Complete Audit Cycle — Rules and Guidelines for Security Researchers
Below is a concise set of guidelines for security researchers and top auditors to leverage the Complete Audit Cycle in their Hats Finance audit competitions. This new feature rewards researchers not only for identifying vulnerabilities but also for delivering fully tested and production-ready fixes.
You can also check the process to submit vulnerabilities, claim and submit fixes and tests in this short video we’ve prepared:
In this document, we’ll show you the overall rules and specifications for the whole process, from submitting issues (and how the process changes with the Complete Audit Cycle), to claiming and submitting fixes and tests to earn additional rewards.
1. Guide for Security Researchers: Submitting Vulnerabilities
A. Understanding the Complete Audit Cycle
- Primary Goal: Identify vulnerabilities.
- New Option: Optionally, provide a fix and test for the issue, if you meet the eligibility requirements for ‘Top contributor’ (top 20% on the leaderboard with $5,000+ in earned rewards on Hats).
- Rewards: Earn more points for submissions that include a fix and test, if accepted.
- Collaboration: If you do not claim a fix or test or you’re not a top contributor, other security researchers (with $5,000+ earned rewards) can claim the opportunity to write them.
B. Submitting Your Vulnerability
1. Review Competition Rules
- Check the specific competition (vault) guidelines on Hats Finance for details about scope, out-of-scope items, and severity definitions.
2. Find and Document the Vulnerability
- Provide clear, replicable steps or proof of concept (PoC).
- Classify the severity of the vulnerability (Low, Medium, High, Critical) according to the sponsor’s rules or Hats guidelines.
3. Optional: Claim and submit a Fix and Test within the next 12 hours (only if you meet the Top Auditor criteria)
- Fix: Provide a code snippet or patch that resolves the issue.
- Test: Write tests that validate the fix and follow the project’s test patterns and style.
- If you cannot complete the fix/test, or do not wish to, another qualified researcher can claim it.
4. Submit the Report
- Use the Hats submission form or the designated competition submission portal.
- Include all supporting evidence for the vulnerability.
- If you are also providing a fix/test, attach or reference it clearly.
5. Follow Up on Sponsor Feedback
- Sponsors may ask for additional details or clarifications.
- If your fix or test is incomplete, the sponsor can mark it as “incomplete,” allowing others to claim it.
C. Earning Points and Rewards
- Base Points: Determined by the issue’s severity (e.g., Low = 1 point, Medium = 2 points, etc., subject to the vault’s rules).
- Extra Points for a Fix: +10% of the points awarded for the vulnerability.
- Extra Points for a Test (if applicable): +5% of the points awarded for the vulnerability.
Example: If a Low issue is worth 1 point, then:
- Fix accepted = +0.1 point
- Test accepted = +0.05 point
Note: These calculations remain consistent, but the actual point values can vary by competition.
Important: Percentages for fixes and tests remain consistent across all competitions, but the number of points and maximum rewards vary depending on the specific vault and competition details.
2. Guide for Top Auditors: Claiming Fixes and Tests
A. Eligibility Criteria
- Leaderboard Status: Must be in the top 20% of the Hats leaderboard.
- Earnings: Must have at least $5,000 in earned rewards on Hats Finance.
Once you meet these criteria, you are considered a “top contributor” and can claim the option to add or improve fixes/tests for vulnerabilities submitted by others.
B. How to Claim a Fix or Test
1. Identify a Vulnerability Submission
- Look for a newly reported issue in the current audit competition that does not yet have a fix/test or has been marked “incomplete” by the sponsor.
2. Click “Claim issue”
- Claim the fix/test. You have a 12-hour window once you claim it.
3. Provide a Complete Fix and/or Test
- Follow the Project’s Code Style: Ensure your code aligns with the sponsor’s coding guidelines and quality standards.
- Write Thorough Tests: Demonstrate that your fix resolves the vulnerability without introducing new issues.
- Submit Promptly: You must finalize and submit within the 12-hour claim window.
4. Peer Review & Sponsor Feedback
- Other top researchers may review your code; sponsors will verify completeness.
- If the sponsor deems your fix or test “incomplete,” the opportunity reopens for another top contributor to finalize it.
C. Points and Rewards
- Fix: +10% of the base vulnerability points.
- Test: +5% of the base vulnerability points (if a test is relevant).
- These points are added on top of the existing reward for the vulnerability submission.
- Partial Submissions: If you submit only a fix and skip the test (when a test is actually needed), the submission may be deemed incomplete, allowing another auditor to complete the missing part.
D. Tips for Success
- Stay Active: Audits can happen quickly, and claim opportunities are first-come, first-served.
- Quality Over Speed: Ensure your submission is production-ready, as sponsors want to merge high-quality code.
- Collaborate: You can discuss the issue with the original reporter or other top researchers if necessary. A well-reviewed fix is more likely to be accepted quickly.
Additional Notes
- No Extra Budget Needed: Sponsors do not need to increase budgets for the Complete Audit Cycle. The total reward pool is redistributed to accommodate the fix/test bonuses.
- Maintaining High Standards: Both sponsors and the Hats community value well-documented and tested solutions. Thoroughness can lead to a higher reputation and more consistent earning opportunities.
- Incompletes Reclaimed: Any fix or test flagged as incomplete can be reopened for claims by other top contributors.
Conclusion
The Complete Audit Cycle at Hats Finance encourages a more robust security process — from finding vulnerabilities to fixing and testing them. This approach:
- Increases the quality and readiness of sponsor code.
- Rewards researchers with additional points and higher standing.
- Promotes a decentralized development spirit where security meets practical implementation.
We look forward to seeing your contributions under this new system. Stay tuned for upcoming competitions that will launch the Complete Audit Cycle and start building your Hats profile to reach that top 20% + $5,000 milestone.
Happy hunting and fixing!