Bug Bounty Program
Tornado Cash Official’s bug bounty program encourages security researchers to identify and report vulnerabilities in our smart contracts, front-end, or other components. Eligible reports are rewarded with TORN tokens.
Program Scope
The bug bounty covers:
- Smart Contracts: Bugs in pool contracts, zk-SNARK verification, or governance contracts.
- Front-End: Vulnerabilities in the Tornado Cash Official interface.
- Relayers: Issues with relayer infrastructure.
- APIs: Security flaws in the API.
Eligibility
Valid reports include:
- Critical bugs like fund loss, unauthorized access, or denial-of-service.
- Privacy leaks compromising user anonymity.
- Exploits in anonymity mining or staking.
Out-of-scope issues include:
- Social engineering or phishing attacks.
- Previously reported bugs.
- Issues requiring unrealistic assumptions (e.g., compromised private keys).
Reward Structure
Rewards are based on severity:
- Critical: Up to 10,000 TORN (e.g., fund theft).
- High: Up to 5,000 TORN (e.g., privacy leaks).
- Medium: Up to 1,000 TORN (e.g., non-critical bugs).
- Low: Up to 100 TORN (e.g., minor issues).
Note: Rewards are approved via governance proposals and paid in TORN.
How to Submit
To report a vulnerability:
- Submit details via GitHub issues or the bug bounty portal (check Telegram for updates).
- Include a clear description, reproduction steps, and impact assessment.
- Do not disclose the issue publicly until resolved.
- Await review from the Tornado Cash Official team.
Responsible Disclosure
We follow responsible disclosure:
- Reports are reviewed within 7 days.
- Fixes are deployed promptly, with optional credit to reporters.
- Public disclosure occurs only after resolution.
Further Reading
Explore related topics:
- Smart Contracts for technical details.
- Contributing for other ways to help.
- FAQ for common questions.