[Temperature Check] Strategic Partnership Aura <> Blockwarden for Bug Bounty Program

Author: Blockwarden

Website: Blockwarden.io
X: Blockwarden_io

Hi Team Aura!

We were recommended by James to get in touch with the DAO here so we would like to put forward our proposal!

I. Summary:

Aura Finance has a paramount responsibility to ensure the robustness and security of its systems. To fortify Aura Finance’s cybersecurity posture even further, we propose the deployment of Aura Finance’s Bug Bounty Program on Blockwarden. This would also expand the reach of the BBP to a broader community of white-hat hackers (Wardens) without incurring additional costs.

II. Facts & Figures:

  1. Approximately 25% of all smart contracts are susceptible to potential security breaches.
  2. 52% increase in DEX trading market share since November ‘22; reliant on autonomous smart contracts.
  3. There exist more than 20 attack vectors that pose potential risks to smart contracts.

III. Background:

  1. Philosophy: At the core of our principles lies the belief that “Trust is paramount in Web3.” To establish and uphold this trust, Web3 projects must prioritise the security of their code. Bug bounty programs not only fortify smart contracts but also foster a spirit of community and transparency as essential components of this commitment to trust.

  2. Cost-Effective Security Testing: Deploying your bug bounty program additionally on Blockwarden enables the Aura team to access a diverse pool of top security researchers and developers without incurring any fees, making it a cost-effective way to identify and remediate potential threats on new deployments. By doing so, Aura Finance also eliminates the necessity for a dedicated internal security team, offering greater flexibility in budget allocation.

  3. Time Efficiency: Blockwarden can help further optimise the bug reporting process, expediting the identification and resolution of vulnerabilities while filtering out low-quality submissions. This efficiency is crucial in mitigating potential threats especially from malicious actors and black-hats.

IV. Specification:

  1. Documentation: The Aura team communicates the parameters of the program and reward structures. These details can be replicated from the existing bug bounty program documentation.

  2. Deployment: The bug bounty program operates on the Blockwarden website, where vulnerability reports are submitted by wardens. There are no platform or maintenance fees on Blockwarden.

  3. Deliberation: Blockwarden filters out low-quality submissions, including those generated by AI, spam, out-of-scope, and duplicates. The curated submissions are then presented to the Aura team through the agreed-upon portal.

  4. Decision: Adhering to the agreed-upon SLAs, Aura has the discretion to either accept the reported vulnerability and proceed with rewarding the warden or decline the vulnerability report. If accepted, the warden is paid and Blockwarden will take a 10% commission fee from within the bounty.

V. Conclusion:

In conclusion, additionally deploying the Aura Finance Bug Bounty Program on Blockwarden offers a strategic advantage by tapping into a wide pool of talent, ensuring cost-effective security testing, and fostering a proactive security culture.


Hello! Thanks for your message!

Just some clarifications: Aura has no team, only contributors, and it is governed by AuraDAO.
Can you explain better which actions are required from the DAO?


Of course.

The AuraDAO already has a bug bounty program in place and so we’re essentially looking to redeploy the bounty on our marketplace. This is a free process and would involve copying over the current bounty program details.

What is required from the AuraDAO in order to make this a seamless process is:

  • An agreed-upon portal to deliver our high-quality vulnerability submissions
  • An agreed-upon private channel for the discussion of submitted reports (triage)
  • An agreed-upon payment method for Wardens who submit successful reports
  • A group signature on the onboarding contract (to be voted on by AuraDAO) in order to ensure SLAs and terms will be respected. (We understand this may be difficult, so we’re open to discussion/alternative methods.)

Please let me know if you would like further clarification on any of these points.

Hi Aura,

Bumping this to hopefully gain a reply/insight into the current feelings around this.

We’re looking to keep the aspect of decentralisation alive with the reposting of this bounty.

Since the details can be found here: Aura Finance Bug Bounties | Immunefi, it would just be a matter of copying over this bounty.

We’re currently building a “Nexus” in which wardens can gather intel, complete bug- and task-based bounties, and interact with other wardens. To do this, we would like many high-quality bounties to help attract the top talent and provide projects with high-quality submissions, almost like an infinite loop.

If this all makes sense, we would love to feature the Aura bounty on our platform. Looking forward to any feedback, cheers!