Augur Bug Bounty

Bug & Vulnerability Disclosures

Public disclosure of various known bugs and issues.

Vulnerability Reports:

02.11.19 - Augur UI

8 Outcome Categorical Markets Broken During Disputing. 8 outcome categorical markets hide the last outcome in place of invalid during a dispute, showing 8 total outcomes when it should be 9 (including invalid). This issue...

12.12.18 - Augur Contracts

Indisputable Reporting via Arbitrarily Large Initial Reports. The initial reporter stake is determined by the REP balance of the specific InitialReporter contract at the time of initial report. This can be arbitrarily...

08.11.18 - Augur Contracts

Incorrect Reporting Fee Calculation. The reporting fee in Augur is calculated and adjusted by comparing the OI within the platform to a target OI which is based on the price of REP. The goal of this is to dynamically adjust...

08.04.18 - Augur UI

Augur UI data can be completely replaced by an attacker, which can lead to fund and reputation loss. A third party site can include a hidden iframe which can override the "augur-node" configuration variable of a running Augur...

07.31.18 - Augur UI

Full UI hijack via dormant browser service workers. The attack described in this document consists of abusing all modern browsers' service worker security policy coupled with Augur's architectural design of running the UI in...

07.20.18 - Augur Contracts

Orderbook Linked List Ordering Bugs. The structure and logic for the on-chain orderbook is spread throughout multiple contracts and is somewhat complex. While generally working correctly, there are a few known contract logic...

07.19.18 - Augur Website

Subdomain takeover on slack.augur.net pointing to GitHub Pages. The slack.augur.net record wasn't removed from the DNS after the migration to Discord (invite.augur.net) and was pointing to a non-existent page on GitHub Pages, so a subdomain takeover...

07.05.18 - Augur Contracts

A miner can manipulate the gas reporting bond. The ETH bond provided during market creation could be manipulated by a malicious miner to become so high that it would be prohibitively expensive for normal market creation. Since this...

What scoring system is used?

The Forecast Foundation utilizes the Common Vulnerability Scoring System (CVSS), an industry standard calculator used to determine the severity of a bug. The CVSS provides a common language around the severity of bugs. Read more about CVSS here.

How do I submit a report?

Ideally, you submit bugs and reports via the Augur HackerOne project, where a prompt and timely response is assured. If you believe you have discovered a severe or critical vulnerability where time is ticking, please reach out to any Foundation member in the Augur Discord for an immediate response.