Argent Bug Bounty

The integrity of our smart contracts is our highest priority. Our bug bounty program for them has rewards of up to $50,000 (paid in Dai).

Here’s how the bounty works…

What do we want you to investigate?

The following smart contracts on our master branch:

  • Managed.sol
  • Owned.sol
  • CompoundRegistry.sol
  • ArgentENSManager.sol
  • ArgentENSResolver.sol
  • TokenPriceProvider.sol
  • BaseModule.sol
  • LimitManager.sol
  • OnlyOwnerModule.sol
  • RelayerModule.sol
  • ApprovedTransfer.sol
  • CompoundManager.sol
  • GuardianManager.sol
  • LockManager.sol
  • MakerManager.sol
  • NftTransfer.sol
  • RecoveryManager.sol
  • TokenExchanger.sol
  • TokenTransfer.sol
  • UniswapManager.sol
  • Storage.sol
  • GuardianStorage.sol
  • TransferStorage.sol
  • GuardianUtils.sol
  • BaseWallet.sol
  • Proxy.sol
  • WalletFactory.sol
  • MultiSigWallet.sol

The Argent website or the Argent infrastructure in general is NOT part of this bug bounty program.

What vulnerabilities should you look for?

We of course want to know every vulnerability, but in particular:

  • Risk of funds being stolen
  • Risk of funds being frozen or lost
  • Risk of security operations (lock, recovery, guardians) being maliciously triggered or prevented

Anything already covered by our audits is NOT in scope.

Overview of how Argent works

The rules

We follow many of the bug bounty rules that the Ethereum Foundation does:

  • Decisions on the eligibility and size of a reward are the sole discretion of Argent.

  • Public disclosure of a vulnerability makes it ineligible for a bounty. Instead, issues must be submitted to bounty@argent.xyz.

  • Issues must be new to the team. They can’t have already been identified by another user or by an audit.

  • No employees, contractors or others with current or prior commercial relationships with Argent are eligible for rewards. This includes auditors used by Argent.

  • Provide the steps required to demonstrate an issue. If we cannot reproduce an issue we will not be able to reward it.

Bounty size

The size of the bounty will vary depending on the severity of the issue discovered. The severity is calculated according to the OWASP risk rating model based on Impact and Likelihood.

Decisions on the eligibility and size of a reward are guided by the rules above, but are, in the end, determined at the sole discretion of Argent.

  • Critical: up to $50,000
  • High: up to $25,000
  • Medium: up to $10,000
  • Low: up to $2,000

Other considerations

In addition to severity, other variables are also considered when Argent evaluates the eligibility and size of a bounty, including (but not limited to):

  • Quality of description.
    Higher rewards are paid for clear, well-written submissions.

  • Quality of reproducibility.
    Please include test code, scripts and detailed instructions. The easier it is for us to reproduce and verify the vulnerability, the higher the reward.

  • Quality of fix, if included.
    Higher rewards are paid for submissions with a clear description of how to fix the issue.

Please also

  • Give us time to investigate anything you report before sharing it publicly or with others

  • (And hopefully this goes without saying) don’t exploit an issue if you find one

  • Try wherever possible to avoid privacy violations, destruction of data, and interruption or degradation of our service

Submission process

Please email bounty@argent.xyz