supplied by third party oracles
  • Not to exclude oracle manipulation/flash loan attacks
• Basic economic governance attacks (e.g. 51% attack)
• Lack of liquidity
• Best practice critiques
• Indexer port configurations not aligned with best practices
• Sybil attacks
• Attacks that have the potential to impact token price
• Testnet assets
• “Man in the middle” attacks

Rules and Requirements All bounty hunters must abide by rules when reporting bugs to be eligible for rewards. We appreciate your cooperation.

Report Responsibly

Report vulnerabilities to The Graph first by submitting a bug report on Immunefi, to mitigate attacks and in the best interest of the network’s safety. Give reasonable time for The Graph to fix the bug before sharing publicly.

Don't Exploit Reported Bugs

Do not exploit bugs in the code to gain an advantage or conduct malicious activity in the network. No hacking or social engineering of other network users.

Don’t Violate Privacy

Do not violate the privacy of network users, other bounty hunters, or The Graph.

Don’t Attack or Defraud The Graph

Do not attack The Graph team, operations, or technology (eg. DDOS attack, spam, social engineering) or defraud The Graph team or network users.

Please also note reporting requirements:

• Bugs will only be rewarded once for successful reporting and confirmation of fix to the first person to report the bug.

• Vulnerabilities must be reproducible by The Graph team (please include all relevant links, docs, and code)

• Single vulnerabilities can be submitted per report, multiple submissions for the same vulnerability will not be counted. In case the same vulnerability and/or exploit applies to different assets in scope, these must be mentioned in a single report.

• Bounty hunters can submit multiple bug reports

• Public disclosure of the vulnerability prior to resolution may cancel a pending reward. We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.

• The Graph and affiliates will not negotiate in response to duress or threats (e.g., we will not negotiate the payout amount under threat of withholding the vulnerability or threat of releasing the vulnerability or any exposed data to the public).