Starting Oct 26th , 2023, at 16:00 GMT to Nov 9th, 2023, at 16:00 GMT
Hats arbitration feature audit competition is open to all experience levels. Auditors and white hat hackers who have previous experience with Hats V2 contracts or engaged in Hats V2 audit competition will find this competition best suited for them.
About the Competition
Starting Oct 26th, Hats dApp will unveil a fresh vault — “HATs arbitration contracts”. Enthusiasts and participants can delve into the contracts in scope and commence their bug hunt.
While the competition encompasses all contracts integral to the HATs system, our primary interest lies in the modifications post-V2.0.
What’s New Since Our Last Release?
- Introduction of an arbitration procedure: In case of payout disputes, the matter can be elevated to an Expert Committee. If a consensus remains elusive, the Kleros court steps in. The expected behavior of this system is documented here.
- Segregation of the main contract, HATVault.sol, into two distinct files: HATVault.sol and HATClaimsManager.sol.
- Addition of auxiliary contracts, notably the PaymentSplitter.sol.
For reference, the v2.0 contracts currently in operation can be accessed here.
In this competition, while conventional programming errors are of interest, we’re particularly keen on identifying potential abuse or hijacking of the arbitration procedure. Note: It’s the implemented behavior that’s pivotal. Documentation errors, though valued, won’t be rewarded.
Hats Finance stands at the forefront of decentralized Web3 security infrastructure, zealously protecting assets for a vast DeFi user base. Aspiring to be the decentralized security linchpin for Web3, Hats ardently embodies the DeFi ethos, leveraging distributed security mechanisms to fortify the Web3 landscape.
Hats’ Diverse Product Suite:
- Audit Competitions: Time-sensitive audit calls, facilitating swift engagement with elite auditors in a competitive milieu.
- Bug Bounties: A decentralized bug bounty framework echoing Web3 tenets, featuring liquidity vault contributions, on-chain submissions, and a decentralized arbitration mechanism for settling disputes.
- Encrypted Communication: Ensuring confidential dialogues between individuals and protocol committees.
- Automated Escrows: Guaranteeing secure transactions for sensitive data.
- Synergies and Risk Sharing: Central to Hats is the alignment of incentives, nurturing collaboration across the spectrum — from protocols and users to security mavens and the Hats platform.
Spotlight on Decentral Arbitration
Decentral Arbitration isn’t just another feature; it’s a game-changer. It addresses a pivotal need in the audit landscape — unbiased dispute resolution. Auditors, the sentinels of system and application integrity, often face disagreements over their discoveries or reward allocation. Decentralized arbitration introduces a transparent, accountable layer to the competition, granting auditors a voice in impartial dispute resolution.
The essence of this feature is its potential to amplify trust within the audit ecosystem. Auditors can operate with the assurance that their diligence is fairly assessed and their contributions aptly acknowledged.
Audit Competition Rewards
- Prize pool: ~$20K in USDC
- Service Fee: No service fee will be taken in this competition
The total prize pool for High severities is set at ~$11,400 in USDC.
Each new issue gets 1 point. The total High-severity reward will be divided between all accepted issues.
High-severity vulnerability description:
For a submission to be considered a High-severity vulnerability, issues must:
- Direct theft of any user funds, whether at rest or in motion
- Long-term freezing of user funds
- Theft or long-term freezing of unclaimed yield or other assets
- Protocol insolvency
The total prize pool for Medium severities is set at ~$6,000 in USDC
Each new issue gets 1 point. The total Medium severity reward will be divided between all accepted issues.
Medium severity vulnerability description:
Issues that lead to an economic loss but do not lead to direct loss of on-chain assets. Examples are:
- Gas griefing attacks (make users overpay for gas)
- Attacks that make essential functionality of the contracts temporarily unusable or inaccessible
- Short-term freezing of user funds
The total prize pool for Low severities is set at ~$2,000 in USDC.
Each new issue gets 1 point. The total Low severity reward will be divided between all accepted issues.
Low severity vulnerability description:
- Issues where the behavior of the contracts differs from the intended behavior (as described in the docs and by common sense), but no funds are at risk.
The total prize pool of Gas Saving severity is set at ~$600 in USDC.
This competition will reward participants with ideas to maximize gas savings.
- The first place gets ⅔ (66.6%) of the prize pool.
- The second place gets ⅓ (33.3%).
Gas Saving Guidelines:
- Submissions should contain links to zip files with a copy of the project repository containing the gas-saving changes commented with ‘//Gas saving, with the test suite unchanged.
- Please use Google Drive or a similar service and attach the link to your submission.
- Optimizations should use solidity (no inline assembly).
- Due to the rules category, submissions will not be public and will only be shared with the committee.
- Entries will be measured on the total average amount of gas used for each function (i.e., the sum of all numbers in the “avg” column), as reported by the hardhat-gas-reporter when running the tests in the repository.
Reporters will not receive a bounty for any known issue, such as:
- Issues mentioned in any previous audit reports
- Vulnerabilities that were already made public (either by HATs or by a third party)
- “Centralization risks” that are known and/or explicitly coded into the protocol (e.g. an administrator can upgrade crucial contracts and steal all funds)
- Attacks that require access to leaked private keys or trusted addresses
- Issues/contracts mentioned in the out-of-scope section
Submission Guidelines — High/Medium/Low severities:
- The Hats team will create a new repository called “Hats Audit Competition” under the Hats.finance organization on GitHub. The repository will be kept private until the competition starts. Hats bot will fork it on the first submission. To participate, security researchers must submit their findings on-chain, and an automatic GitHub issue will be generated in the forked repository.
- How it Works: Video Explanation
- Submissions should be made using our Dapp.
- You can submit one on-chain submission mentioning all issues found on the repo.
- All new submissions will be created on Hats forked repo on Hats: Hats GitHub
- Please send a plain ASCII description in the following format:
- [TITLE]: A short description of the issue.
- SEVERITY: Either High, Medium, or Low (as per the rules).
- Submission should contain at least one test demonstrating the problem and, if possible, a possible fix.
- Description: Describe the context and the effect of the vulnerability.
- Attack scenario: Describe how the vulnerability can be exploited.
- Proof of Concept (PoC) File: Provide a file containing a proof of concept (PoC) that demonstrates the vulnerability.
- Revised Code File (Optional): If possible, provide a second file containing the revised code that offers a potential fix for the vulnerability. This file should include:
- Comment with a clear explanation of the proposed fix.
- The revised code with suggested changes.
- Add any additional comments or explanations clarifying how the fix addresses the vulnerability.
- Recommendation: Describe a patch or potential fix for the vulnerability.
***Due to the nature of the audit competition mechanism, the report will not be encrypted.
- The first participant to submit an issue following guidelines gets a bounty for that issue (issues already received or out of scope will not receive a reward).
- The competition starts on OCT 26th at 16:00 GMT and ends on NOV 9th at 16:00 GMT.
- Issues that we are aware of (as witnessed by any open issues in the repository) will not be eligible for the bug bounty.
Compensation and Impact
A prize pool of ~$16K In USDC and NFT rewards from our hacker collection will be distributed among security researchers who submit eligible vulnerability disclosures.
Compensation payment timeline:
- Ten days after the competition ends, we will announce a winner list.
- Alongside the winner announcement post, submitters can send disputes to the committee team and request clarification. They can also involve the Hats security team in the process. The goal is to facilitate honest and professional debate regarding disputed submissions.
- Between 7–14 days after the announcement, we will publish a split contract where the winners can claim their rewards.
Security researchers play a crucial role in fostering trust and confidence in Web3 technologies, paving the way for mass adoption. By participating in this competition, security researchers can gain recognition for their work, raise their profile, and make valuable connections in the Web3 security ecosystem. Ultimately, they can contribute to creating a more secure and equitable community.
Join Hats Audit Competition today and be a part of the movement to secure the future of Web3 and decentralized finance. Check the Hats Finance dApp for more information and in-scope contracts.
Stay tuned and check Hats dApp:https://app.hats.finance/audit-competitions