Fuji Finance Audit competition: Up to $30K DAI in prizes

HatsFinance
Feb 13, 2023

Get ready for a new audit competition coming to Hats Finance!
Starting Tue Feb 14, 2023 12:00:00 GMT+0000 — ending Mon Feb 27, 2023 17:00:00 GMT+0000, we will run a competition for Fuji Finance. In this competition, you will be able to showcase your skills, take on a new challenge, and have a tangible impact on the future of the web3 security industry.

Are you ready to accept the challenge? This competition is open to participants from all corners of the world, so whether you’re a seasoned veteran or just starting out, this is the perfect opportunity to demonstrate your passion and drive in this ecosystem.

About the Competition

Fuji Finance is building a DeFi cross-chain money market aggregator, which will be available on Ethereum, Polygon, Arbitrum, Optimism, BNB Chain, and Gnosis Chain. Their dApp scans the money markets, finding the best rates and facilitating automatic refinancing, non-custodial loan routing and rebates on gas prices. Starting Feb 14, a new vault will be open in the Hats dApp and participants will search for bugs in the Fuji contract directory (the list of contracts covered by the contest). Prizes will be awarded based on the severity of each vulnerability.

High Severity:

For a submission to be considered a HIGH risk vulnerability, it requires a scenario where users’ funds are at risk (for example an attacker can steal funds from a vault, or users are not able to withdraw their tokens, etc). The total prize pool of $20K will be allocated towards HIGH severity rewards, then be divided based on eligible submissions.

Medium Severity:

For a submission to be considered a MEDIUM risk vulnerability, it requires a scenario where the behavior of the contracts differs from intended behavior (as described in the documentation and by common sense). The total prize pool of $7K will be allocated towards MEDIUM severity rewards, then will be divided based on points of eligible submissions.

Gas Optimization:

This competition will reward participants with ideas to maximize gas savings. The prize pool of $3k will be allocated towards eligible submissions.

Evaluation of Audit Competition

Each eligible bug submission receives 1 point in their severity category. Based on the number of eligible submissions, prize pools are divided. For example, if there is 1 high-severity issue and 3 medium-severity issues, then submitters of the medium-severity vulnerabilities will be awarded $2.3K each and the submitter of the high severity vulnerability gets $20k.

You can submit one on-chain submission mentioning all issues found on the repo. Please make sure you make separate issues on the repo.

  1. The first participant to submit an issue following the guidelines gets a bounty for that issue (issues already received or out of scope will not receive a reward).
  2. Participants submit one issue at a time.
  3. The competition runs from Feb 14th to Feb 27th.
  4. Issues that we are aware of (as witnessed by any open issues in the repository) will not be eligible for the bug bounty.

Submission Guidelines

Submissions should be made using our dApp in the “Fuji Finance Audit Competition” vault.

Refer to this video for more information on submission:

https://www.youtube.com/watch?v=c_jR1Iwp7nE

  • A GitHub issue describing the problem concisely should be created in https://github.com/Fujicracy/fuji-v2/issues using the “SubmissionAuditCompetition” label. The title should match the title of the on-chain submission in the dApp.

How to submit the Bug reports in the Fuji Finance Github:

• The issue should describe the problem concisely. Use the following format to describe the vulnerability:

### Title

_A 4–5 short word description of the vulnerability_

### Affected smart contract

_The file name of the affected smart contract_

_Permalink to the root cause code within the smart contract where the vulnerability can be attributed_

### Description

_Describe the context and the effect of the vulnerability_

### Attack scenario

_Describe how the vulnerability can be exploited_

### Recommendation

_Describe a patch or a potential fix for the vulnerability_

— — — — — — — — — — — — — —

• Create a PR that contains at least one test demonstrating the problem and, if possible, a potential fix.

To participate in the bounty, you must submit a report through the Hats dApp at https://app.hats.finance/vaults. Please send a plain ASCII file in the following format:

TITLE (the short description used previously)

SEVERITY (either high or medium, see the rules):

A LINK TO THE GITHUB ISSUE

PLEASE NOTE!!! Findings that are similar or repeated from the Composable Security report will not be considered. Please first check:

https://github.com/ComposableSecurity/.github/blob/main/reports/2022_11_Fujidao_Labs_OU.pdf

Gas savings

There are two prizes for submissions that lead to the best gas savings: $2,000 in DAI for first prize, and $1,000 in DAI for second place.

- Submissions should be in the form of a fork of our repository @tag v.0.0.1, with the test suite unchanged.

- Optimizations should use Solidity (no inline assembly).

- Optimizations in BaseVault.sol and children contracts will be first priority.

- Optimizations in BaseRouter.sol and children contracts will get lower priority.

- All other optimizations will get lowest priority and probably won’t be considered for the reward.

- Measure is: total avg amount of gas saved for each function (i.e. the sum of all numbers in the “avg” column), as reported by the Foundry --gas-report.

Use the following:

forge test --gas-report

The time of the submission is not a factor in determining the winner. Submitters should add the total average gas cost of their submission.
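The measure described above can be computed from saved report text. The following is an added example, not code from Fuji Finance or Hats Finance: it sums the “avg” column of a baseline and an optimized report and gives the saving per function. The table layout, the ExampleVault name and all numbers are constructed assumptions.

```python
import re

CELL_SPLIT = re.compile(r"[|│┆]")  # ASCII and box-drawing column separators

# Constructed sample; layout assumed to match `forge test --gas-report` output.
BASELINE = """\
| src/ExampleVault.sol:ExampleVault contract |       |       |        |        |         |
|--------------------------------------------|-------|-------|--------|--------|---------|
| Deployment Cost                            | Deployment Size | | |   |         |
| 3000000                                    | 15000 |       |        |        |         |
| Function Name                              | min   | avg   | median | max    | # calls |
| borrow                                     | 5000  | 98000 | 99000  | 140000 | 12      |
| deposit                                    | 4000  | 61000 | 62000  | 90000  | 30      |
"""
# Constructed "after" report: same tests, lower avg for both functions.
OPTIMIZED = BASELINE.replace("98000", "96200").replace("61000", "59500")

def avg_by_function(report):
    """Map 'Contract.function' to its avg gas, read from gas-report text."""
    result, contract, avg_idx = {}, None, None
    for line in report.splitlines():
        cells = [c.strip() for c in CELL_SPLIT.split(line)[1:-1]]
        if not cells:
            continue  # blank line, table border, or non-table test output
        if cells[0].endswith(" contract"):
            contract = cells[0][:-len(" contract")].split(":")[-1]
            avg_idx = None  # new table: wait for its own header row
        elif cells[0] == "Function Name" and "avg" in cells:
            avg_idx = cells.index("avg")
        elif avg_idx is not None and len(cells) > avg_idx and cells[avg_idx].isdigit():
            result[f"{contract}.{cells[0]}"] = int(cells[avg_idx])
    return result

def total_avg(report):
    """Sum of all numbers in the avg column across every contract table."""
    return sum(avg_by_function(report).values())

def gas_saved(baseline, optimized):
    """Per-function avg gas saved; both reports must cover the same functions."""
    before, after = avg_by_function(baseline), avg_by_function(optimized)
    if before.keys() != after.keys():
        raise ValueError("function sets differ; was the test suite changed?")
    return {name: before[name] - after[name] for name in before}

if __name__ == "__main__":
    saved = gas_saved(BASELINE, OPTIMIZED)
    print(total_avg(BASELINE), total_avg(OPTIMIZED), sum(saved.values()))
```

The mismatch check exists because the rules require the test suite to stay unchanged: a function that appears in only one report makes the two totals incomparable.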

Compensation and Impact

A prize pool of $30K DAI and NFT rewards from our hacker collection will be distributed among security researchers who submit eligible vulnerability disclosures.

Security researchers play a crucial role in fostering trust and confidence in web3 technologies, paving the way for mass adoption. By joining this competition, white hats can raise their profile, gain recognition for their work and make valuable connections with other people in the web3 security ecosystem, ultimately making a social impact and helping create a more secure and equitable community.

The competition starts on February 14th, 2023, at 12:00:00 GMT+0000, and ends on February 27th, 2023, at 17:00:00 GMT+0000.
To take part, check Fuji Finance V2 Audit Competition at https://app.hats.finance/vaults for in-scope contracts and get ready to showcase your skills and contribute to the future of web3 security.


Written by HatsFinance

Hats.Finance is a decentralized smart bug bounty marketplace: a permissionless, scalable, and open bug bounty protocol that allows anyone to provide liquidity.