The Diamante Network has launched on the mainnet, and we need your help to ensure the security of the protocol! The Diamante Bounty Program is launching to identify bugs and critical vulnerabilities in network infrastructure and smart contracts.
Up to 0.5% of the total DIAM Coin supply is allocated to reward successful bounty hunters. Please review the program terms and scope below.
Bounty Program Scope
The Diamante Bug Bounty Program is seeking researchers and developers to find and report vulnerabilities in the protocol infrastructure, including:
- Network smart contracts
- DIAM node and validating CLI
- Validator selection
- Query cost model/market logic
- State channel/ledger channels
You can find all protocol components in the Diamante Code Repo.
There are three tiers of bounty (D0, D1, D2) that vary by bug severity and reward size. D0 bounties cover the most critical issues and are valued the highest.
Vulnerabilities that could cause Validator, Archiver, Watcher, or end-user funds to be exploited, stolen, or locked up.
- A bug in a smart contract, state channels, gateway, or the default Validator software that could result in the loss of funds
- A bug that could cause incorrect payouts of query fees or indexing rewards
- An economic attack that could result in a Validator, Archiver, or Watcher losing a significant amount of funds or being exploited
- A bug that allows an attacker to impersonate network participants and take unwanted actions on their behalf (e.g. transferring their funds)
Vulnerabilities that could cause private user information (e.g. keys or other private key material) to be stolen.
- A bug in a smart contract, state channels, or the default Validator software that could result in private information being stolen
- A bug that allows remote code execution resulting in personal information stolen
Vulnerabilities in the Validator software (e.g. DIAM Node, Validator CLI) that could cause it to malfunction or prevent it from running effectively.
- A bug that could cause a malfunction
- A bug that could make it difficult or impossible to run a validator effectively
- A bug that could halt or delay a validator's ability to process a query or receive payments
Vulnerabilities that could cause the protocol or query market to “halt” or impact the liveness of the protocol.
- A bug in a smart contract, state channels, or the default Validator software that could result in a "halt" or an impact to liveness
- A bug that could enable a DoS attack, or that lets an attacker exert severe load on the network
- A bug whereby an attacker does not pay sufficient DIAM fees for the load they exert on the network
Determinism bugs that could lead to incorrect or inconsistent query results by validators in the network.
- A vulnerability that could cause two or more validators to return different results for the same query when the approved code is run
- A vulnerability that could cause inaccurate query data to be served
Vulnerabilities that could degrade the validation or querying service.
- A bug that could cause service functionality, throughput, or utility to be degraded but not disabled
- A griefing attack on the services provided or network participants
Impersonation or Sybil attack vulnerabilities
- A bug that could encourage or incentivize Sybil attacking or impersonating users
Not in scope
There are several known potential exploits on the Diamante infrastructure. Bounty hunters will not be rewarded for reporting these:
- Bugs already identified in external third-party audits
- Non-traditional state channel boundary conditions
State channels rely on a number of recommended parameters and boundary conditions for proper operation. A reported vulnerability that does not assume these boundary conditions on the parameters will not be considered valid unless it is also proven that the network violates these parameters somewhere.
A bug disclosure about state channels will therefore only be valid if it is proven that state channels are not secure under the above assumptions, or that an attacker can reasonably trigger a violation of one of those assumptions (e.g. by causing a "mass exit").
Responsible Disclosure and Reporting Rules
Bugs should be reported by submitting the Bounty Reporting Form, or by emailing firstname.lastname@example.org directly for critical vulnerabilities.
All bounty hunters must abide by rules when reporting bugs to be eligible for rewards. We appreciate your cooperation.
Report vulnerabilities to Diamante first, by completing the Bounty Reporting Form, so that attacks can be mitigated in the best interest of the network's safety. Give Diamante reasonable time to fix the bug before sharing it publicly.
Document Attacks & Data
Record the affected components, reproduction steps, and any data about the vulnerability to share with the Diamante team so they can learn from the report and fix the bug. Please provide relevant screenshots, docs, code, and steps to reproduce the issue.
Don’t Exploit Reported Bugs
Do not exploit bugs in the code to gain an advantage or conduct malicious activity in the network. No hacking or social engineering of other network users.
Don’t Violate Privacy
Do not violate the privacy of network users, other bounty hunters, or Diamante.
Don’t Attack or Defraud Diamante
Do not attack the Diamante team, operations, or technology (e.g. DDoS attacks, spam, social engineering), and do not defraud the Diamante team or network users.
Please also note reporting requirements:
- Each bug is rewarded once, to the first person to report it, after the report has been confirmed and the fix verified.
- Vulnerabilities must be reproducible by the Diamante team (please include all relevant links, docs, and code).
- Submit one vulnerability per form; multiple submissions for the same vulnerability will not be counted.
- Bounty hunters can submit multiple bug reports.
- Public disclosure of the vulnerability before a resolution may cancel a pending reward. We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.
- Diamante and affiliates will not negotiate in response to duress or threats (e.g., we will not negotiate the payout amount under threat of withholding the vulnerability or threat of releasing the vulnerability or any exposed data to the public).
These rules are illustrative and other rules may be added by Diamante in its sole discretion and without notice. Participants will be disqualified if they do not follow rules or conduct themselves in bad faith as determined by Diamante in its sole discretion.
Up to 0.5% of the DIAM supply is being allocated to The Diamante Bounty Program to reward successful bounty hunters.
Overall, any reported bug that impacts the security of the Diamante network will be rewarded. Rewards will range between USD 100 and USD 50,000 worth of DIAM, valued at the public DIAM Sale price. The reward will depend on the severity and complexity of the bug, as determined in Diamante's sole discretion, as well as the thoroughness of the report and the reporter's cooperation.
- D0 Bounties - Up to $50,000
- D1 Bounties - Up to $20,000
- D2 Bounties - Up to $5,000
If you or your company were employed for a security audit on Diamante within the last six months, rewards may be decreased accordingly. The Diamante Bounty Program rewards will be distributed at Diamante’s discretion.