Argent Starknet Account bug bounty

The logic behind your wallet should be open source, as there shouldn't be anything to hide. Open source smart contracts allow everyone to inspect them and improve their security. Our Starknet smart contracts are 100% open source, so anyone can review our code and help make it more secure. That's why Argent is the safest wallet for Starknet.

To encourage constant security reviews, we run a bug bounty program, with rewards commensurate to the seriousness of any issue found. Currently Starknet is in Alpha. Our bug bounty reward size will grow once the ecosystem moves to production.

Here's how the bounty works…

What we want you to investigate

Our two main Cairo smart contracts:

and their dependencies.

All other files in https://github.com/argentlabs/argent-contracts-starknet/blob/main/ are not part of the bug bounty program.

What vulnerabilities to look for

We of course want to know every vulnerability, but in particular:

  • Risk of funds being stolen
  • Risk of funds being frozen or lost
  • Risk of security operations (guardian and escape) being maliciously triggered or prevented

Anything already covered by our audits is NOT in scope.

Overview of how Argent works

Contract specifications

The rules

We follow many of the bug bounty rules that the Ethereum Foundation does:

  • Decisions on the eligibility and size of a reward are the sole discretion of Argent.
  • Any disclosure of a vulnerability to the public or other third parties (such as the media) before Argent makes it public will disqualify the bounty. Issues must be privately submitted to bounty@argent.xyz.
  • Issues must be new to the team. They can’t have already been identified by another user or by an audit.
  • No employees, contractors or others with current or prior commercial relationships with Argent are eligible for rewards. This includes auditors used by Argent.
  • Provide the steps required to demonstrate an issue. If we cannot reproduce an issue we will not be able to reward it.

Bounty size

The size of the bounty will vary depending on the severity of the issue discovered. The severity is calculated according to the OWASP risk rating model based on Impact and Likelihood.

Decisions on the eligibility and size of a reward are guided by the rules above, but are, in the end, determined at the sole discretion of Argent.

  • Critical: up to $25,000
  • High: up to $10,000
  • Medium: up to $5,000
  • Low: up to $1,000

Other considerations

In addition to severity, other variables are also considered when Argent evaluates the eligibility and size of a bounty, including (but not limited to):

  • Quality of description. Higher rewards are paid for clear, well-written submissions.
  • Quality of reproducibility. Please include test code, scripts and detailed instructions. The easier it is for us to reproduce and verify the vulnerability, the higher the reward.
  • Quality of fix, if included. Higher rewards are paid for submissions with clear description of how to fix the issue.

Please also

  • Remember that you cannot share your report publicly or with others before Argent makes it public.
  • (And hopefully this goes without saying) don’t exploit an issue if you find one.
  • Try wherever possible to avoid privacy violations, destruction of data, and interruption or degradation of our service.

Submission process

Please email bounty@argent.xyz
