Our latest audit competition with Gravita Protocol has officially ended. Once again, we're amazed by the hard work and skills of the white hat hacker community. We thank every participant for their strong commitment to web3 security.
Through this writeup, we hope to shed light on the rigorous process behind each audit competition, advocating for greater transparency between projects and security researchers.
About the competition:
The competition started April 24th and ended May 8th. We received a total of 90 submissions, out of which 16 were valid.
3 medium severities
11 low severities
1st place: 0xb…4ad
2nd place: 0x3…40A
The try/catch in PriceFeed.sol#_fetchCurrentResponse can act as a gas bomb and drain the user's gas: gas griefing attacks (e.g. making users overpay for gas) are rated medium severity.
In VesselManagerOperations, an oversized _vesselArray can cause a DoS state: we initially considered this low severity, as the user chooses the number of vessels to liquidate; no attacker imposes this gas cost on users who select too large a batch. That said, we have changed the code to enforce a maximum batch size and will treat this issue as medium severity.
Permanent loss of cbETH funds: While we initially considered cbETH as a collateral type we would support, we have decided that it will not be available on our platform at launch. If, in the future, we decide to include a censorable collateral, we will add mechanics in upcoming contract upgrades to handle such limitations.
Update initializer modifier to prevent reentrancy during initialization: If such an exploit were feasible it would have to be carried out at deployment time, when no user funds are in the platform, so no user funds could be compromised. It would only cost Gravita a redeployment, hence low severity.
Un-Upgradeable Contracts: Any issue with upgradeability would make the contracts behave differently from what we expected, but without a direct loss of funds (only a separate vulnerability could cause loss of funds), hence we considered this low severity.
The Timelock contract needs a receive function: We don't support unwrapped ETH on the platform, so there's no harm in the Timelock not supporting it either. We are adding the receive function to be future proof.
Missing validation in latestRoundData: While Liquity, Vesta, and Yeti were the protocols we used as a starting point, we have noticed that none of them consider the 'answeredInRound' value, relying instead on the 'updatedAt' timestamp to check for data staleness. We appreciate the suggestion and have taken note of it. We will consider adding a second validity check to our platform.
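The two oracle findings above (the try/catch gas bomb in the price feed, and the missing answeredInRound check) are easiest to see side by side. The following is an added example written for this writeup; it is not Gravita's PriceFeed.sol and makes no claim about how Gravita's code is structured. It assumes the standard Chainlink AggregatorV3Interface return shape, and the names OracleReader, _readFeed, MAX_PRICE_AGE and ORACLE_CALL_GAS are hypothetical. Instead of a Solidity try/catch, which forwards almost all remaining gas and copies whatever the callee returns, it issues a low-level staticcall with a gas cap and only copies return data when it is exactly the expected size, so a misbehaving feed cannot burn the caller's gas or hand back an oversized payload. It then validates the response on updatedAt (the primary staleness guard) and additionally on answeredInRound.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example, not Gravita's code. Standard Chainlink aggregator surface.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

contract OracleReader {
    // Hypothetical parameters. MAX_PRICE_AGE must exceed the feed's heartbeat;
    // ORACLE_CALL_GAS must be measured against the real feed (proxy + aggregator).
    uint256 public constant MAX_PRICE_AGE = 25 hours;
    uint256 public constant ORACLE_CALL_GAS = 60_000;
    uint256 private constant RESPONSE_SIZE = 5 * 32; // ABI-encoded size of latestRoundData()

    struct Response {
        uint80 roundId;
        int256 answer;
        uint256 updatedAt;
        uint80 answeredInRound;
        bool success;
    }

    /// Bounded-gas staticcall. Return data is copied only if it is exactly
    /// RESPONSE_SIZE bytes, so a "return bomb" is treated as a failed call
    /// rather than a gas drain for the caller.
    function _readFeed(address feed) internal view returns (Response memory r) {
        bytes memory callData = abi.encodeWithSelector(AggregatorV3Interface.latestRoundData.selector);
        uint256 gasCap = ORACLE_CALL_GAS;
        uint256 expected = RESPONSE_SIZE;
        bool ok;
        uint256 size;
        assembly {
            ok := staticcall(gasCap, feed, add(callData, 0x20), mload(callData), 0, 0)
            size := returndatasize()
        }
        if (!ok || size != expected) {
            return r; // r.success stays false; the caller decides on fallback behaviour
        }
        bytes memory out = new bytes(expected);
        assembly {
            returndatacopy(add(out, 0x20), 0, expected)
        }
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            abi.decode(out, (uint80, int256, uint256, uint256, uint80));
        r = Response(roundId, answer, updatedAt, answeredInRound, true);
    }

    /// Validity checks: call succeeded, positive answer, fresh updatedAt,
    /// and (second check) the answer was computed in the current round.
    function _isValid(Response memory r) internal view returns (bool) {
        if (!r.success) return false;
        if (r.answer <= 0) return false;
        if (r.updatedAt == 0 || r.updatedAt > block.timestamp) return false;
        if (block.timestamp - r.updatedAt > MAX_PRICE_AGE) return false;
        if (r.answeredInRound < r.roundId) return false;
        return true;
    }

    function getPrice(address feed) external view returns (uint256 price) {
        Response memory r = _readFeed(feed);
        require(_isValid(r), "OracleReader: invalid or stale oracle response");
        price = uint256(r.answer);
    }
}
```

Two caveats for anyone adopting this pattern. First, a gas cap that is too tight will make a healthy feed look broken, so measure the real call path before picking the number. Second, Chainlink's data feed reference now marks answeredInRound as deprecated, so the updatedAt age check should remain the primary guard; the answeredInRound comparison is harmless to keep but should not be relied on by itself.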
Timelock contract execution delay can be ineffective and unusable if the execution delay is longer than the grace period: We'll implement an additional check to avoid mistakes when creating timelock transactions.
Out of gas in collectFees: We appreciate the report and have fixed the code.
SortedVessels linked list could have more elements than maxSize: We do not enforce a max size on the vessel list. We never iterate through the list in our codebase, so list size should not cause gas issues. The isFull function and maxSize are leftovers and can be removed.
OwnableUpgradeable is not initialised for the StabilityPool and VesselManager contracts: The code was fixed.
GRAI can be borrowed against an inactive asset: We have another parameter (mintCap) that limits minting of GRAI against a given asset type. We'll consider removing the duplication.
The ERC20Token/ETH Chainlink oracle has too long a heartbeat and deviation threshold, which may cause loss of funds: We appreciate the suggestion and assigned low severity.
Gas Savings Winners
The gas savings category was based on submissions with the most gas savings. The winning submissions provided many upgrades across the entire codebase.
We particularly appreciate the top submission for its breadth across the whole codebase.
The top two submissions received ⅔ and ⅓ of the gas savings prize respectively.
Low and Disqualified submissions
We had many submissions that were not eligible because they were out of the audit scope (see https://hatsfinance.medium.com/get-ready-for-a-new-audit-competition-coming-to-hats-finance-up-to-105k-in-prizes-8bbcf3d51034), duplicates, or known issues.
Many entries also disregarded the submission guidelines (e.g. they were missing the PR with the proposed code changes or the test demonstrating the vulnerability).
As a general suggestion, we recommend that all auditors familiarize themselves with the competition rules before the audit starts.
Final Remarks from the Gravita Protocol Team
We are grateful to the Hats team for organizing this competition and all the auditors who participated. We really appreciated having so many eyes on our code and we identified some bugs or improvements that were missed in our audit round.
Our recommendation to the Hats team is to streamline the process, which can become very cumbersome: the current system (requiring a vault submission, a GitHub issue and a PR) requires a lot of manual work to link together the different databases. We heard a new process is coming and are very excited to see it live.
Hats final note:
We apologize for the delay in publishing this article. We have been busy achieving our goals during the Raft competition and preparing for the upcoming one with Vmex, which will continue until July 3, 2023.
It is important to highlight that the Gravita team’s commitment to the evaluation process was exemplary. They provided thorough explanations to the security researchers during and after the competition, ensuring transparency and understanding. Additionally, Gravita disbursed $30,000 USDC out of the $105,000 USDC reward pool, demonstrating the effectiveness of Hats’ unique audit competition mechanism. This mechanism allows protocols to pay only for the achieved results, enabling the withdrawal of the remaining funds.
In light of these achievements, we can summarize the benefits of participating in a Hats audit competition. If you have utmost confidence in your code, engaging in an audit competition can provide an additional layer of assurance. On the other hand, if you have doubts about the security of your code even after an initial audit round or two, an audit competition serves as a valuable opportunity to enhance the safety of your contract deployment. Creating a secure ecosystem is paramount, and by incorporating the Hats audit competition before launching, you can further increase safety for everyone involved.
Now, let’s move on to the updates and improvements we have made based on the feedback received:
- In the Vmex competition, security researchers can now submit their findings directly on-chain, which will automatically open an issue on GitHub. This streamlined process enhances transparency and ensures that all submissions are properly tracked.
- We have introduced a template to guide security researchers to structure their submissions. This template will help ensure that all relevant information is included, making the evaluation process more efficient.
- We have implemented a feature that allows for multiple submissions within a single transaction. This simplifies the submission process for security researchers, enabling them to include multiple findings in a convenient manner. Look for the “+” sign to utilize this feature.
- The committee overseeing the competition now has the ability to download all the submissions from GitHub and export them to an Excel sheet. This facilitates evaluation and analysis of the findings.
- To address concerns regarding report security, gas savings submissions will now be encrypted and not publicly accessible. This means that researchers can confidently submit their reports on-chain, knowing that their work will be protected and not vulnerable to unauthorized copying.
Thank you for your understanding and patience. We strive to continuously improve our processes and provide a more secure and efficient platform for security researchers. If you have any further questions or feedback, please do not hesitate to reach out to us via Discord or Twitter.