6296 Donnelly Plaza
Metaplex Foundation is launching the Metaplex Bug Bounty Program to reward developers that find and report security vulnerabilities, with rewards ranging from $200 to $200,000.
Metaplex is a NFT ecosystem on Solana made up of two core components: an on-chain program, and a self-hosted front-end web3 application to build your own NFT marketplace.
Metaplex also defines the Token Metadata Standard used by Solana based NFTs and provides a suite of tools for creating and minting an NFT collection. Metaplex recently crossed the 9,000,000 NFTs minted mark.
Being in front of security vulnerabilities is one of our highest priorities at the Metaplex Foundation. After recent vulnerabilities were discovered by teams we collaborate closely with, we committed to honoring and compensating developers who choose to build a stronger ecosystem together, rather than tear down the work of our community.
In January the Bonfida team found a critical vulnerability in the Metaplex auction smart contract used by many NFT marketplaces.
This exploit put the funds within the auction program at risk of being stolen by allowing one user to steal the bid from another user.
An attacker could supply an account which was already in use for an auction causing funds for both bids to be merged into the same token account. Then calling cancel_bid would empty the entire token account into the attacker’s account, enabling one user to steal the bid from another user.
Fortunately, the exploit was fixed before funds were stolen.
That is exactly the goal of the Metaplex bug bounty program, to find and fix vulnerabilities before any damage is done.
Bug bounty programs leverage the white-hat hacker community by providing financial incentives for successfully finding a vulnerability before bad actors do. When bounty hunters report valid bugs, companies pay them.
Why should you participate in a bug bounty program?
Fun, Fame, and Fortune!
In some cases, hackers earn full-time incomes by finding and reporting bugs via a bug bounty program. It’s a great way to show real-world experience when you’re trying to get hired. It can also be fun to test out your skills (legally and ethically of course).
Bug bounties are nothing new in Web3 or Solana.
After a critical exploit on the Wormhole token bridge resulting in $321 million in funds being stolen, Wormhole launched a $10 million bug bounty program.
Solend, Tulip and Larix teamed up to reward Neodyme $1 million after finding a vulnerability in the SPL token-lending library that Solend and others use.
The Metaplex Foundation Bug Bounty program is a tiered system based on severity.
Tiers are based on the importance of a program to the Metaplex community ecosystem. The more vital the program is, the higher the security tier. For example, the Token Metadata Program is a higher tier.
The level of stability and audits also factor into the tiers. The more stable a program is, and if it’s been audited by a third party, the more likely it will be in a higher security tier.
Rewards are also based on the ranking of severity of a reported vulnerability.
Critical bugs present an immediate risk to users by putting funds at risk or allowing arbitrary code execution.
High risks are when an attacker finds a way to read or modify sensitive data or behaviors that they should have access to, such as finding a way to modify token metadata or the candy machine configuration.
Medium attacks are when limited amounts of data or behaviors are at risk. An example would be finding a way around the Candy Machine captcha.
Low priority bugs violate how something is intended to work, but don’t allow dangerous behavior by an attacker. An example would be finding a way around the Candy Machine captcha.
Vulnerabilities should be responsibly disclosed according the the Metaplex Bug Bounty guidelines. This means reporting your in-scope vulnerability with written instructions for reproducing the issue and not disclosing anything about the vulnerability you found until a fix has been confirmed by the Metaplex team.
Once the Metaplex team has confirmed the vulnerability, you will become eligible to receive a reward in most cases. All reward amounts are determined by the Severity Guidelines and Project/Program tiers.
Questions or Submissions? Email email@example.com