Security Proposal: Refund Request for Astar Bug Bounty Program with Immunefi

Introduction

Hi everyone! My name is Xin Xing and I am the Senior Finance Manager of Astar Network. Here at Astar Network, ensuring the safety and security of our ecosystem is our top priority. While our talented team of developers works tirelessly, we recognize the importance of additional measures to safeguard against vulnerabilities.

To bolster our defenses, we have worked closely with Immunefi to collaborate with white hat hackers in identifying and addressing potential vulnerabilities within our ecosystem. This proactive approach enhances our ability to maintain a secure environment for all users.

In line with this initiative, we are reaching out to propose a refund of 353,950 USD worth of ASTR from the Astar Treasury to the Foundation. These funds were allocated to compensate for the efforts of these skilled white hat hackers in bolstering our security measures.

Context

In the dynamic and rapidly evolving landscape of blockchain technology, security risks are omnipresent. From smart contract vulnerabilities to the threat of 51% attacks, the complexity of these risks underscores the importance of not only understanding but also actively mitigating them. It is imperative that we remain vigilant in safeguarding the integrity and resilience of our platform against potential threats.

Bug bounty programs emerge as a pivotal and proactive strategy against potential security breaches. By offering incentives to ethical hackers and security researchers, we harness the expertise of a global community to uncover and remediate vulnerabilities before they can be exploited by malicious actors. These programs serve as a crucial early-warning system, enabling us to identify, detect, and address potential weaknesses in our security infrastructure, thereby bolstering the overall resilience of the Astar Network ecosystem.

In essence, bug bounty programs are not merely a reactive measure but rather a proactive and collaborative effort to defend ourselves against potential threats. They demonstrate our commitment to continuous improvement in the realm of cybersecurity. Through these initiatives, we can ensure that the Astar Network remains a trusted and resilient platform.

Immunefi

Immunefi is a renowned security platform that facilitates bug bounty programs for blockchain projects. It connects projects like ours with a global community of security researchers, allowing us to proactively identify and address vulnerabilities. Through Immunefi, we can leverage the expertise of white hat hackers to bolster our platform’s security.

Astar Security

At Astar Network, security is paramount. We employ a comprehensive approach that encompasses continuous monitoring, rigorous testing, proactive risk mitigation strategies, and regular audits. Our bug bounty program stands as a vital element within this framework, incentivizing the discovery of vulnerabilities while promoting responsible disclosure practices.

Proposal

We propose to refund USD 353,950 worth of ASTR from the Astar Treasury to the Foundation to cover the costs associated with our bug bounty program. Additionally, for transparency and accountability, we will provide a list of bug bounties concerned since 2022, detailing the rewards paid by the Foundation. This ensures visibility into how community funds are allocated and reinforces our commitment to security.

Bug bounties concerned since 2022:

6 June 2022

  • Report No : 7555
  • Severity : Low / Web
  • Amount : 1,000 USDC paid to white hat, 100 USDC to Immunefi
  • Vulnerability : Migrate Astar Portal to Firebase Hosting - Astar domains clickjacking vulnerability

6 June 2022

  • Report No : 7557
  • Severity : Low / Web
  • Amount : 1,000 USDC paid to white hat, 100 USDC to Immunefi
  • Vulnerability : Broken link hijacking to Potential RCE due to Repository confusion

6 June 2022

  • Report No : 7578
  • Severity : Low / Web
  • Amount : 1,000 USDC paid to white hat, 100 USDC to Immunefi
  • Vulnerability : Misconfigured Firebase leads to unauthenticated users creating / modifying dApps and stealing users’ funds

13 June 2022

  • Report No : 7553
  • Severity : Medium / Web
  • Amount : 2,500 USDC paid to white hat, 250 USDC to Immunefi
  • Vulnerability : Cross-Site Scripting in dApps project description

27 June 2022

12 February 2023

  • Report No : 16884
  • Severity : Low / Web
  • Amount : 300 USDC paid to white hat
  • Vulnerability : Metrics leak sensitive information (substrate_tasks)

13 February 2023

  • Report No : 16047
  • Severity : Critical / Web
  • Amount : 15,000 USDC paid to white hat, 1,500 USDC to Immunefi
  • Vulnerability : Astar RPC API node crash vulnerability

21 September 2023

  • Report No : 23701
  • Severity : Low / Web
  • Amount : 1,000 USDC paid to white hat, 100 USDC to Immunefi
  • Vulnerability : Reflected XSS vulnerability

10 September 2023

Conclusion

In conclusion, by refunding the allocated funds for our bug bounty program and providing transparency regarding bug bounty expenditures, we demonstrate our dedication to maintaining a secure and resilient Astar Network. Your support for this proposal is vital as we collectively strive to safeguard our platform and uphold the trust of our community.

Thank you for your attention and consideration.

Sincerely,

Xin Xing Phua

Senior Finance Manager

Astar Network

Thanks for sharing this overview with the community Xin!

I really wasn’t aware of the relationship Astar has had with Immunefi. I think it’s great that it has come to this!

I support the proposal for the simple fact that Astar is always proactive in keeping its users and applications secure. We need more such initiatives in the ecosystem; hopefully other projects will implement them too.

I reiterate my support for the proposal!

Prevention is better than cure. Every serious protocol should have a bug bounty program. I would fully support this program even if it was much higher. Safety is really very important!

Thanks for sharing the details.
Bug bounties are very important for open source protocols and are an effective way to squash vulnerabilities.

I agree with the refund and encourage us to continue it.

I think at the end of the day, good things cost time and effort.

For the stability of the ecosystem, I’d say it only seems like a good thing, especially if the cost paid out is a big saving and a preventative measure against what could potentially happen from not implementing these methods.

I think it is a good decision and support this.

I am certainly in favor. Ensuring secure functionality is a critical element that requires constant verification. This responsibility should not only fall to the team but also involve external white hat contributions, similar to what is done with Immunefi, to maximize security.

And thanks for sharing the found vulnerabilities. Would be great to share this information in the future as well (with an article like with the report no. 25444). :slight_smile:

That is a great idea!

Hello Xin,

Thank you for your support on various finance matters in the past.

I also believe that your proposal is very important. I am truly grateful for the way you demonstrate your stance and activities towards security, as well as the transparency of the funds.

Security is a compromise. We must spare no expense for a sustainable and safe environment. I thank the team for their contribution and goodwill and support the transfer.

Thanks Xin!

I believe that nothing is more important than network security for both investors and the network itself. I totally agree with the proposal and I think it is the best way to use the treasury. I will support @xxphua :saluting_face:

Thank you for sharing the update. I support the proposal, as I think it is important to have a secure application with the help of those white hats; that’s crucial for the ecosystem.

The most important things in blockchain are security and transparency. Thank you for that, sir.

Best Regards.


Refund USD 353,950 worth of ASTR from the Astar Treasury to the Foundation
  • Yes
  • No

Voted yes.
Thank you for the proposal. I think it’s a very important topic for Astar Network.

I wholeheartedly agree with this outstanding proposal and ‘Yes’ vote!

Agreed with this proposal!

My vote is yes. Great proposal :ok_hand:

I support the proposal!

Security is always the number one priority! I support this initiative.
