Skip to main content

Overview

Security is a top priority for the Firedancer project. This page describes the security program, including how to report vulnerabilities, the bug bounty program, and information about security audits.

Bug Bounty Program

Security-relevant bugs in Firedancer v0.1 may be eligible for rewards through our Immunefi bug bounty program.

Scope

The bug bounty program covers Firedancer v0.1, which has undergone rigorous security testing and auditing. This includes:
  • Frankendancer validator implementation
  • Core networking stack
  • Block production components
  • Consensus-critical code in scope

How to Submit

Security-relevant bugs in Firedancer v0.1 should be submitted to our Immunefi bug bounty program.
1

Review the scope

Check the Immunefi program page to ensure your finding is in scope.
2

Prepare your report

Document the vulnerability with:
  • Clear description of the issue
  • Steps to reproduce
  • Potential impact
  • Proof of concept (if applicable)
3

Submit to Immunefi

Submit your report through the Immunefi platform.
4

Await review

The Firedancer security team will review your submission and respond according to the program terms.
Under the terms and conditions of the bug bounty program, you may be eligible for a reward. Review the program details on Immunefi for specific reward amounts and eligibility criteria.

Out of Scope Code

Code outside the scope of the bug bounty program is still in development and has yet to go through more rigorous security testing and auditing.
If you find a bug outside the bug bounty program’s scope, submit it as a GitHub issue.
For out-of-scope code:
  • Full Firedancer implementation (non-Frankendancer components)
  • Experimental features
  • Code marked as in-development
These findings should be reported through the standard GitHub issue process rather than through the bug bounty program.

Reporting Vulnerabilities

In-Scope Vulnerabilities (v0.1)

For security issues in Firedancer v0.1:
  1. Submit through Immunefi: Use the official bug bounty program
  2. Do not disclose publicly: Avoid creating public GitHub issues for security vulnerabilities
  3. Provide details: Include reproduction steps, impact assessment, and any proof of concept

Out-of-Scope Vulnerabilities

For security issues in code outside the bug bounty scope:
  1. Create a GitHub issue: Submit to Firedancer issues
  2. Use appropriate labels: Tag with security-related labels if available
  3. Provide context: Explain the issue, affected code, and potential impact

What to Include

When reporting any security issue, include:
  • Description: Clear explanation of the vulnerability
  • Location: File paths and line numbers of affected code
  • Severity: Your assessment of the impact
  • Reproduction Steps: Detailed steps to reproduce the issue
  • Environment: OS, compiler version, and configuration details
  • Proof of Concept: Code, commands, or scripts demonstrating the issue
  • Suggested Fix: If you have ideas for remediation (optional)

Security Best Practices

For Contributors

All contributors should follow security best practices when writing code for Firedancer.

Fuzzing Requirements

  • Most code should be covered by fuzz tests
  • Use graceful error handling instead of aborting
  • Provide test APIs for mocking state in security-sensitive code

Test Vectors

Firedancer runs extensive test vectors in CI that test conformance with Agave down to the same error code. Test vector inputs are sourced from:
  • Vectors generated by past fuzzing campaigns
  • Hand-written/manually generated unit tests
  • Fixed mismatches, added as regression tests

Secure Coding Guidelines

1

Input validation

Always validate external inputs before processing. Never trust data from the network or user input.
2

Error handling

Use proper error handling. Avoid crashes in fuzz tests; use graceful error returns instead.
3

Memory safety

Be careful with memory management. Use Firedancer’s memory allocation APIs and avoid common pitfalls like buffer overflows.
4

Seccomp compliance

Be mindful of syscalls. Firedancer uses strict seccomp sandboxing that will crash if unexpected syscalls are triggered.
5

Complex function exits

Properly manage resource cleanup. Use do/while scopes or cleanup attributes to ensure resources are released.

Sandbox Architecture

Firedancer uses a highly restrictive sandbox architecture on Linux platforms using seccomp.
During initialization:
  • A seccomp profile is installed to each tile
  • Only allowed syscalls can be executed
  • Unexpected syscalls will crash Firedancer
When contributing:
  • Be aware of which syscalls glibc uses under the hood
  • Syscalls used can differ between glibc versions
  • Test your code with seccomp enabled
  • Document any new syscall requirements

Third Party Security Audits

The Firedancer project engages third-party security firms to conduct independent security audits.

Published Audits

As third-party audits are completed and issues are sufficiently addressed, we make those audit reports public.
View published audit reports: Firedancer v0.1 Audit Reports

Audit Process

The security audit process includes:
  1. Engagement: Third-party firms are engaged to audit specific components
  2. Review: Auditors conduct comprehensive security reviews
  3. Remediation: Issues found are addressed by the Firedancer team
  4. Publication: Once remediation is complete, audit reports are published

Audit Contest

Leading up to the mainnet launch of Firedancer v0.1, an audit contest was held on Immunefi.

Contest Details

  • Platform: Immunefi Audit Contest
  • Duration: July 10, 2024 to August 21, 2024
  • Focus: Comprehensive security review before mainnet launch
The audit contest has concluded. Current security findings should be submitted through the ongoing bug bounty program.

Security Features

Sandboxing

Firedancer’s architecture allows it to run with:
  • Highly restrictive sandbox
  • Almost no system calls during operation
  • Strict seccomp profiles per tile

Independent Implementation

Firedancer is written from scratch, bringing client diversity to Solana and helping it stay resilient to supply chain attacks.
Security benefits of independent implementation:
  • No shared vulnerabilities with other clients
  • Different attack surface
  • Resilience to dependency vulnerabilities
  • Protection against supply chain attacks in build tooling

Continuous Testing

Firedancer employs extensive testing:
  • Fuzz testing coverage for most code
  • Test vectors verifying consensus compatibility
  • Continuous integration testing
  • Conformance testing against Agave

Responsible Disclosure

Our Commitment

The Firedancer team is committed to:
  • Responding promptly to security reports
  • Working with researchers to validate and fix issues
  • Providing credit to researchers who report issues responsibly
  • Maintaining transparency through public audit reports

Researcher Guidelines

Please follow responsible disclosure practices when reporting security issues.
We ask that security researchers:
  • Report vulnerabilities through proper channels (Immunefi or GitHub)
  • Allow reasonable time for fixes before public disclosure
  • Do not exploit vulnerabilities beyond proof of concept
  • Do not access or modify data without permission
  • Comply with the bug bounty program terms and conditions

Contact

For security-related questions or concerns:

Resources

Build docs developers (and LLMs) love

Get started for freeTalk to us