| Risk Score | Payout |
|---|---|
| Critical | $10,000 - $150,000 |
| High | $5,000 - $10,000 |
| Medium | $1,000 - $5,000 |
| Low | $250 - $1,000 |
SP1 is a zero-knowledge virtual machine (zkVM) which allows developers to prove an execution of arbitrary Rust (or other LLVM-compiled language) programs. This means
- A developer can write a normal Rust code, which is then compiled to an ELF.
- Given the ELF, SP1 sets up a proving key and a verifying key.
- SP1 zkVM generates a proof on the execution of the Rust code using the proving key.
- The verifying key can be used to verify the generated proof.
SP1's CLI tool will compile the Rust program into a RISC-V and generate an ELF. SP1 zkVM is composed of the various ZKP circuits, which prove the behavior of various opcodes of RISC-V. This creates a proof of execution based on STARK. SP1 then utilizes recursive STARKs as well as a STARK to SNARK wrapper to generate a small SNARK proof that can be verified on-chain. This recursion also allows SP1 to break an execution into smaller shards, which makes it possible to prove arbitrarily long program execution.
- SP1 Docs: Our system documentation, subject to change: Link
- SP1 Memory Argument Docs: Link
- SP1 Security Docs: Our security model - Link
- SP1 Security Advisories: Link
- SP1 Audit Reports: Link
- Succinct Website: Link
- Twitter: @SuccinctLabs
- Other Links: Link
We mainly expect two types of vulnerabilities.
Soundness Bugs: Issues where invalid execution can be proved to be correct.
The severity will be based on how high the impact of the invalid execution can be.
| Severity level | Impact: High | Impact: Medium |
|---|---|---|
| Likelihood: High | Critical | High |
| Likelihood: Medium | High | Medium |
Completeness Bugs: Issues where valid execution cannot be proved to be correct.
The impact is judged on the impact of the program where the completeness bug occur. The likelihood is judged based on the scenario where the completeness bug occur.
| Severity level | Impact: High | Impact: Medium |
|---|---|---|
| Likelihood: High | Medium | Low |
| Likelihood: Medium | Low | Low |
For other class of vulnerabilities, the following criteria will be used.
| Severity level | Impact: High | Impact: Medium | Impact: Low |
|---|---|---|---|
| Likelihood: High | Critical | Medium | Low |
| Likelihood: Medium | High | Medium | Low |
| Likelihood: Low | Medium | Low | N/A |
All reports must be valid on SP1's latest release commit, which can be found here.
Source: SP1
| Name | Folder |
|---|---|
| sp1-core-executor | github.com/succinctlabs/sp1/tree/dev/crates/core/executor |
| sp1-core-machine | github.com/succinctlabs/sp1/tree/dev/crates/core/machine |
| sp1-recursion | github.com/succinctlabs/sp1/tree/dev/crates/recursion |
| sp1-stark | github.com/succinctlabs/sp1/tree/dev/crates/stark |
| sp1-zkvm | github.com/succinctlabs/sp1/tree/dev/crates/zkvm/entrypoint |
| sp1-lib | github.com/succinctlabs/sp1/tree/dev/crates/zkvm/lib |
Bug reports covering previously-discovered bugs are not eligible for a reward within this program. This includes known "issues" that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. Every issue opened in the repo, closed PRs, previous contests and audits are out of scope.
See our security related documentation for more details.
Bug reports must be valid within SP1's security model and program safety requirements. In summary, security issues that arise from user program itself rather than from SP1 are out of scope. All proof of concepts of issues must be done on user programs that are safe, which are then compiled with the correct toolchain. More details are in the our documentation linked above. We note that the documentation may be subject to change.
Any previously reported vulnerabilities mentioned in past audit reports are not eligible for a reward. Also, any vulnerabilities mentioned in the security advisories are not eligible.
Previous audits can be found in this link, and security advisories are in this link.
An example of out-of-scope issues are as follows:
- Informational findings.
- Documentation errors.
- Issues in example or demo applications.
- Issues that take an infeasible amount of computation to exploit.
- Security issues that arise from vulnerable user programs.
All valid reports must have valid proof of concept included.
Do not disclose submitted bug reports without a clear consent from Succinct.
Current and former employees and contractors of Succinct are ineligible for bounties.