Aleph Zero Audit Competition- rewards up to $80K in USDT

HatsFinance
6 min readJan 17, 2024

Starting Jan 18th, 2024, at 15:00 GMT to Jan 29th, 2024, at 15:00 GMT

We invite all white hat hackers to join the hunt on Aleph Zero audit competition

All experience levels are welcome; whether you are a seasoned security veteran or an amateur, show us what you got! Prizes will be given based on the severity level of each vulnerability found.

About the Competition

Starting Jan 18th, a new vault will open in the Hats dApp — “Aleph Zero”.
Participants can check the contracts in scope and start searching for bugs.

Aleph Zero is a public blockchain offering advanced privacy in smart contracts, thanks to its AlephBFT consensus protocol. Ideal for enterprises, DeFi, and gaming, Aleph Zero supports scalable and secure Web3 apps, balancing privacy with transparency.

Aleph zero contracts in scope for this competition are written in Ink! Language.
The main focus of the competition will be Common, an AMM on Aleph Zero’s L1 with LOC estimation of ~2500.

Stay up-to-date with the competition, chat with the team, and get your questions answered by joining the dedicated Discord channel on the Hats server.
All audit reports will be published in our Discord on the day of the competition.
Don’t miss the latest updates and insights — join now and be the first to know!

Audit competition rewards

  • Deposited Amount: The deposited ~$100K in USDT, making the available prize pool ~$80K in USDT.
  • Service Fee: All rewards mentioned in this article and on the Hats dApp UI have already deducted a 20% Hats service fee.
  • Severities: Minor, Low, Medium, High.

Reward Calculation Explained

For our audit competition, the entire prize pool is up for grabs across all severity levels. Each level has a maximum reward cap and a designated point value, which are both used to calculate the rewards.

Maximum Reward Caps per Submission:

  • Minor Severities: 1,000 USDT
  • Low Severity: 3,000 USDT
  • Medium Severity: 10,000 USDT
  • High Severity: 25,000 USDT

Points Allocation per Severity:

  • Minor: 1 point
  • Low: 3 points
  • Medium: 10 points
  • High: 25 points

Points are consistently awarded within the same severity level unless the committee decides to adjust this. For instance, both the first and second low-severity findings will earn 3 points each. This standard applies to medium and high severities as well.

Calculating the Winner’s Reward:

The formula for a winner’s reward is as follows:

Winner’s Reward= Prize pool / Total points awarded*Winner’s points

​However, the reward for each finding cannot exceed the maximum cap for its severity level.

Examples for Clarity:

Example #1:

  • 1st Low Severity: 3 points
  • 2nd Low Severity: 3 points
  • 1st Medium Severity: 10 points
  • 1st High Severity: 25 points
  • 2nd High Severity: 25 points

In this scenario:

  • Reward for 1 Low Severity Finding = 25,000 USDT/66 Total points * 3 Points = 1,136.36 USDT
  • Reward for 1 High Severity Finding = 25,000 USDT/66 Total points * 25 Points = 9,469.69 USDT
  • Value of 1 Point = 378.78 USDT

Example #2:

  • 5 Low Severity Findings: 15 points total

Here:

  • Reward for 1 Low Severity Finding = 25,000 USDT/15 Total points*3 Points=5,000 USDT
  • However, since the cap for a Low Severity finding is 3,000 USDT, the reward per Low Severity finding is adjusted to 3,000 USDT.

Severities

High Severity

The total prize pool for High severities is set at ~$80K in USDT.
However, there is a max reward cap of $25k for a single high submission.

Each new issue gets 25 points. The total High-severity reward will be calculated as described in the rewards calculation above.

High-severity vulnerability description:

For a submission to be considered a HIGH-risk vulnerability, issues must:

  • Direct theft of any user funds, whether at rest or in motion
  • Long-term freezing of user funds
  • Theft or long-term freezing of unclaimed yield or other assets
  • Protocol insolvency

Medium Severity

The total prize pool for Medium severities is set at ~$80K in USDT.
However, there is a max reward cap of $10k for a single medium submission.

Each new issue gets 10 points. The total Medium-severity reward will be calculated as described in the rewards calculation above.

Medium severity vulnerability description:

Issues that lead to an economic loss but do not lead to direct loss of on-chain assets. Examples are:

  • Attacks that make essential functionality of the contracts temporarily unusable or inaccessible
  • Short-term freezing of user funds

Low severity

The total prize pool for Low severities is set at ~$80K in USDT.
However, there is a max reward cap of $3k for a single low submission.

Each new issue gets 3 points. The total Low-severity reward will be calculated as described in the rewards calculation above.

Low severity vulnerability description:

  • Gas Griefing Attacks (make users overpay for gas). Gas griefing attacks that require non-standard PSP22 token implementations to work are out of scope.

Minor severity

The total prize pool for Low severities is set at ~$80K in USDT.
However, there is a max reward cap of $1k for a single low submission.

Each new issue gets 1 point. The total Minor-severity reward will be calculated as described in the rewards calculation above.

Minor severity vulnerability description:

  • Issues where the behavior of the contracts differs from the intended behavior (as described in the docs and by common sense), but no funds are at risk.

Limitations

Reporters will not receive a bounty for any known issue, such as:

  • Issues mentioned in any previous audit reports
  • Vulnerabilities that were already made public (either by HATs or by a third party)
  • “Centralization risks” that are known and/or explicitly coded into the protocol (e.g. an administrator can upgrade crucial contracts and steal all funds)
  • Attacks that require access to leaked private keys or trusted addresses
  • Issues/contracts mentioned in the out-of-scope section

Submission Guidelines — High/Medium/Low/Minor severities:

General Information:

  • The Hats team will create a new repository called “Aleph Zero audit competition” under the Hats.finance organization on GitHub. The repository will be kept private until the competition starts. Hats bot will fork it on the first submission. To participate, security researchers must submit their findings on-chain, and an automatic GitHub issue will be generated in the forked repository.
  • How it Works: Video Explanation

SUBMISSION GUIDELINES:

  • Submissions should be made using our Dapp.
  • You can submit one on-chain submission mentioning all issues found on the repo.
  • All new submissions will be created on Hats forked repo on Hats: Hats GitHub

Report Format:

  • Please send a plain ASCII description in the following format:
  • [TITLE]: A short description of the issue.
  • SEVERITY: Either High, Medium, or Low (as per the rules).
  • Submission should contain at least one test demonstrating the problem and, if possible, a possible fix.

Report Template:

  • Description: Describe the context and the effect of the vulnerability.
  • Attack scenario: Describe how the vulnerability can be exploited.
  • Attachment:
  • Proof of Concept (PoC) File: Provide a file containing a proof of concept (PoC) that demonstrates the vulnerability.
  • Revised Code File (Optional): If possible, provide a second file containing the revised code that offers a potential fix for the vulnerability. This file should include:
  • Comment with a clear explanation of the proposed fix.
  • The revised code with suggested changes.
  • Add any additional comments or explanations clarifying how the fix addresses the vulnerability.
  • Recommendation: Describe a patch or potential fix for the vulnerability.

***Due to the nature of the audit competition mechanism, the report will not be encrypted.***

Evaluation:

  • The first participant to submit an issue following guidelines gets a bounty for that issue (issues already received or out of scope will not receive a reward).
  • The competition starts on Jan 18th at 15:00 GMT and ends on Jan 29th at 15:00 GMT.
  • Issues that we are aware of (as witnessed by any open issues in the repository) will not be eligible for the bug bounty.

Compensation and Impact

A prize pool of ~$80K In USDT and NFT rewards from our hacker collection will be distributed among security researchers who submit eligible vulnerability disclosures.

Compensation payment timeline:

  • Ten days after the competition ends, we will announce a winner list.
  • Alongside the winner announcement post, submitters can send disputes to the committee team and request clarification. They can also involve the Hats security team in the process. The goal is to facilitate honest and professional debate regarding disputed submissions.
  • Between 7–14 days after the announcement, we will publish a split contract where the winners can claim their rewards.
  • HATS Service Fee: A 20% deduction from the payout will always be allocated as the service fee.

Security researchers play a crucial role in fostering trust and confidence in Web3 technologies, paving the way for mass adoption. By participating in this competition, security researchers can gain recognition for their work, raise their profile, and make valuable connections in the Web3 security ecosystem. Ultimately, they can contribute to creating a more secure and equitable community.

Join Aleph Zero’s Audit Competition today and participate in the movement to secure the future of Web3 and decentralized finance. Check the Hats Finance dApp for more information and in-scope contracts.

Stay tuned and check Hats dApp:https://app.hats.finance/audit-competitions

--

--

HatsFinance

Hats.Finance a decentralized smart bug bounty marketplace. Permissionless, scalable, and open bug bounty protocol that allows anyone to provide liquidity.