FVM M1 milestone opens bug bounty program, which is nice

Following last week's progress update on FVM (Filecoin Virtual Machine) milestone M0.5, the Filecoin team launched the FVM bug bounty program this week, inviting bug hunters and community developers to help find vulnerabilities in the FVM milestone M1 code base ahead of the M1 upgrade, which is part of the Filecoin network upgrade to v16 Skyr in May.


As part of milestone M1, the Filecoin network will gradually transition to FVM-only. This is a major change: all client implementations switch from the current legacy virtual machine to the new Wasm-based FVM.




Additionally, the next update includes a new gas model that takes Wasm execution costs into account. Under the current plan, M1 only supports the built-in actors written in Rust; truly user-programmable actors are expected in milestone M2, due in September.


Since this is a brand new codebase, one of the team's main focus areas right now is inviting more external developers to audit the M1 codebase for potential implementation bugs. The team also hopes the Filecoin community will take the opportunity to explore the FVM reference implementation and the updated built-in actors v8, and give feedback on individual methods.


In addition to incentivizing bug hunters through the program, members of the Filecoin contributor team have completed an initial internal audit, and audits by external security experts have officially started. Enhancement work is in progress in parallel. According to the plan, FVM will be rolled out to the Filecoin mainnet gradually, in several milestones.



What is the scope of the FVM M1 bug bounty?


1.  Reference implementation of FVM (ref-fvm)

(https://github.com/filecoin-project/ref-fvm)

  • A reference implementation of the Filecoin VM.

  • Written in Rust, designed to integrate into non-Rust clients via FFI, or directly into Rust clients.


2.  Lotus: Reference implementation of FVM integration

(https://github.com/filecoin-project/lotus/pull/8293)

  • Integrate Ref FVM into Lotus via FFI.

  • Written in Go.


*The PRs (pull requests) listed are only entry points into the codebase; the scope is not limited to them. Please also check what is on master and the other open PRs.


3. Lotus: Filecoin FFI

(https://github.com/filecoin-project/filecoin-ffi/pull/217)

  • FFI glue code.

  • Written in Go and Rust.


* Same as above: the linked PR is only an entry point, and the scope is not limited to it.


4. Built-in actors

  • The built-in actors, written in Rust and compiled to Wasm, are used by all Filecoin clients.

  • The actor specification (https://spec.filecoin.io/systems/filecoin_vm/actor/) and the test vectors (https://github.com/filecoin-project/specs-actors/tree/master/test-vectors) are available as actor references.

  • Executable specifications written in Go are available at filecoin-project/specs-actors, which power the Filecoin network pre-FVM.


*Note that audit participants generally require expertise in the Filecoin domain.


Awards and Out of Scope

The FVM team hopes to get as much outside help from the community as possible to review the code before M1 is released, and this review has already produced fixes in certain known areas. The team also maintains a list of exclusions on GitHub (https://github.com/filecoin-project/ref-fvm/issues/428), including the previously listed known issues, which will be updated regularly. Only findings not covered by this exclusion list will be eligible for the bounty.


Reported security vulnerabilities are eligible for severity-based bug bounties, rated by their impact and likelihood. Using the OWASP Risk Rating Model, the guidelines for assigning points to reported issues by severity are:

  • Critical: up to 100,000 points

  • High: up to 50,000 points

  • Medium: up to 15,000 points

  • Low: up to 2,500 points

  • Note: up to 500 points

Currently 1 point = 1 USD (paid in USD, DAI or FIL).


There will also be higher rewards for reported bugs that provide high-quality written descriptions, test code, scripts, and detailed instructions, as well as documented fixes.


The Filecoin Security Team, consisting of core developers and contributors, evaluates the criticality of vulnerabilities and assigns specific bounty amounts at its sole discretion.


The rewards for reporting FVM M1 bugs are the same as the regular bug bounty rewards in the Filecoin security program, and the regular program's rules, including its out-of-scope exclusions, apply to this bounty as well.


Bugs in Filecoin client implementations (Lotus, Venus, Forest, Fuhon) and the Filecoin Proofs library fall within the normal Filecoin security program scope and rewards. Previous Filecoin audits can be found in the audit section of Filecoin Specs (https://spec.filecoin.io/appendix/audit_reports/).


Test tools

Building on the Filecoin test vectors that support cross-node interoperability testing, the FVM test vectors are specific to FVM and exercise it as a whole. A dedicated community development team is also building an integration testing framework to check the correctness of FVM, and the various components of FVM will be fuzzed.


Report bugs

To report a vulnerability for a bounty, please contact [email protected], following the confidential reporting guidelines outlined here (https://security.filecoin.io/#vulnerability-reporting). The FVM bug bounty program will also be posted on Gitcoin and shared on ImmuneFi.


*Please do not file public issues or discuss bugs in public places such as Slack or Twitter; doing so makes the report ineligible for rewards.


Looking to the future

By the end of May, the team hopes that the existing developer community and new external developers will have helped uncover the various potential vulnerabilities in FVM M1, and the subsequent milestone, FVM M2, will go on to add user programmability and EVM compatibility.


This will be one of the most anticipated additions to the Filecoin protocol. With custom actors, developers will be able to use Filecoin for a truly wide range of use cases, from programmable storage to DeFi, DAOs, subscriptions, insurance, and more. You can visit the FVM website (https://fvm.filecoin.io/) to learn more.


In preparation for the M2 release, the FVM team may launch further security audits and another round of bug bounties for the upcoming M2 codebase in July. At the same time, developers of all kinds are invited to give early builders hands-on access to the early FVM through the FVM Foundry Program, covering developer workflows, tooling, and early dapps.


Don't forget to stay tuned for this summer's FVM bug bounty!


Source: blog.csdn.net/sxx17786315357/article/details/124145868