Aleph Zero: Bridge Relayer — Audit Competition- rewards up to $32K in USDT

HatsFinance
7 min read · Mar 26, 2024

From March 26th, 2024, at 15:00 GMT to April 9th, 2024, at 15:00 GMT

We invite all white-hat hackers to join the hunt in Aleph Zero’s third competition: the Relayer for Most (the bridge between Aleph Zero and Ethereum).

All experience levels are welcome; whether you are a seasoned security veteran or an amateur, show us what you’ve got! Prizes will be given based on the severity level of each vulnerability found.

About the Competition

Starting March 26th, a new vault will open in the Hats dApp — “Aleph Zero: Relayer”.
Participants can check the code in scope and start searching for bugs.

Aleph Zero is a public blockchain offering advanced privacy in smart contracts, thanks to its AlephBFT consensus protocol. Ideal for enterprises, DeFi, and gaming, Aleph Zero supports scalable and secure Web3 apps, balancing privacy with transparency.

The code in the scope of this audit is the Rust implementation of the relayer: the component, operated by each committee member, that signs cross-chain messages. Note that the bridge contracts are being audited in a separate competition, one that started a week earlier.

Stay up-to-date with the competition, chat with the team, and get your questions answered by joining the dedicated Discord channel on the Hats server.
All audit reports will be published in our Discord on the day of the competition.
Don’t miss the latest updates and insights — join now and be the first to know!

Audit competition rewards

  • Deposited Amount: ~$40K in USDT was deposited; after the service fee, the available prize pool is ~$32K in USDT.
  • Service Fee: All rewards mentioned in this article and on the Hats dApp UI have already deducted a 20% Hats service fee.
  • Severities: Minor, Low, Medium, High, Critical.

Reward Calculation Explained

The entire prize pool for this audit competition is up for grabs across all severity levels. Each level has a maximum reward cap and a designated point value, which are both used to calculate the rewards.

Maximum Reward Caps per Submission:

  • Minor Severity: 1,000 USDT
  • Low Severity: 2,000 USDT
  • Medium Severity: 4,000 USDT
  • High Severity: 8,000 USDT
  • Critical Severity: 16,000 USDT

Points Allocation per Severity:

  • Minor: 1 point
  • Low: 2 points
  • Medium: 4 points
  • High: 8 points
  • Critical: 16 points

Points are consistently awarded within the same severity level unless the committee decides to adjust this. For instance, both the first and second low-severity findings will earn 2 points each. This standard applies to all severities.

Calculating the Winner’s Reward:

The formula for a winner’s reward is as follows:

Winner’s Reward = (Prize pool / Total points awarded) × Winner’s points

However, the reward for any single finding cannot exceed the maximum cap for its severity level.

Examples for Clarity:

Example #1:

  • 1st Low Severity: 2 points
  • 2nd Low Severity: 2 points
  • 1st Medium Severity: 4 points
  • 1st High Severity: 8 points
  • 2nd High Severity: 8 points
  • 3rd High Severity: 8 points

In this scenario:

  • Reward for 1 Low Severity finding = 32,000 USDT / 32 total points × 2 points = 2,000 USDT
  • Reward for 1 High Severity finding = 32,000 USDT / 32 total points × 8 points = 8,000 USDT
  • Value of 1 point = 1,000 USDT

Example #2:

  • 5 Low Severity Findings: 10 points total

Here:

  • Reward for 1 Low Severity finding = 32,000 USDT / 10 total points × 2 points = 6,400 USDT
  • However, since the cap for a Low Severity finding is 2,000 USDT, the reward per Low Severity finding is adjusted down to 2,000 USDT.
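The payout rule above, implemented as a small Python script. This is an added example, not part of the original announcement and not Hats’ or Aleph Zero’s own tooling; it takes a list of accepted findings (one severity label per finding), computes the point value, applies the per-severity caps, and reproduces Example #1 and Example #2. It assumes one thing the page does not state: any amount withheld by a cap is simply not paid out, rather than redistributed to other findings.

```python
# Added example (not Hats' or Aleph Zero's code): applies the reward rule to a
# list of accepted findings and reproduces Example #1 and Example #2 above.

PRIZE_POOL_USDT = 32_000  # prize pool after the 20% Hats service fee, as stated on the page

# Points per finding and maximum reward per finding, by severity (values from the page).
POINTS = {"minor": 1, "low": 2, "medium": 4, "high": 8, "critical": 16}
CAPS_USDT = {"minor": 1_000, "low": 2_000, "medium": 4_000, "high": 8_000, "critical": 16_000}


def point_value(findings, pool=PRIZE_POOL_USDT):
    """USDT per point: the prize pool divided by the total points awarded."""
    total_points = sum(POINTS[sev] for sev in findings)
    if total_points == 0:
        raise ValueError("no accepted findings")
    return pool / total_points


def rewards(findings, pool=PRIZE_POOL_USDT):
    """Per-finding rewards in USDT, in input order.

    Each reward is point_value * points, truncated at the cap for its severity.
    Assumption (the page does not say): amounts withheld by caps are not redistributed.
    """
    value = point_value(findings, pool)
    return [min(value * POINTS[sev], CAPS_USDT[sev]) for sev in findings]


def summary(findings, pool=PRIZE_POOL_USDT):
    """Totals worth sanity-checking: amount paid, amount left over, findings hit by a cap."""
    value = point_value(findings, pool)
    paid = rewards(findings, pool)
    capped = sum(1 for sev in findings if value * POINTS[sev] > CAPS_USDT[sev])
    return {
        "point_value": value,
        "total_paid": sum(paid),
        "undistributed": pool - sum(paid),
        "capped_findings": capped,
    }


if __name__ == "__main__":
    example_1 = ["low", "low", "medium", "high", "high", "high"]  # 32 points in total
    example_2 = ["low"] * 5                                      # 10 points in total
    print(rewards(example_1), summary(example_1))
    print(rewards(example_2), summary(example_2))
```

In Example #1 no cap binds and the whole pool is paid out; in Example #2 every Low finding hits its 2,000 USDT cap, so only 10,000 USDT of the pool is paid under the literal rule.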

Severities

Submissions in all categories require a PoC (proof of concept) in the form of a working unit test or e2e test.

Critical Severity

For the “critical” severity, only attacks that don’t require access to accounts with special rights (owner or committee members) are in scope. Moreover, we only consider a vulnerability critical if it involves a significant loss of funds (concrete numbers below) under realistic assumptions: The protocol holds a TVL of the order of 100M USD and allows bridging popular, trusted ERC20 tokens, such as USDT, USDC, wETH, etc.

  • Unauthorized unlocking (on Ethereum) of tokens or minting (on Aleph Zero) of bridged tokens, resulting in a significant drop of bridge TVL (>5k USD value) and, thus, noticeable protocol loss.
  • Leaking relayer private key.

High Severity

  • All impacts listed under “critical”, but possibly requiring at least one dishonest committee member (i.e. one of the relayers).
  • Making any of the relayers sign a message not intended by the bridge protocol.
  • A relayer losing its private signing key due to a bug or vulnerability in the software.

Medium Severity

  • The bridge stops relaying messages, and restarting one or all of the relayers does not resolve the problem.

Low severity

  • Correct cross-chain transfers pending indefinitely (require manual intervention by operators), not caused by congestion or network instability.
  • Information leakage: forcing a relayer to leak any unintended information through any channel, such as the IP network or either chain.

Minor severity

  • Correct cross-chain transfers pending for a long time (longer than 1 hour), but eventually being executed, not caused by congestion or network instability.

Not in scope:

  • Attacks that are naturally possible when the security assumptions of a multisig (N committee members, signing threshold t) are not met:
      • If there are >= t dishonest committee members, they can collude and do anything they want, including stealing all the funds.
      • If there are > N-t dishonest committee members, they can collude and stop the protocol from making progress, including freezing the funds permanently.
  • Attacks that require heavy congestion on either network (full blocks, high gas prices).
  • Attacks caused by DDoS or other disruptions at the network layer, e.g. either of the two RPC endpoints being unstable.
  • Attacks assuming consensus failure on either of the chains (revert of finalized blocks).
  • Loss/freezing of funds caused by user error: For example sending tokens to addresses that cannot receive funds/user has no access to.
  • Attacks that require special conditions: malicious tokens, mistakes in governance actions, unless specifically allowed in impact categories.
  • Centralization risks.
  • Issues related to the following known bug in the aleph-client dependency https://github.com/Cardinal-Cryptography/aleph-node/blob/de042d623db1cb10c3c3629ff4386d7ce5b82be2/aleph-client/src/contract/event.rs#L197 — the `zero_prefixed` function is invalid, and could cause incorrect or failed decoding of long events. This is a bug in the dependency that will be fixed before the deployment.
  • The audit exclusively encompasses the written software, while the infrastructure, whether cloud-based or self-hosted, falls beyond the audit’s scope.

Submission Guidelines — Critical/High/Medium/Low/Minor severities:
General Information:

  • The Hats team will create a new repository called “Aleph Zero: Bridge Relayer audit competition” under the Hats.finance organization on GitHub. The repository will be kept private until the competition starts. Hats bot will fork it on the first submission. To participate, security researchers must submit their findings on-chain, and an automatic GitHub issue will be generated in the forked repository.
  • How it Works: Video Explanation

SUBMISSION GUIDELINES:

  • Submissions should be made using our Dapp.
  • You can submit one on-chain submission mentioning all issues found on the repo.
  • All new submissions will be created as issues in the Hats forked repository on GitHub: Hats GitHub

Report Format:

  • Please send a plain ASCII description in the following format:
  • [TITLE]: A short description of the issue.
  • SEVERITY: Either Critical, High, Medium, Low, or Minor (as per the rules).
  • The submission should contain at least one test demonstrating the problem and, where possible, a proposed fix.

Report Template:

  • Description: Describe the context and the effect of the vulnerability.
  • Attack scenario: Describe how the vulnerability can be exploited.

Attachment:

  • Proof of Concept (PoC) File: Provide a file containing a proof of concept (PoC) that demonstrates the vulnerability.
  • Revised Code File (Optional): If possible, provide a second file containing the revised code that offers a potential fix for the vulnerability. This file should include:
      • A comment with a clear explanation of the proposed fix.
      • The revised code with the suggested changes.
      • Any additional comments or explanations clarifying how the fix addresses the vulnerability.
  • Recommendation: Describe a patch or potential fix for the vulnerability.

***Due to the nature of the audit competition mechanism, the report will not be encrypted.***

Evaluation:

  • The first participant to submit an issue following guidelines gets a bounty for that issue (issues already received or out of scope will not receive a reward).
  • The competition starts on March 26th at 15:00 GMT and ends on April 9th at 15:00 GMT.
  • Issues that we are aware of (as witnessed by any open issues in the repository) will not be eligible for the bug bounty.

Compensation and Impact

A prize pool of ~$32K In USDT and NFT rewards from our hacker collection will be distributed among security researchers who submit eligible vulnerability disclosures.

Compensation payment timeline:

  • Ten days after the competition ends, we will announce a winner list.
  • Alongside the winner announcement post, submitters can send disputes to the committee team and request clarification. They can also involve the Hats security team in the process. The goal is to facilitate honest and professional debate regarding disputed submissions.
  • Between 7–14 days after the announcement, we will publish a split contract where the winners can claim their rewards.
  • HATS Service Fee: A 20% deduction from the payout will always be allocated as the service fee.

Security researchers play a crucial role in fostering trust and confidence in Web3 technologies, paving the way for mass adoption. By participating in this competition, security researchers can gain recognition for their work, raise their profile, and make valuable connections in the Web3 security ecosystem. Ultimately, they can contribute to creating a more secure and equitable community.

Join Aleph Zero’s Audit Competition today and participate in the movement to secure the future of Web3 and decentralized finance. Check the Hats Finance dApp for more information and in-scope contracts.

Stay tuned and check the Hats dApp: https://app.hats.finance/audit-competitions


Hats.Finance is a decentralized smart bug bounty marketplace: a permissionless, scalable, and open bug bounty protocol that allows anyone to provide liquidity.