Augur v2 Bug Bounty Program

UPDATED: The Augur bug bounty program has been expanded to include bounties for vulnerabilities in the market creation templates. The scope of these bounties is as follows:

The Augur market creation templates are designed to give market creators a rigid rubric for creating popular types of markets in popular categories, so as to reduce the chance of a market resolving as ‘invalid’. Bounties will be paid for errors or oversights in the template construction that allow mistakes or exploits which can cause the market to resolve as ‘invalid’. Bounties will be paid in the amount of $100 (in REP) per vulnerability surfaced.

Example: a market creator can enter multiple names in a market whose template specifies:
"Will [Single Person's Name] host the [Year] [Event]?"
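The class of template bug described above is an input-validation gap: a slot meant for one person accepts text naming several. Below is an added example (not Augur's code, and not how the Augur templates are implemented) of a fail-closed template filler in JavaScript. The slot names are taken from the template quoted above; the per-slot rules and the rejection of conjunctions and list separators are assumptions made for illustration.

```javascript
// Added example, not Augur's code: fail-closed filling of a market template.
// Every slot must have a rule, and a slot meant for a single person rejects
// text that names more than one (conjunctions, commas, semicolons, slashes, "&").

const TEMPLATE = "Will [Single Person's Name] host the [Year] [Event]?";

// Matches "and"/"or" as whole words, or any list separator.
const MULTI_SUBJECT = /\b(and|or)\b|[&,;\/]/i;

// Assumed slot rules: a predicate over the supplied text plus a reason string.
const SLOT_RULES = {
  "Single Person's Name": {
    check: (v) =>
      /^[\p{L}][\p{L}\p{M}.'\- ]{1,80}$/u.test(v.trim()) && !MULTI_SUBJECT.test(v),
    reason: "must name exactly one person",
  },
  "Year": {
    check: (v) => /^\d{4}$/.test(v.trim()),
    reason: "must be a four-digit year",
  },
  "Event": {
    check: (v) =>
      /^[\p{L}\p{N} .'\-]{2,80}$/u.test(v.trim()) && !MULTI_SUBJECT.test(v),
    reason: "must name a single event",
  },
};

// Returns the slot names found in a template, e.g. ["Single Person's Name", ...].
function extractSlots(template) {
  return [...template.matchAll(/\[([^\]]+)\]/g)].map((m) => m[1]);
}

// Fills the template from `values` (slot name -> text). Returns
// { ok: true, question } or { ok: false, errors } with one error per bad slot.
function fillTemplate(template, values) {
  const errors = [];
  let question = template;
  for (const slot of extractSlots(template)) {
    const rule = SLOT_RULES[slot];
    const value = values[slot];
    if (!rule) {
      // Fail closed: a slot without a rule cannot be filled at all.
      errors.push(`${slot}: no validation rule defined`);
      continue;
    }
    if (typeof value !== "string" || !rule.check(value)) {
      errors.push(`${slot}: ${rule.reason}`);
      continue;
    }
    // split/join replaces every occurrence of the slot, not just the first.
    question = question.split(`[${slot}]`).join(value.trim());
  }
  return errors.length ? { ok: false, errors } : { ok: true, question };
}

// Stand-alone demonstration with constructed inputs.
if (typeof require !== "undefined" && require.main === module) {
  console.log(fillTemplate(TEMPLATE, {
    "Single Person's Name": "Jimmy Kimmel", Year: "2020", Event: "Academy Awards",
  }));
  console.log(fillTemplate(TEMPLATE, {
    "Single Person's Name": "Jimmy Kimmel and Steve Martin", Year: "2020", Event: "Academy Awards",
  }));
}
```

The point of the fail-closed branch is that a template with a slot nobody wrote a rule for is rejected rather than silently accepting free text, which is the condition the bounty text is asking researchers to find.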

Findings must be submitted via the Augur HackerOne Bug Bounty program. See the HackerOne page for additional details and restrictions.

The Forecast Foundation is excited to announce the launch of the public Augur v2 bug bounty program. Security is the number one priority in the Augur contracts, and now we're seeking help from the community in finding bugs and vulnerabilities prior to deployment.

Critical: $30,000 USD
High: $5,000 USD
Medium: $2,500 USD
Low: $1,000 USD

Both the Augur core Solidity contracts and the Augur SDK are now within scope of the Augur bug bounty program. The most critical and high-severity classes of bugs and vulnerabilities we're interested in are:

Loss of Funds:

A loss of funds bug includes any vulnerability where a user can siphon assets from other users or the platform in an unintended way. If, for example, a user were able to take DAI, REP, or shares in a market that they were not entitled to, this would be a loss of funds bug. Also included in this would be any bug allowing someone to lock up funds in such a way that they are irrecoverable.

Manipulation of Open Interest:

Augur's contracts keep a record of the current Open Interest (OI) escrowed within the platform for trading. This value is used to determine the fee which is taken from traders and paid to reporters on a weekly basis. If someone can find a way to arbitrarily manipulate this value they could render the platform unusable by increasing fees to an absurd amount (33%) or keeping them incorrectly low (0.01%). OI should only be “manipulatable” through the purchase and sale of complete sets, with the correct amount of corresponding ETH escrowed in markets.
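The invariant in the paragraph above is that OI equals the cash escrowed through complete sets, and that the fee derived from OI stays between the two bounds named (33% and 0.01%). The following JavaScript is an added example, not Augur's contract code: a simplified OI ledger that only moves OI through complete-set purchases and sales, an invariant check a monitor could run against an event stream, and a fee-divisor update. The fee-divisor bounds 3 (33.3%) and 10000 (0.01%) follow from the percentages in the text; the proportional adjustment rule and the 5x REP market cap target are assumptions made for illustration, not Augur's exact formula.

```javascript
// Added example, not Augur's code. Integer amounts use BigInt to mirror
// on-chain arithmetic. Divisor bounds are derived from the 33% / 0.01%
// figures in the text; the adjustment rule and target multiplier are assumed.

const MIN_FEE_DIVISOR = 3n;       // fee = 1/3  = 33.3%, the upper fee bound
const MAX_FEE_DIVISOR = 10000n;   // fee = 1/10000 = 0.01%, the lower fee bound
const TARGET_REP_CAP_MULTIPLIER = 5n; // assumed: target REP market cap = 5 x OI

class OpenInterestLedger {
  constructor() {
    this.totalOI = 0n;           // platform-wide open interest
    this.escrowed = new Map();   // marketId -> cash escrowed in that market
    this.log = [];               // the only operations allowed to move OI
  }

  // Buying `quantity` complete sets escrows numTicks * quantity cash.
  // The escrow must match exactly; anything else is rejected.
  buyCompleteSets(marketId, numTicks, quantity, cashSent) {
    const required = numTicks * quantity;
    if (cashSent !== required) {
      throw new Error(`escrow mismatch: sent ${cashSent}, required ${required}`);
    }
    this.escrowed.set(marketId, (this.escrowed.get(marketId) || 0n) + required);
    this.totalOI += required;
    this.log.push({ op: "buy", marketId, delta: required });
  }

  // Selling complete sets releases the corresponding escrow and lowers OI.
  sellCompleteSets(marketId, numTicks, quantity) {
    const released = numTicks * quantity;
    const held = this.escrowed.get(marketId) || 0n;
    if (released > held) throw new Error("cannot release more than escrowed");
    this.escrowed.set(marketId, held - released);
    this.totalOI -= released;
    this.log.push({ op: "sell", marketId, delta: -released });
  }

  // The invariant from the bounty text: OI equals cash escrowed across all
  // markets. A monitor can evaluate this after every block; a mismatch means
  // OI moved through some path other than complete-set purchase or sale.
  checkInvariant() {
    let sum = 0n;
    for (const v of this.escrowed.values()) sum += v;
    return sum === this.totalOI;
  }
}

// Assumed adjustment: scale the previous divisor by how far the REP market cap
// sits from its target (a multiple of OI), then clamp to the two bounds.
function nextFeeDivisor(previousDivisor, repMarketCap, totalOI) {
  if (totalOI === 0n) return previousDivisor;
  const target = totalOI * TARGET_REP_CAP_MULTIPLIER;
  let next = (previousDivisor * repMarketCap) / target;
  if (next < MIN_FEE_DIVISOR) next = MIN_FEE_DIVISOR;   // inflated OI -> 33% fee
  if (next > MAX_FEE_DIVISOR) next = MAX_FEE_DIVISOR;   // deflated OI -> 0.01% fee
  return next;
}

// Fee as a percentage with three decimals, for display.
function feePercent(divisor) {
  return Number((100n * 1000n) / divisor) / 1000;
}

// Stand-alone walk-through with constructed amounts.
if (typeof require !== "undefined" && require.main === module) {
  const ledger = new OpenInterestLedger();
  ledger.buyCompleteSets("market-1", 100n, 1000n, 100000n);
  console.log("OI", ledger.totalOI, "invariant", ledger.checkInvariant());
  console.log("fee % at balance", feePercent(nextFeeDivisor(100n, 500000n, ledger.totalOI)));
  console.log("fee % if OI were inflated 1000x", feePercent(nextFeeDivisor(100n, 500000n, 100000000n)));
  console.log("fee % if OI were driven to 1", feePercent(nextFeeDivisor(100n, 500000n, 1n)));
}
```

Run with Node (v10 or later for BigInt). The two tail cases show why the paragraph cares about both directions: an OI value far above the escrowed cash pins the fee at the 33% bound, and one far below pins it at 0.01%, while `checkInvariant()` is the signal that OI changed outside the complete-set path.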

Forking State:

One of the key features Augur provides is the ability to fork the platform into multiple universes, each corresponding to an outcome in a market that proved too contentious for the ordinary dispute mechanics. When this happens the system enters a special state called “forking” and new child universes are spawned that should behave normally. Because this behavior is complicated and difficult to create and reason through completely, it is worth investigating specifically to see whether any broken state arises, or could be caused, during forking.

We encourage all hackers, attackers, security researchers and engineers to check out the program and assist in hardening the security of Augur leading up to deployment. Questions, comments, and discussion surrounding the program are welcome in the #bounties channel of the Augur Discord.

Happy hacking!