This bounty is no longer available
Web3 DAO | filecoin-project Logo

FVM Milestone 1 Bug Bounty Program




almost 2 years ago



4910 USD



The Filecoin Virtual Machine is a new and exciting addition to the Filecoin protocol to support user-programmability and EVM-compatibility.

The FVM will be added to the live Filecoin network in several milestones.

Bug Bounties are now live for FVM Milestone 1 until the end of May.

As part of Milestone 1, the Filecoin network will be transitioning to exclusive use of the FVM. All client implementations will switch from current legacy VMs to the new Wasm-based reference FVM.

This will also include a new gas model. Only built-in actors in Rust (actors are smart contracts in Filecoin) will be supported for Milestone 1, with user-programmable actors on the horizon for a later Milestone 2 release in September (estimated).

Milestone 1 is scheduled for deployment to Filecoin mainnet in May 2022 as part of Filecoin network upgrade v16 Skyr.


Rewards for FVM bug bounties are the same as in the regular bug bounty program for the Filecoin project.

Reported security vulnerabilities will be eligible for a Bug Bounty based on Severity, calculated based on its Impact and Likelihood using the OWASP Risk Rating model.

| Severity | Points | |---|---| | Critical | up to 100,000 | | High | up to 50,000 | | Medium | up to 15,000 | | Low | up to 2,500 | | Note | up to 500 |

Where currently 1 point = 1 USD (payable in USD, DAI or FIL).

Higher rewards will also be paid to reported vulnerabilities that offer quality written descriptions, test code, scripts and detailed instructions, and well-documented fixes.

Evaluation of the significance of the vulnerability and specific bounty amount assigned is at the sole discretion of the Filecoin Security Team, which consists of core developers and contributors.



  • Reference implementation of the Filecoin VM (specs).
  • Written in Rust and intended to be integrated via FFI into non-Rust Filecoin clients like Lotus.

Lotus - Ref FVM integration

  • Integration of the Ref FVM into Lotus via FFI. Written in Go.
  • (The PR listed is merely an entrypoint into the codebase, but the scope is not limited to it. Please review what's on master and other pending PRs.)

Lotus - Filecoin FFI

  • The FFI glue code.
  • Written in Go and Rust.
  • (As above, the PR linked is merely an entrypoint, but the scope is not limited to them.)

Builtin Actors

  • Written in Rust, WASM-compiled built-in actors (i.e., smart contracts) used by all Filecoin clients.
  • An actors spec and test vectors are available for reference.
  • An executable spec in Go is available at spec-actors — these actors power the live network pre-FVM.
  • (Note that auditing actors normally requires Filecoin domain expertise).

Exclusions to Scope including Known Issues are listed here on Github and will be regularly updated.

Submit a Report

To report vulnerabilities, please contact to be eligible for bounties.

You can use the confidential reporting guidelines listed here.


Rules of the regular Filecoin Security Program apply, including what’s Out of Scope.

Bugs in Filecoin client implementations (Lotus, Venus, Forest, Fuhon) and the Filecoin Proofs libraries fall under the regular Filecoin Security Program scope and rewards.

Stay tuned for FVM bug bounties for Milestone 2 this Summer!