Diamante Bug Bounty Program

Enroll, Report & Get Rewarded

Bug Bounty

The Diamante Network has launched on the mainnet, and we need your help to ensure the security of the protocol! The Diamante Bounty Program is launching to identify bugs and critical vulnerabilities in network infrastructure and smart contracts.

Up to 0.5% of the total DIAM Coin supply is allocated to reward successful bounty hunters. Please review the program terms and scope below.


Bounty Program Scope

The Diamante Bug Bounty Program is seeking researchers and developers to find and report vulnerabilities in the protocol infrastructure, including:
  • Network smart contracts
  • DIAM node and validating CLI
  • Validator selection
  • Query cost model/market logic
  • State channel/ledger channels

You can find all protocol components in the Diamante Code Repo.

Bounty Types

There are three bounty tiers, which vary by bug severity and reward size. D0 bounties are the most critical and are valued the highest.
D0 Bounties

Vulnerabilities that could cause Validator, Archiver, Watcher, or end-user funds to be exploited, stolen, or locked up.

  • A bug in a smart contract, state channels, gateway, or the default Validator software that could result in the loss of funds
  • A bug that could cause incorrect payouts of query fees or indexing rewards
  • An economic attack that could result in a Validator, Archiver, or Watcher losing a significant amount of funds or being exploited
  • A bug that could allow an attacker to impersonate network participants and take unwanted actions on their behalf (e.g. transferring funds)

Vulnerabilities that could allow private user information (e.g. private keys) to be stolen.

  • A bug in a smart contract, state channels, or the default Validator software that could result in private information being stolen
  • A bug that allows remote code execution resulting in personal information being stolen
D1 Bounties

Vulnerabilities in the Validator software (e.g. DIAM Node, Validator CLI) that could cause it to malfunction or prevent it from running effectively.

  • A bug that could cause a malfunction
  • A bug that could make it difficult or impossible to run a validator effectively
  • A bug that could halt or delay a validator’s ability to process a query or receive payments

Vulnerabilities that could cause the protocol or query market to “halt” or impact the liveness of the protocol.

  • A bug in a smart contract, state channels, or the default validator software that could result in a "halt" or an impact to liveness
  • A bug that could enable a DoS attack, or that allows an attacker to exert severe load on the network
  • A bug whereby an attacker does not pay sufficient DIAM fees for the load they exert on the network

Determinism bugs that could lead to incorrect or inconsistent query results by validators in the network.

  • A vulnerability that could cause two or more validators to return different results for the same query when running the approved code
  • A vulnerability that could cause inaccurate query data to be served
D2 Bounties

Vulnerabilities that could degrade the validation or querying service.

  • A bug that could degrade service functionality, throughput, or utility without disabling it
  • A griefing attack on the services provided or network participants

Impersonation or Sybil attack vulnerabilities

  • A bug that could encourage or incentivize Sybil attacking or impersonating users

Not in scope

There are several known potential exploits of the Diamante infrastructure. Bounty hunters will not be rewarded for reporting these:
  • Frontrunning
  • Bugs already identified in external third-party audits
  • Non-traditional state channel boundary conditions

Related to state channels, there are a number of parameters and boundary conditions recommended for proper state channel operation. Any reported vulnerability that does not assume these boundary conditions on the parameters will not be considered valid unless it is also proven that the network is violating these parameters somewhere.

A bug disclosure about state channels will only be valid if it is proven that state channels are not secure under these assumptions, or that an attacker can reasonably trigger a violation of one of these assumptions (e.g. by causing a “mass exit”).

Responsible Disclosure and Reporting Rules

Bugs should be reported by submitting the Bounty Reporting Form or, for critical vulnerabilities, by emailing info@diamcircle.io directly.
All bounty hunters must abide by the following rules when reporting bugs to be eligible for rewards. We appreciate your cooperation.
  • Report Responsibly

    Report vulnerabilities to Diamante first by completing the Bounty Reporting Form, so that attacks can be mitigated in the best interest of the network’s safety. Give Diamante reasonable time to fix the bug before sharing it publicly.

  • Document Attacks & Data

    Log the affected components, reproduction steps, and data about the vulnerability to share with the Diamante team, to support learning and bug fixes. Please provide relevant screenshots, docs, code, and steps to reproduce the issue.

  • Don’t Exploit Reported Bugs

    Do not exploit bugs in the code to gain an advantage or conduct malicious activity in the network. No hacking or social engineering of other network users.

  • Don’t Violate Privacy

    Do not violate the privacy of network users, other bounty hunters, or Diamante.

  • Don’t Attack or Defraud Diamante

    Do not attack the Diamante team, operations, or technology (e.g. DDOS attack, spam, social engineering) or defraud the Diamante team or network users.

Please also note reporting requirements:
  • A bug will only be rewarded once, to the first person to report it, after successful reporting and confirmation of the fix.
  • Vulnerabilities must be reproducible by the Diamante team (please include all relevant links, docs, and code).
  • Submit a single vulnerability per form; multiple submissions for the same vulnerability will not be counted.
  • Bounty hunters can submit multiple bug reports.
  • Public disclosure of the vulnerability before a resolution may cancel a pending reward. We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.
  • Diamante and affiliates will not negotiate in response to duress or threats (e.g., we will not negotiate the payout amount under threat of withholding the vulnerability or threat of releasing the vulnerability or any exposed data to the public).
These rules are illustrative and other rules may be added by Diamante in its sole discretion and without notice. Participants will be disqualified if they do not follow rules or conduct themselves in bad faith as determined by Diamante in its sole discretion.

Rewards

Up to 0.5% of the DIAM supply is being allocated to The Diamante Bounty Program to reward successful bounty hunters.
Overall, any report of a bug that impacts the security of the Diamante Network will be rewarded. Rewards will range between USD 100 and USD 50,000 worth of DIAM, at the public DIAM Sale price. Rewards will depend on bug severity and complexity, as determined in Diamante’s sole discretion, the thoroughness of the report, and cooperation.
  • D0 Bounties - Up to $50,000
  • D1 Bounties - Up to $20,000
  • D2 Bounties - Up to $5,000

If you or your company were employed for a security audit of Diamante within the last six months, rewards may be decreased accordingly. Diamante Bounty Program rewards will be distributed at Diamante’s discretion.

Eligibility

All bounty hunters must successfully complete KYC at https://sale.diamcircle.io/ to be eligible for rewards. Diamante has the right to disqualify any contributor at any time if their behavior is deemed harmful or malicious to the Diamante Network or its users, or does not follow the Bug Bounty Program rules and policies. For other eligibility questions, please contact info@diamcircle.io

Safe Harbor

We will not pursue civil action or initiate a complaint to law enforcement for accidental, good-faith violations of this Bug Bounty Program. We consider activities consistent with this policy to constitute “authorized” conduct under the Computer Fraud and Abuse Act (CFAA). To the extent your activities are inconsistent with certain restrictions in our Terms of Use, we waive those restrictions for the limited purpose of permitting security research under this policy. We will not bring a Digital Millennium Copyright Act (DMCA) claim against you for circumventing the technological measures we have used to protect the applications in scope. If legal action is initiated by a third party against you and you have complied with the Diamante Bug Bounty Program, Diamante will take steps to make it known that your activities were conducted in compliance with this Program. If at any time you have concerns or are uncertain whether your security research may be inconsistent with or unaddressed by this Program, please inquire via https://diamcircle.io/contact-us/ before going any further.

Final Notes

You are responsible for paying any taxes associated with rewards. We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively. Reports from individuals who we are prohibited by law from paying are ineligible for rewards. Employees of Diamante and their family members are not eligible for bounties.