From November 28th to February 10th, Aragon Courtroom’s contracts have been deployed to Ethereum mainnet for safety researchers to evaluate earlier than they have been activated and open to customers.

In that point, two bugs have been reported by famend safety researcher samczsun, which have been mounted on February ninth, together with unrelated UX enhancements.

In late February, a 3rd bug was found by Bingen, a core contributor to Aragon Courtroom from Aragon One, which was mounted on March 16th.

The bugs didn’t have an effect on any customers.

For full particulars of the findings and upgrades, please learn the total write-up beneath.

As builders, everyone knows there is no silver bullet for designing complicated programs or writing completely safe code. That mentioned, we put plenty of effort into designing the protocol, constructed an exhaustive take a look at suite, and acquired a radical safety audit. However it doesn’t matter what, we all know the presence of bugs is all the time a chance. That is why we designed the protocol to deal with upgrades and ready a contingency plan within the occasion we wanted to repair points or modify the protocol to group wants.

Aragon Courtroom’s protocol was applied following a module-based structure the place every module is answerable for a selected a part of the protocol. The glue between all these modules is what we referred to as the Controller. This structure permits us to have the flexibleness to plug, unplug, or swap these modules simply. The AN DAO at present governs these selections, initially shaped by a gaggle of members trusted by the group on AGP-126, which is able to later be transitioned to a sovereign DAO managed by ANT holders.

Aragon Court V1 Upgrades Disclosures
Aragon Courtroom structure diagram

Through the onboarding interval, we stored doing inside critiques, with the collaboration of exterior safety researchers, leading to a day-1 improve proposal to the group.

Jurors Registry

Probably the most essential fixes was a bug within the JurorsRegistry module of Aragon Courtroom, discovered by samczsun. Sam responsibly disclosed this bug by the AN bug bounty program and helped us in the course of the evaluate course of to ensure these points have been mounted appropriately. It was a pleasure working with him! He’s the primary bug bounty hunter to assert a reward from our bug bounty program.

The principle drawback was associated to the complicated information construction Aragon Courtroom maintains to make sure it could actually effectively draft jurors beneath the block gasoline restrict. Mainly, we hold two information buildings with jurors’ info that have to be up to date concurrently to mirror the identical state. There have been two edge circumstances through which this situation was not met:

  1. When a juror requests an ANJ deactivation, they’ve to attend one time period earlier than they will withdraw their ANJ from Aragon Courtroom. It’s because they might nonetheless be chosen for a dispute in the identical time period they requested the deactivation. If this occurs, the deactivation steadiness requested is decreased to make sure the juror has sufficient lively ANJ to take part within the dispute. The issue was that we weren’t reflecting this in each information buildings, however solely in certainly one of them (see L634-L651). This enabled two doable exploit paths based mostly on whether or not the juror was on the profitable or the shedding aspect of the dispute. Within the case of a profitable juror, it might have resulted in shedding some ANJ as a result of their steadiness was not up to date appropriately on the time of choice. In case of a shedding juror, the dispute itself could possibly be blocked from being settled if the juror did not have sufficient ANJ left in Aragon Courtroom to be penalized as a result of the saved steadiness was reflecting an quantity decrease than the juror’s precise steadiness.
  2. The second situation was particular to a dispute lasting till the ultimate spherical, the place all lively jurors can turn into concerned. We have been updating the info buildings in a different way relying on whether or not the juror had a deactivation request or not (see L377-L387). This may have been an issue in case a juror would have requested an ANJ deactivation whereas voting within the last spherical. It might have brought about the identical conditions defined within the earlier situation, relying on whether or not the juror was on the profitable or shedding aspect of the dispute.

Despite the fact that the chance of prevalence was low, the affect might have been appreciable.

We resolved this situation earlier than anybody might exploit it as a part of the day 1 migration. A brand new model of the JurorsRegistry was deployed with the repair and we submitted a vote to the AN DAO to carry out the swap. For the reason that previous Registry already held tokens and details about jurors from the ANJ pre-activation part (“Part 1”), the migration concerned greater than a easy module swap. We ended up delaying the start of Aragon Courtroom’s first time period to make sure we had sufficient time emigrate all of the balances of the previous occasion to the brand new one, as soon as the pre-activation part ended.

Dispute Supervisor

One other essential situation was found by Bingen, a member of Aragon One and one of many foremost contributors to Aragon Courtroom. This situation was associated to how the proof submission interval was dealt with within the DisputeManager module. Particularly, it resulted in a doable benefit to 1 aspect of the dispute when drafting jurors.

To summarize, disputes observe a lifecycle. Early on in a dispute’s life, the protocol offers a window of time for the concerned events to submit any related proof for jurors to judge later. In circumstances the place all events are executed submitting proof, Aragon Courtroom permits the final submitter to shut the submission course of early and proceed to the following part.

The issue was that in these circumstances, the protocol would use the present time period’s randomness worth—an already recognized worth—to draft the preliminary jurors (see L233). This may have allowed the social gathering that closed the submission course of to see what the draft end result could be, and, if it wasn’t favorable, look ahead to the following time period. Though it might have been doable to do that for under a restricted variety of phrases (at present 7), it nonetheless wasn’t the specified habits.

The repair was easy: when closing the submission interval early, we modified the draft time period to be the following time period (sooner or later) to make sure its randomness was not recognized beforehand. Much like what we did for the earlier bug, we submitted a vote to the AN DAO to carry out the module swap. This time, we did not have to do every other motion to finish the migration.

ANJ activation wrapper

One other situation identified by samczsun was associated to the sensible contract we constructed to simplify and reduce the variety of transactions essential for an account to turn into an lively juror by acquiring and activating ANJ into Aragon Courtroom. The difficulty was that any account with an present ANT approval to the wrapper contract might have their accepted quantity activated by every other account (see L78).

Luckily, the repair was easy, and we solely wanted to deploy a brand new occasion of the wrapper contract which customers can choose into and doesn’t require approval from the AN DAO. We discovered no accounts with remaining approval balances for the previous wrapper contracts.

UX enhancements

We seized the truth that we needed to improve a few of these modules and carried out just a few different modifications to enhance the general consumer expertise of Aragon Courtroom’s dashboard:

  • Improved some occasions emitted by the DisputeManager and JurorsRegistry modules (#244)
  • Allowed jurors to obtain lively ANJ from third events (#245)
  • Allowed jurors to delegate their revealing course of to 3rd events (#246)
  • Improved occasions associated to jury rewards, emitted by the DisputeManager module (#257)


I wish to ship an enormous because of samczsun for his professionalism in disclosing the problems described above and for being responsive in the course of the decision part. Additionally, to the entire Aragon One growth group, particularly to Jorge, Brett, and Bingen for serving to a lot all through the method.

Be part of the mission

We welcome everybody to take part in our bug bounty program. If you’re a hacker, we’ve a $250ok rewards pool with tiers as much as $50ok per bug.

If in case you have any questions or wish to contribute to the mission, come and say hiya! You may attain out to us on our chat and our discussion board.


Learn the unique article right here