Spot vulnerabilities, earn rewards
The Walrus bug bounty program offers rewards up to $100,000
What's in scope?
The following types of vulnerabilities are eligible for rewards under the Walrus bug bounty program. For the most accurate and current list, please refer to our official page on HackenProof. Issues outside of this defined scope may not qualify for a bounty.
Vulnerabilities that, if exploited in the current deployment on Walrus Mainnet, could result in loss of funds exceeding $100,000 in notional value. Example: Theft of accumulated system rewards that are stored in the Walrus system smart contract.
- Data Loss/Deletion: Vulnerabilities that enable an attacker to perform unauthorized or unintended deletion of stored blob data, or to irreversibly corrupt it.
  - Example: A bug allowing an attacker to trigger an unintended deletion across multiple nodes.
- Economic Abuse – Zero/Near-Zero Payment: Any flaw that allows an attacker to store data while paying little to nothing for storage, bypassing fee controls or staking requirements.
  - Example: Exploiting a bug in the fee calculation or smart contract logic so that users can acquire storage at zero cost.
- Integrity and Availability Breaches: Issues that compromise the correctness of the availability certificate (e.g., forging commitments) or subvert the recovery mechanism, potentially allowing an attacker to prevent legitimate data recovery.
- Economic Manipulation: Vulnerabilities that allow an attacker to manipulate fee payment, commission rates, or staking rewards in a way that might lead to financial imbalance or unfair economic advantage.
- Authentication and Authorization Flaws: Bugs that could let an attacker impersonate a storage node or bypass certain access controls.
- Full DoS of the network with no recovery possible without a hard fork
- DoS of Walrus Aggregator and/or Indexer (no brute force)
- To be determined and confirmed by the Walrus team.