Aleph Zero Blog
Updated: Multiple $50,000 Reward Tickets in Aleph Zero’s and Immunefi’s Bug Bounty Program

Aug 16, 2023

The bug bounty program created in partnership with Immunefi has been updated to further enhance the network’s security. Check the new rules and get bounties!

The bug bounty program has been designed with the help of Immunefi to reward white-hat hackers who will assist us in improving Aleph Zero’s robustness. These invaluable insights will permit us to build a more secure network and safeguard both the Aleph Zero blockchain and its user base. 

Don’t wait. Start looking for bounties!

Rewards by threat level

Rewards are distributed according to their perceived harmfulness based on the Immunefi Vulnerability Severity Classification System V2.1. This 5-level scale identifies key vulnerabilities for blockchains/DLTs, focusing on the impact of the threat. 

Blockchain/DLT

  • Critical: up to 50 000 USD
  • High: up to 15 000 USD
  • Medium: up to 5 000 USD
  • Low: up to 1 000 USD

All Blockchain/DLT bug reports require a PoC to be eligible for a reward. All PoCs submitted must comply with the Immunefi-wide PoC Guidelines and Rules. Bug report submissions without a PoC will not be provided with a reward.

Payouts will be handled by the Aleph Zero team directly and denominated in USD. The actual payment is made in USDT, USDC, and AZERO: rewards for low- and medium-severity vulnerabilities are paid out in AZERO, while high- and critical-severity vulnerabilities are paid out 50% in AZERO and 50% in USDT and USDC.

The Scope of the Program

Target             Type
Aleph Node         Blockchain/DLT – Aleph Node
AlephBFT Crates    Blockchain/DLT – AlephBFT

The table above lists the assets that are considered as in-scope of the bug bounty program.

If a team discovers a vulnerability that is outside of the scope of the program, they are encouraged to submit it to the Aleph Zero team for consideration.

Impacts in Scope

Only the following impacts will be considered within this bug bounty initiative. All other impacts are not considered as in-scope, even if they affect the assets listed in the scope table.

Blockchain/DLT

Critical

  • Network not being able to confirm new transactions (Total network shutdown).
  • Unintended permanent chain split requiring hard fork (Network partition requiring hard fork).
  • Direct loss of funds.
  • Permanent finalization stall.

High

  • Prolonged chain splits and/or long finalization stalls.
  • RPC API crash affecting projects with greater than or equal to 25% of the market capitalization on top of the respective layer.

Medium

  • High compute consumption by validator nodes.

Low

  • Underpricing transaction fees relative to computation time.

Out of Scope & Rules

The following categories are out of the scope of the rewards program.

All Categories

  • Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
  • Impacts caused by attacks requiring access to leaked keys/credentials
  • Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible
  • Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
  • Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
  • Best practice recommendations
  • Feature requests
  • Impacts on test files and configuration files unless stated otherwise in the bug bounty program

Smart Contracts and Blockchain/DLT

  • Incorrect data supplied by third party oracles
      • Not to exclude oracle manipulation/flash loan attacks
  • Impacts requiring basic economic and governance attacks (e.g. 51% attack)
  • Lack of liquidity impacts
  • Impacts from Sybil attacks
  • Impacts involving centralization risks

The following activities are prohibited by this bug bounty program:

  • Any testing on mainnet or public testnet deployed code; all testing should be done on local forks of either public testnet or mainnet
  • Any testing with pricing oracles or third-party smart contracts
  • Attempting phishing or other social engineering attacks against our employees and/or customers
  • Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
  • Any denial of service attacks that are executed against project assets
  • Automated testing of services that generates significant amounts of traffic
  • Public disclosure of an unpatched vulnerability in an embargoed bounty

About Immunefi

Immunefi launched on December 9, 2020, as a bug bounty platform focused on Web3 and smart contract security. We provide bug bounty hosting, consultation, bug triaging, and program management services to blockchain and smart contract projects.

Bug bounty programs are open invitations to security researchers to discover and disclose potential vulnerabilities in projects’ smart contracts and applications, thereby protecting projects and their users. For their good work, security researchers receive a reward based on the severity of the vulnerability, as determined by the project affected.

In the first three months of 2023 alone, hacks and scams cost the Web3 community over $400 million, and bug bounties can prevent those hacks from happening. Bug bounty programs surface vulnerabilities so they can be fixed before they get exploited in malicious hacks that destroy projects and ruin reputations.

May the Hunt Begin!

Now that we’ve gone over the rules, it’s time to initiate the bug bounty program! We are excited by the opportunities presented by this initiative and hope to use this experience to build a more secure blockchain ecosystem.

Don’t wait. Start looking for bounties!