IMPORTANT: If you find a security issue, you can contact our team directly at security@tendermint.com, or report it to our bug bounty program on HackerOne. DO NOT open a public issue on the repository.

As part of our Coordinated Vulnerability Disclosure Policy, we operate a bug bounty program with Hacker One.

See the policy linked above for more details on submissions and rewards and read this blog post for the program scope.

The following is a list of examples of the kinds of bugs we're most interested in for the Cosmos SDK. See here for vulnerabilities we are interested in for Tendermint and other lower-level libraries (eg. IAVL).

• /baseapp
• /crypto
• /types
• /store

• x/auth
• x/bank
• x/capability
• x/staking
• x/slashing
• x/evidence
• x/distribution
• x/ibc
• x/ibc-transfer
• x/mint

We are interested in bugs in other modules, however the above are most likely to have significant vulnerabilities, due to the complexity / nuance involved. We also recommend you to read the specification of each module before digging into the code.

• Integer operations on tx parameters, especially sdk.Int / sdk.Dec
• Gas calculation & parameter choices
• Tx signature verification (see x/auth/ante)
• Possible Node DoS vectors (perhaps due to gas weighting / non constant timing)

• HD key derivation, local and Ledger, and all key-management functionality
• Side-channel attack vectors with our implementations
  • e.g. key exfiltration based on time or memory-access patterns when decrypting privkey