Aragon Network Bug Bounty

The Aragon Association is excited to announce the opening of a public bug bounty for the Aragon Network, with up to $50,000 per reward and a total of $250,000 available to security researchers.

After more than ten months of dedicated efforts towards design exploration and software engineering, Aragon Court, one of the core pieces of the Aragon Network, is in its final preparatory stages ahead of a launch onto Ethereum mainnet.

The Aragon One team is completing the remaining go-ahead checks of stress testing the protocol's correctness on simulated scenarios with the Rinkeby testnet deployment.

With the completion of the independent security audit led by Georgios Konstantopoulos (published here), we are happy to announce the opening of a public bug bounty for the Aragon Network, primarily focused on the upcoming release of Aragon Court.

The specific details of the bug bounty, as well as the procedure for responsibly disclosing any errors, can be found on the following pages:

The bug bounty covers all non-testing related smart contract code, as well as deployment logic, on the following repos and tags:

To reiterate the information available in the official bug bounty resources, we are explicitly aware of and cautious with the following classes of vulnerabilities or bugs:

  • Locking or freezing any of the Aragon Network contracts,
  • Manipulating the decision process of the dispute resolution protocol, or
  • Stealing tokens or manipulating the token generation process.

All responsibly disclosed reports should be sent to security@aragon.org and will be graded using the CVSS3 classification system. The maximum reward for a single report is $50,000 and would include critical bugs like a broken liveness condition or irreversible loss of funds.

If you are familiar with the ongoing bug bounty program for the smart contracts backing the Aragon client, you may recognize that most of the details, down to the amounts and classification system, are exactly the same or very similar. This new bug bounty runs in parallel with the older one, so there is now a total of $500,000 available in bounty programs that cover over 13,000 lines of smart contract code.

In addition, Autark has opened a bug bounty for the Open Enterprise suite of apps.

We invite you to participate. Happy bug bashing! We can't promise you'll be able to find any issues, though 😘