Get ready for a new audit competition coming to Hats Finance! Up to $105K in prizes

HatsFinance
5 min read · Apr 24, 2023

Join our global hunt for Gravita Protocol! Spot the bug and win a juicy reward 🤑

We welcome all experience levels; whether you are a seasoned security veteran or amateur, show us what you got! Prizes will be given based on the severity level of each vulnerability found.

About the Competition

Starting April 24, a new vault will open in the Hats dApp — “Gravita Protocol Audit competition.” Participants can check the contracts in scope and start searching for bugs in their contracts.

Gravita offers a decentralized borrowing platform, enabling users to secure interest-free loans using ETH liquid staking tokens (LSTs) as collateral. Their platform is focused on Ethereum decentralization & nurturing top-notch minority LSTs.

Stay up-to-date with the competition, chat with the team, and get your questions answered by joining the dedicated Discord channel on the Hats server. All audit reports will be published in our Discord on the day of the competition. Don’t miss out on the latest updates and insights — join now and be the first to know!

Audit competition rewards:

High Severity:

The total prize pool for High severities will be ~$75K USDC, with a maximum reward cap of $25K for a single High submission. Each new issue gets 1 point, and the total High severity reward will be divided between all accepted issues.

High-severity vulnerability description:

High issues are exploitable issues that lead to the loss of user funds. Such issues include:

- Direct theft of any user funds

- Long-term freezing of user funds

- Theft or long-term freezing of unclaimed yield or other assets

- Protocol insolvency

Medium Severity:

The total prize pool of Medium severity will be ~$25K USDC. Each new issue gets 1 point. The total Medium severity reward will be divided between all accepted issues.

Medium severity vulnerability description:

Medium severity issues are issues that lead to an economic loss but do not lead to direct loss of on-chain assets. Examples are:

  • Gas griefing attacks (make users overpay for gas)
  • Attacks that make essential functionality of the contracts temporarily unusable or inaccessible
  • Short-term freezing of user funds

Low severity:

The total prize pool of Low severity will be ~$3K USDC. Each new issue gets 1 point. The total Low severity reward will be divided between all accepted issues.

Low severity vulnerability description:

Issues where the behavior of the contracts differs from the intended behavior (as described in the docs and by common sense), but no funds are at risk.

Gas Saving:

The total prize pool for Gas Saving will be ~$2K USDC.

The gas-saving prize pool will be shared between the first place, who will get ⅔ of the prize pool, and the second place, who will get ⅓ of the gas-saving pool.

The guidelines are as follows:
- Submissions should be forks of our repository, with the test suite unchanged.
- Optimizations should use Solidity only (no inline assembly).
- Entries will be measured on the total average amount of gas used for each function (i.e., the sum of all numbers in the “avg” column), as reported by hardhat-gas-reporter when running the tests in the repository.

Limitations

Reporters will not receive a bounty for:

  • Any known issue, such as:
    – Issues mentioned in any previous audit reports
    – Vulnerabilities that were already made public (either by HATs or by a third party)
  • “Centralization risks” that are known and/or explicitly coded into the protocol (e.g. an administrator can upgrade crucial contracts and steal all funds)
  • Attacks that require access to leaked private keys or trusted addresses
  • Issues that are not responsibly disclosed (issues should typically be reported through our platform)

Evaluation of Audit Competition

Each eligible bug submission receives 1 point in its severity category, and each prize pool is divided according to the number of eligible submissions in it.
Important note: a maximum reward cap of $25K applies to a single High severity submission.

For example, suppose there is 1 high-severity issue and 3 medium-severity issues. In that case, submitters of the medium-severity vulnerabilities will be awarded $8.3K each and the submitter of the high-severity vulnerability gets $25k.

You can make one on-chain submission listing all issues found in the repo, but please open a separate GitHub issue for each one.

Evaluation:

  • The first participant to submit an issue following guidelines gets a bounty for that issue (issues already received or out of scope will not receive a reward)
  • Participants submit one issue at a time in the GitHub repo
  • The competition starts on April 24 at 18:00 GMT and ends on May 8 at 18:00 GMT.
  • Issues that we are aware of (as witnessed by any open issues in the repository) will not be eligible for the bug bounty.

Submission Guidelines — High/Medium/Low severities:

  • Submissions should be made using our Dapp in the “Gravita protocol audit competition” vault.
  • Please send a plain ASCII file in the following format:

    TITLE (short description of the issue)
    SEVERITY (either High, Medium or Low)
    A LINK TO THE GITHUB ISSUE

  • A concise GitHub issue describing the problem should be created in the project repository.
  • The submission should contain a PR (linked to the issue) with at least one test demonstrating the problem and, if possible, a proposed fix.
  • The title should match the title of the on-chain submission in the Dapp.

How to submit the bug reports in the Gravita protocol GitHub:

  • The issue should describe the problem concisely. Use the following format to describe the vulnerability:

### Title

4–5 short words describing the vulnerability

### Affected smart contract

The file name of the affected smart contract.

Permalink to the root cause code within the smart contract where the vulnerability can be attributed.

### Description

Describe the context and the effect of the vulnerability.

### Attack scenario

Describe how the vulnerability can be exploited.

### Recommendation

Describe a patch or a potential fix for the vulnerability.

— — — — — — — — — — — — — —

  • Create a PR that contains at least one test demonstrating the problem and, if possible, a potential fix, and link it to the above issue.

Refer to this video for more information on the on-chain submission:

https://www.youtube.com/watch?v=c_jR1Iwp7nE

Compensation and Impact

A prize pool of $105K USDC and NFT rewards from our hacker collection will be distributed among security researchers who submit eligible vulnerability disclosures.

Security researchers play a crucial role in fostering trust and confidence in web3 technologies, paving the way for mass adoption. By participating in this competition, security researchers can gain recognition for their work, raise their profile, and make valuable connections in the web3 security ecosystem. Ultimately, they can contribute to creating a more secure and equitable community.

Join the Gravita protocol Audit Competition today and be a part of the movement to secure the future of web3 and decentralized finance. Check the Hats Finance dApp for more information and in-scope contracts.

Stay tuned and check Hats dapp: https://app.hats.finance/vaults


HatsFinance

Hats.Finance is a decentralized smart bug bounty marketplace: a permissionless, scalable, and open bug bounty protocol that allows anyone to provide liquidity.