Aleph Zero Bridge Audit Competition- rewards up to $32K in USDT
Starting March 19th, 2024, at 15:00 GMT to April 2nd, 2024, at 15:00 GMT
We invite all white-hat hackers to join the hunt for Aleph Zero’s second competition, the Aleph Zero Bridge.
All experience levels are welcome; whether you are a seasoned security veteran or an amateur, show us what you got! Prizes will be given based on the severity level of each vulnerability found.
About the Competition
Starting March 19th, a new vault will open in the Hats dApp — “Most: Aleph Zero Bridge”.
Participants can check the contracts in scope and start searching for bugs.
Aleph Zero is a public blockchain offering advanced privacy in smart contracts, thanks to its AlephBFT consensus protocol. Ideal for enterprises, DeFi, and gaming, Aleph Zero supports scalable and secure Web3 apps, balancing privacy with transparency.
The contracts in scope for this competition are written partly in Ink!, and partly in Solidity. The total LOC estimation is ~1900.
To reduce gas costs the competition will run on Arbitrum One.
Please make sure you have some ETH on Arbitrum One to participate in the competition.
We also note that a follow-up competition will be hosted shortly, which will include the “relayer” code, written in rust, that interacts with the contracts being audited.
Stay up-to-date with the competition, chat with the team, and get your questions answered by joining the dedicated Discord channel on the Hats server.
All audit reports will be published in our Discord on the day of the competition.
Don’t miss the latest updates and insights — join now and be the first to know!
Audit competition rewards
- Deposited Amount: The deposited ~$40K in USDT, making the available prize pool ~$32K in USDT.
- Service Fee: All rewards mentioned in this article and on the Hats dApp UI have already deducted a 20% Hats service fee.
- Severities: Minor, Low, Medium, High, Critical.
Reward Calculation Explained
The entire prize pool for this audit competition is up for grabs across all severity levels. Each level has a maximum reward cap and a designated point value, which are both used to calculate the rewards.
Maximum Reward Caps per Submission:
- Minor Severities: 1,000 USDT
- Low Severity: 2,000 USDT
- Medium Severity: 4,000 USDT
- High Severity: 8,000 USDT
- Critical Severity: 16,000 USDT
Points Allocation per Severity:
- Minor: 1 point
- Low: 2 points
- Medium: 4 points
- High: 8 points
- Critical: 16 points
Points are consistently awarded within the same severity level unless the committee decides to adjust this. For instance, both the first and second low-severity findings will earn 2 points each. This standard applies to all severities.
Calculating the Winner’s Reward:
The formula for a winner’s reward is as follows:
Winner’s Reward= Prize pool / Total points awarded*Winner’s points
However, the reward for each finding cannot exceed the maximum cap for its severity level.
Examples for Clarity:
Example #1:
- 1st Low Severity: 2 points
- 2nd Low Severity: 2 points
- 1st Medium Severity: 4 points
- 1st High Severity: 8 points
- 2nd High Severity: 8 points
- 3rd High Severity: 8 points
In this scenario:
- Reward for 1 Low Severity Finding = 32,000 USDT/32 Total points * 2 Points = 2000 USDT
- Reward for 1 High Severity Finding = 32,000 USDT/32 Total points * 8 Points = 8000 USDT
- Value of 1 Point = 1000 USDT
Example #2:
- 5 Low Severity Findings: 10 points total
Here:
- Reward for 1 Low Severity Finding = 32,000 USDT/10 Total points*2 Points=6,400 USDT
- However, since the cap for a Low Severity finding is 2,000 USDT, the reward per Low Severity finding is adjusted to 2,000 USDT.
Severities
Critical Severity
For the “critical” category only attacks that don’t require access to accounts with special rights (owner, or committee members) are in scope.
Moreover, we only consider an attack as critical if it involves significant fund loss (concrete numbers below) under realistic assumptions: the protocol holds a TVL of the order of 100M USD and allows bridging popular, trusted ERC20 tokens, such as USDT, USDC, wETH etc.
- Access to governance actions from non-owner account
- Unauthorized unlocking (on Ethereum) of tokens or minting (on Aleph Zero) of bridged tokens, resulting in a significant drop of bridge TVL (>5k USD value) and, thus, noticeable protocol loss.
- Permanent freezing of user funds (>5k USD value), not recoverable via governance.
High Severity
- All impacts listed in “critical”, but possibly requiring at least one dishonest committee member.
- Theft or permanent (not recoverable by governance) freezing of funds assuming at least one token contract among whitelisted ones (on the Ethereum side) is dishonest, and the stolen/frozen funds are from another contract.
- Theft of committee rewards (on the Aleph Zero contract) by non-committee accounts.
Medium Severity
- Impacts listed under “critical” but with no restrictions on the size of TLV drop.
- Temporary freeze of user funds, or making the bridge unable to function, but recoverable via governance.
- Theft of committee rewards (on the Aleph Zero contract) by committee accounts.
Low severity
- Griefing attacks
- Theft of gas
Minor severity
- Attacks not mentioned in higher categories, but having a negative impact on user experience, or putting one of the contracts in an unexpected state.
Not in scope:
- Attacks that are naturally possible when the security assumptions of multi-sig are not met:
- If there are >=t dishonest committee members, they can collude and do everything they want, including stealing all the funds,
- If there are >N-t dishonest committee members, they can collude and stop the protocol from making progress, including freezing the funds permanently.
- Attacks that require control over the gas-price oracle on Aleph Zero, or that require assuming the gas price oracle is providing incorrect information because of timing or rapid gas price changes on Ethereum.
- Gas optimization.
- Attacks assuming consensus failure on either of chains (revert of finalized blocks)
- Design choices such as committee rotation not being 2-step.
- Loss/freezing of funds caused by user error: for example sending tokens to addresses that cannot receive funds/user has no access for.
- Attacks that require special conditions: malicious tokens, mistakes in governance actions, unless specifically allowed in impact categories.
- Centralization risks.
- Block stuffing, unless the impact is more than temporary.
- Gas theft/unbounded gas consumption by a malicious whitelisted token.
- Issues occurring when dealing with tokens (on Ethereum) whose balances do not fit in u128.
Submission Guidelines — Critical/High/Medium/Low/Minor severities:
General Information:
- The Hats team will create a new repository called “Aleph Zero audit competition” under the Hats.finance organization on GitHub. The repository will be kept private until the competition starts. Hats bot will fork it on the first submission. To participate, security researchers must submit their findings on-chain, and an automatic GitHub issue will be generated in the forked repository.
- How it Works: Video Explanation
SUBMISSION GUIDELINES:
- Submissions should be made using our Dapp.
- You can submit one on-chain submission mentioning all issues found on the repo.
- All new submissions will be created on Hats forked repo on Hats: Hats GitHub
Report Format:
- Please send a plain ASCII description in the following format:
- [TITLE]: A short description of the issue.
- SEVERITY: Either Critical, High, Medium, Low, or Minor (as per the rules).
- Submission should contain at least one test demonstrating the problem and, if possible, a possible fix.
Report Template:
- Description: Describe the context and the effect of the vulnerability.
- Attack scenario: Describe how the vulnerability can be exploited.
Attachment:
- Proof of Concept (PoC) File: Provide a file containing a proof of concept (PoC) that demonstrates the vulnerability.
- Revised Code File (Optional): If possible, provide a second file containing the revised code that offers a potential fix for the vulnerability. This file should include:
- Comment with a clear explanation of the proposed fix.
- The revised code with suggested changes.
- Add any additional comments or explanations clarifying how the fix addresses the vulnerability.
- Recommendation: Describe a patch or potential fix for the vulnerability.
***Due to the nature of the audit competition mechanism, the report will not be encrypted.***
Evaluation:
- The first participant to submit an issue following guidelines gets a bounty for that issue (issues already received or out of scope will not receive a reward).
- The competition starts on March 19th at 15:00 GMT and ends on April 2nd at 15:00 GMT.
- Issues that we are aware of (as witnessed by any open issues in the repository) will not be eligible for the bug bounty.
Compensation and Impact
A prize pool of ~$32K In USDT and NFT rewards from our hacker collection will be distributed among security researchers who submit eligible vulnerability disclosures.
Compensation payment timeline:
- Ten days after the competition ends, we will announce a winner list.
- Alongside the winner announcement post, submitters can send disputes to the committee team and request clarification. They can also involve the Hats security team in the process. The goal is to facilitate honest and professional debate regarding disputed submissions.
- Between 7–14 days after the announcement, we will publish a split contract where the winners can claim their rewards.
- HATS Service Fee: A 20% deduction from the payout will always be allocated as the service fee.
Security researchers play a crucial role in fostering trust and confidence in Web3 technologies, paving the way for mass adoption. By participating in this competition, security researchers can gain recognition for their work, raise their profile, and make valuable connections in the Web3 security ecosystem. Ultimately, they can contribute to creating a more secure and equitable community.
Join Aleph Zero’s Audit Competition today and participate in the movement to secure the future of Web3 and decentralized finance. Check the Hats Finance dApp for more information and in-scope contracts.
Stay tuned and check Hats dApp:https://app.hats.finance/audit-competitions