Supporting the Smart Contract Vulnerability Research Community
The Chainlink Network is known for its unparalleled security and reliability in the smart contract economy. This reputation results from a security-first approach to designing, implementing, and maintaining Chainlink services, combined with extensive auditing and collaboration with smart contract security experts to protect the Chainlink Network against malicious threats.
To mitigate the potential extent of vulnerabilities, Chainlink Labs has worked with top smart contract auditing firms and independent researchers to harden the Chainlink protocol against potential attack vectors.
In this post, we’ll highlight the importance of smart contract vulnerability research for a secure and sustainable Web3 economy and illustrate how Chainlink Labs supports independent security researchers who help strengthen the Chainlink Network against security threats.
The Importance of Security Research
Chainlink Price Feeds first went live in 2019 to serve the growing demand from smart contract applications that require access to secure and accurate market data on blockchain networks. Over time, the Chainlink Network has grown from high-quality price feeds supporting the inception of the DeFi movement to a comprehensive Web3 services platform that provides developers with the tools they need to build sophisticated smart contract applications without having to compromise on security and reliability.
This has propelled Chainlink to become the industry standard across many verticals, including DeFi, onchain finance, NFTs, gaming, and more. Simultaneously, this rapid expansion has also broadened the possible range of security attack vectors and increased the volume of code requiring ongoing auditing. These continuous processes help ensure that Chainlink services maintain strong security and reliability guarantees under all network and market conditions.
The security-first design architecture and the defense-in-depth security model underpinning Chainlink services involve engaging with leading smart contract auditing firms and independent vulnerability researchers to identify security vulnerabilities before they can impact live systems, helping to protect the smart contract economy against malicious attackers. The dedicated work of independent researchers helps the Chainlink Network maintain its unparalleled security and reliability guarantees that set it apart in the Web3 industry.
The Chainlink Cross-Chain Interoperability Protocol (CCIP) sets a new standard in cross-chain communication by using five levels of cross-chain security, with multiple layers of decentralization and advanced risk management. This unprecedented level of security is achieved through a defense-in-depth approach and several additional layers of protection via the Risk Management Network and transfer rate limits.
In addition to multiple independent audits conducted in preparation for the initial mainnet launch, two crowdsourced audits of CCIP were conducted on the Code4rena (C4) platform, with $340K+ awarded to independent security researchers who helped further harden the CCIP codebase.
Chainlink Bug Bounty Programs
Participating in audit programs and incentivizing top security professionals are among the strategies used to enhance the security and reliability of Chainlink services, and to uphold Chainlink’s strong reputation for these qualities.
The Chainlink bug bounty program on HackerOne, which acts as a repository for vulnerability submissions, helps Chainlink Labs engage with developers and security engineers who examine Chainlink code and harden it against potential attack vectors. The areas in scope for this bug bounty program include Chainlink node software, Chainlink Solidity smart contracts, LINK testnet faucets, explorers, Data Feeds UI, and more.
Since 2021, Chainlink Labs has also been conducting a bug bounty program through the Immunefi platform. Rewards are distributed according to the impact of the vulnerability based on Immunefi’s vulnerability severity classification system, with a maximum bounty of $3M for critical severity bugs. Smart contract bug reports require a proof of concept and a suggestion for a fix to be eligible for a reward. Website and application bug reports must come with a proof of concept with an end-effect impacting an asset-in-scope in order to be considered for a reward.
Since the inception of the bug bounty programs on HackerOne and Immunefi, over $500K in total has been paid across 75+ resolved reports to more than 50 independent researchers.
In addition, Chainlink Labs has participated in five crowdsourced audits on Code4rena, with participation by over 500 researchers and a total combined prize pool of $700K+. Contests have covered Chainlink Staking v0.1, Chainlink Staking v0.2, Cross-Chain Interoperability Protocol (CCIP) and Risk Management Network, and CCIP administration contracts. Chainlink ranks in the Top 5 of total combined prize pools for all projects on C4.
These crowdsourced audits supplement the multiple independent security audits that Chainlink services undergo to strengthen their codebase.
Case Study: Immunefi Bug Bounty Report
Independent researchers can help identify potential security vulnerabilities within Chainlink services. Upon discovery, they can submit a report, the findings of which are subsequently verified by the Chainlink Labs team. The severity of the vulnerability is then assessed, and if necessary, a mitigation strategy is implemented.
Here’s a recent example of Chainlink Labs working with smart contract security experts to collectively harden the Chainlink platform.
In late 2022, two independent security researchers participating on the Immunefi platform, Zach Obront and Or Cyngiser (aka Trust), submitted a report on Chainlink VRF v2, which was subsequently validated by the Chainlink Labs team and categorized by the Immunefi program as a critical-impact smart contract vulnerability.
Trust is the head of Trust Security and a consistent presence on the C4 and Immunefi leaderboards. Zach is the Lead Security Researcher at Spearbit and Senior Watson at Sherlock.
In the scenario outlined in their finding, a malicious VRF subscription owner could have blocked and rerolled randomness until they received a desired value, effectively preventing their users from getting a neutral randomness roll.
The Chainlink Labs team investigated the issue and determined that while it could compromise Chainlink VRF’s intended use of providing transparently verifiable tamper-resistant onchain randomness, the exploitable scenario required a number of specific conditions to be met and would be detectable onchain. Most notably, the subscription owner—a role typically controlled by the team behind the dApp using VRF—must be malicious or compromised. After consultation with the researchers, a mitigation was subsequently implemented that ensures randomness delivery if a malicious VRF subscription owner attempts to exploit the reported issue.
For reporting this finding, the researchers received a bounty of $300,000, which ranks in the top 10 of Immunefi bounties.
Chainlink Labs supports the responsible participation of the Web3 community in the vulnerability research field and looks forward to continued active participation in bug bounty programs and audit contests.
Conclusion
Smart contract vulnerability research is critical for maintaining the integrity of Chainlink services and the broader smart contract economy, and Chainlink Labs is committed to supporting the white hat smart contract vulnerability research community.
If you believe you have discovered a security or privacy vulnerability in any Chainlink systems or products, please report it through the official bug bounty programs on HackerOne or Immunefi.
To ensure proper tracking, triage, and bounty rewards, we only accept vulnerability and bug reports submitted through these channels and do not accept direct reports.
However, if you need to contact the Security team for any other reason, please use the email address [email protected] and the PGP key that can be found at chain.link/security.