Introduction
Hi everyone! My name is Xin Xing and I am the Senior Finance Manager of Astar Network. Here at Astar Network, ensuring the safety and security of our ecosystem is our top priority. While our talented team of developers works tirelessly, we recognize the importance of additional measures to safeguard against vulnerabilities.
To bolster our defenses, we have worked closely with Immunefi to collaborate with white hat hackers in identifying and addressing potential vulnerabilities within our ecosystem. This proactive approach enhances our ability to maintain a secure environment for all users.
In line with this initiative, we are proposing a refund of 353,950 USD worth of ASTR from the Astar Treasury to the Foundation. These funds were spent to compensate the skilled white hat hackers who helped strengthen our security.
Context
In the dynamic and rapidly evolving landscape of blockchain technology, security risks are omnipresent. From smart contract vulnerabilities to the threat of 51% attacks, the complexity of these risks underscores the importance of not only understanding but also actively mitigating them. It is imperative that we remain vigilant in safeguarding the integrity and resilience of our platform against potential threats.
Bug bounty programs emerge as a pivotal and proactive strategy against potential security breaches. By offering incentives to ethical hackers and security researchers, we harness the expertise of a global community to uncover and remediate vulnerabilities before they can be exploited by malicious actors. These programs serve as a crucial early-warning system, enabling us to identify, detect, and address potential weaknesses in our security infrastructure, thereby bolstering the overall resilience of the Astar Network ecosystem.
In essence, bug bounty programs are not merely a reactive measure but rather a proactive and collaborative effort to defend ourselves against potential threats. They demonstrate our commitment to continuous improvement in the realm of cybersecurity. Through these initiatives, we can ensure that the Astar Network remains a trusted and resilient platform.
Immunefi
Immunefi is a renowned security platform that facilitates bug bounty programs for blockchain projects. It connects projects like ours with a global community of security researchers, allowing us to proactively identify and address vulnerabilities. Through Immunefi, we can leverage the expertise of white hat hackers to bolster our platform’s security.
Astar Security
At Astar Network, security is paramount. We employ a comprehensive approach that encompasses continuous monitoring, rigorous testing, proactive risk mitigation strategies, and regular audits. Our bug bounty program stands as a vital element within this framework, incentivizing the discovery of vulnerabilities while promoting responsible disclosure practices.
Proposal
We propose to refund USD 353,950 worth of ASTR from the Astar Treasury to the Foundation to cover the costs associated with our bug bounty program. Additionally, for transparency and accountability, we provide below a list of the bug bounties paid since 2022, detailing the rewards paid by the Foundation. This ensures visibility into how community funds are allocated and reinforces our commitment to security.
Bug bounties paid since 2022:
6 June 2022
- Report No : 7555
- Severity : Low / Web
- Amount : 1,000 USDC paid to white hat, 100 USDC to Immunefi
- Vulnerability : Migrate Astar Portal to Firebase Hosting - Astar domains clickjacking vulnerability
6 June 2022
- Report No : 7557
- Severity : Low / Web
- Amount : 1,000 USDC paid to white hat, 100 USDC to Immunefi
- Vulnerability : Broken link hijacking to Potential RCE due to Repository confusion
6 June 2022
- Report No : 7578
- Severity : Low / Web
- Amount : 1,000 USDC paid to white hat, 100 USDC to Immunefi
- Vulnerability : Misconfigured Firebase leads to unauthenticated users creating / modifying dApps and stealing users’ funds
13 June 2022
- Report No : 7553
- Severity : Medium / Web
- Amount : 2,500 USDC paid to white hat, 250 USDC to Immunefi
- Vulnerability : Cross-Site Scripting in dApps project description
27 June 2022
- Report No : 8233
- Severity : Critical / Blockchain
- Amount : 250,000 USDC paid to white hat, 25,000 USDC to Immunefi
- Vulnerability : Integer Truncation in EVM Transfer
- Article : Moonbeam, Astar, And Acala Library Truncation Bugfix Review — $1m Payout | by Immunefi | Immunefi | Medium
12 February 2023
- Report No : 16884
- Severity : Low / Web
- Amount : 300 USDC paid to white hat
- Vulnerability : Metrics leak sensitive information (substrate_tasks)
13 February 2023
- Report No : 16047
- Severity : Critical / Web
- Amount : 15,000 USDC paid to white hat, 1,500 USDC to Immunefi
- Vulnerability : Astar RPC API node crash vulnerability
21 September 2023
- Report No : 23701
- Severity : Low / Web
- Amount : 1,000 USDC paid to white hat, 100 USDC to Immunefi
- Vulnerability : Reflected XSS vulnerability
10 September 2023
- Report No : 25444
- Severity : Critical / Blockchain
- Amount : 50,000 USD worth of ASTR to white hat, 5,000 worth of ASTR to Immunefi
- Vulnerability : Truncate the amount to a uint128
- Article : Astar Network Integer Truncation Error Bugfix Review | by Immunefi Editor | Immunefi | Jan, 2024 | Medium
Conclusion
In conclusion, by refunding the allocated funds for our bug bounty program and providing transparency regarding bug bounty expenditures, we demonstrate our dedication to maintaining a secure and resilient Astar Network. Your support for this proposal is vital as we collectively strive to safeguard our platform and uphold the trust of our community.
Thank you for your attention and consideration.
Sincerely,
Xin Xing Phua
Senior Finance Manager
Astar Network