Skip to content

Security: dfinance/cosmos-sdk

Security

SECURITY.md

Security

IMPORTANT: If you find a security issue, you can contact our team directly at security@tendermint.com, or report it to our bug bounty program on HackerOne. DO NOT open a public issue on the repository.

Bug Bounty

As part of our Coordinated Vulnerability Disclosure Policy, we operate a bug bounty program with Hacker One.

See the policy linked above for more details on submissions and rewards and read this blog post for the program scope.

The following is a list of examples of the kinds of bugs we're most interested in for the Cosmos SDK. See here for vulnerabilities we are interested in for Tendermint and other lower-level libraries (eg. IAVL).

Core packages

Modules

We are interested in bugs in other modules, however the above are most likely to have significant vulnerabilities, due to the complexity / nuance involved. We also recommend you to read the specification of each module before digging into the code.

How we process Tx parameters

  • Integer operations on tx parameters, especially sdk.Int / sdk.Dec
  • Gas calculation & parameter choices
  • Tx signature verification (see x/auth/ante)
  • Possible Node DoS vectors (perhaps due to gas weighting / non constant timing)

Handling private keys

  • HD key derivation, local and Ledger, and all key-management functionality
  • Side-channel attack vectors with our implementations
    • e.g. key exfiltration based on time or memory-access patterns when decrypting privkey

There aren’t any published security advisories