Astar Bug Bounty Program With Immunefi
Astar's bug bounty program with Immunefi, Web3’s leading bug bounty platform, which already protects $100 billion in user funds, invites blockchain developers and whitehat hackers to identify critical vulnerabilities for a payout of up to $1 million.
On Astar we regain control over our data, identity, and personal funds. Today the ecosystem is protected by the robust smart contracts and community they build. The future demands continual innovation in order to maintain this level of security. This is achieved by asking the brightest minds of Web3 to not only read our code, but find flaws and break it!
With just shy of 300M USD in TVL, Astar Network has become the 2nd largest blockchain on Polkadot. Safeguarding our community’s funds is of utmost importance to us. Our partnership with Immunefi provides an additional layer of security, so that we can focus on achieving our vision of building a secure, scalable, and interoperable blockchain.
Rewards by Threat Level
Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.1. This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.
All web/app bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. High and Critical Blockchain bug reports require a PoC and a suggestion for a fix to be eligible for a reward. Medium and Low Blockchain bug reports require a suggestion for a fix to be eligible for a reward. Explanations and statements are not accepted as a PoC; code is required.
Critical vulnerabilities involving a direct loss of user funds, double spending, or the minting of tokens are capped at 10% of the economic damage, taking primarily into consideration the funds at risk or the amount of tokens that can be minted but also branding and PR considerations, at the discretion of the team. However, there is a minimum reward of USD 50 000. Consensus manipulation or governance compromise results in the full USD 1 000 000.
A reward can only be provided if:
- The bug wasn’t reported before.
- You did not disclose the bug to other parties or to the public before it was fixed by the Astar dev team.
- You didn’t exploit the vulnerability or allow anyone else to profit from it.
- You report a bug without any additional conditions or threats.
- The investigation was NOT conducted with Ineligible methods or Prohibited Activities, as defined in the document.
- You reply to any additional questions regarding the reproduction of the reported bug (if they follow) within a reasonable time (up to 24 hours for Critical and up to 48 hours for other levels of vulnerability).
- When duplicate bug reports occur, only the first one is rewarded, provided it includes enough information for reproduction.
- When multiple vulnerabilities are caused by one underlying issue, only the first report is rewarded.
- The vulnerability is found in the runtime pallet of Astar (tests, and modules that aren’t in the runtime, e.g. live, are not considered vulnerabilities).
Information regarding the bug bounty program can be found here:
About Astar Network
Astar is the Smart Contract Hub for WASM + EVM on Polkadot. Since winning its Parachain auction in January 2022, it has become the top Parachain in the Polkadot ecosystem in TVL and the one with the most Ethereum assets transferred over. It is the leading smart contract hub that connects the Polkadot ecosystem to Ethereum and all major layer 1 blockchains. Astar also supports dApps using multiple virtual machines, namely WASM and EVM, and offers the best technology solutions and financial incentives via its Build2Earn and Astar Incubation Program for Web3 developers to build on top of a secure, scalable, and interoperable blockchain.