Injective

@injective

Status: Live
Maximum reward: $500,000

Severity    Max. Reward
Critical    $500,000
High        $50,000
Medium      $20,000
Low         $1,000

Deposit required: $50

Findings submitted: 290

Start date: 3 Jun 2026


Introduction

Injective is a lightning-fast, interoperable layer-one blockchain optimized for building Web3 finance applications. Injective is incubated by Binance and is backed by prominent investors such as Jump Crypto, Pantera and Mark Cuban. The goal of this Bug Bounty Program is to encourage responsible security research by providing incentives for finding and reporting vulnerabilities in Injective's codebase and related systems. By participating in this Program, you help us maintain a safe, secure, and reliable environment for our users.

Documentation: docs.injective.network

Severity Definitions

The severity classifications below apply specifically to the Blockchain scope.

Critical Tier

Reserved for vulnerabilities that compromise the fundamental correctness or integrity of the blockchain. These are existential protocol-level failures, comparable to a cryptographic break or consensus failure, and would require coordinated chain recovery (e.g., halt, rollback, or hard fork).

Qualifying vulnerabilities must:

  • Compromise core protocol correctness or consensus integrity
  • Affect the network beyond a bounded subsystem, module, or application surface
  • Require coordinated chain recovery (e.g., halt, rollback, or fork)
  • Be realistically exploitable with a clear and reproducible attack path

Examples include:

  • Forgery or compromise of private keys, signatures, or transaction authorization accepted by the chain
  • Unauthorized transaction execution through ante, auth, or signature validation bypass, including account or validator impersonation
  • Honest nodes accepting or finalizing invalid blocks, state transitions, commits, or proofs
  • Violations of CometBFT consensus safety guarantees by an adversary controlling less than one-third of the voting power (down to a single validator, where applicable), resulting in invalid or malicious state being committed

High Tier

  • Vulnerabilities that may lead to substantial loss of user funds, unauthorized asset movement, or severe protocol misuse within a bounded scope
  • Significant disruption of production services or protocol functionality
  • Widespread compromise of a specific application, module, or subsystem
  • Vulnerabilities that materially harm user trust or protocol integrity, but do not compromise consensus or global chain correctness
  • Temporary or recoverable chain liveness failures (block production stalls, AppHash mismatches, or consensus interruptions) that can be resolved without rewriting or invalidating finalized chain history

Medium Tier

  • Vulnerabilities resulting in limited financial impact or moderate disruption of protocol functionality
  • Exploits with constrained scope, limited blast radius, or partial mitigation available
  • Security weaknesses requiring specific conditions or elevated complexity to exploit

Low Tier

  • Findings with minimal direct security impact
  • Security misconfigurations, weak hardening, or best-practice recommendations
  • Low-risk vulnerabilities with limited exploitability or operational impact

In addition to the above definitions, we will also use the Cantina Bug Bounty Severity Classification Framework to determine severity.

Service Level Agreement (SLA)

Severity    Acknowledgement    Resolution Target          Payment Due
Critical    48 hours           30 days from escalation    15 days from invoice
High        96 hours           30 days from escalation    15 days from invoice
Medium      96 hours           60 days from escalation    15 days from invoice
Low         96 hours           60 days from escalation    15 days from invoice

Prohibited Actions

  • No Unauthorized Testing on Production Environments: Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups.
  • No Public Disclosure Without Consent: Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose.
  • No Exploitation or Data Exfiltration: Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.
  • No Conflict of Interest: Individuals currently or formerly employed by Injective, or those who contributed to the development of the affected code, are ineligible to participate.

Eligibility

To be eligible for a reward, you must:

  • Be the first to report a previously unknown, non-public vulnerability within scope.
  • Provide sufficient information to reproduce and fix the issue.
  • Not have exploited the vulnerability in a malicious manner.
  • Not have disclosed the vulnerability to third parties prior to receiving permission.
  • Comply with all Program rules and applicable laws.

You must also be of legal age in your jurisdiction and not reside in a country under sanctions or restrictions, as required by applicable laws.

Disclosure Requirements

Reports must include:

  • A clear description of the vulnerability and its impact.
  • Steps to reproduce the issue, ideally with a proof of concept.
  • Details on the conditions under which the issue occurs.
  • Potential implications if the vulnerability were exploited.

Reports should be made as soon as possible — ideally within 24 hours of discovery.

Other Terms

By submitting a report, you grant Injective the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of Injective. The terms, conditions, and scope of this Program may be revised at any time. Participants are responsible for reviewing the latest version before submitting a report.