Intuition: Rewards up to $28,000 in USDC

HatsFinance
7 min read · Jun 19, 2024

From June 21st, 2024, at 15:00 GMT to July 5th, 2024, at 15:00 GMT

We invite all white hat hackers to join the hunt on the Intuition system audit competition.

All experience levels are welcome; whether you are a seasoned security veteran or an amateur, show us what you’ve got! Prizes will be given based on the severity level of each vulnerability found.

About the Competition

Starting June 21st, a new vault will open in the Hats dApp — “Intuition system”. Participants can check the scope of the contracts and start searching for bugs.

Intro to Intuition
Intuition is an Ethereum-based attestation protocol that makes it easy to create, explore, and incentivize verifiable information. By default, attestations reside on an open social knowledge graph, allowing any developer and their users to harness the wisdom of the crowds.

The Intuition Protocol differentiates itself through a novel architecture that allows for many-to-one relationships between “identities” and “claims” and token-based incentive mechanics for data creation. By making it easy for applications to flexibly create and use attestation data about any subject, Intuition is bringing a new data layer to the decentralized web that facilitates countless new use cases.

Intuition’s initial flagship application allows users to create, navigate, aggregate, and curate attestations regarding people and things within the web3 ecosystem, a space where qualitative reputation and identity data is acutely lacking.

Audit competition info:
The competition code language is Solidity, and the SLOC estimation for this competition is 969 SLOC.

This competition is hosted on Ethereum Mainnet; please make sure you have ETH to submit the reports. You can submit more than one report in the same transaction: look for the plus button.

Stay up-to-date with the competition, chat with the team, and get your questions answered by joining the dedicated Discord channel on the Hats server.

All audit reports will be published in our Discord on the day of the competition. Don’t miss the latest updates and insights — join now and be the first to know!

Audit competition rewards

  • Deposited Amount: The deposited amount is ~$35K in USDC, making the available prize pool ~$28K in USDC.
  • Service Fee: All rewards mentioned in this article and on the Hats dApp UI have already had a 20% Hats service fee deducted.
  • Severities: Low, Medium, High

Rewards and Calculation

The entire prize pool for our audit competition is up for grabs across all severity levels. Each severity level has a specific point value, which determines the payout cap per submission.

Maximum Reward Caps per Submission:

  • Low Severity: 400 USDC (equals 1 point)
  • Medium Severity: 3200 USDC (equals 8 points)
  • High Severity: 6400 USDC (equals 16 points)

*For simplicity, the points and the cap are related: a cap of 400 USDC equals a 1.43% share of the total prize pool.

Points are consistently awarded within each severity level, with all findings at the same level earning the same points unless adjusted by the committee.

Calculating the Winner’s Reward:

The formula for a winner’s reward is as follows:

Point Value = Prize Pool / Total Points*

*Awarded for the entire competition

Examples for Clarity:

Example #1:

  • 163 Low Severity: 163 points
  • 1 Medium Severity: 8 points
  • 1 High Severity: 16 points

Total points: 187

In this scenario:

  • Value of 1 Point = 28,000 USDC / 187 Total points = 149.7 USDC

The rewards for this example will be as follows:

  • Low (163 points): $149.7 each, $24,406.4 in total
  • Medium (8 points): $1,197.9 in total
  • High (16 points): $2,395.7 in total

Example #2

  • 10 Low Severity: 10 points
  • 1 Medium: 8 points

Total points: 18

In this scenario:

  • Value of 1 Point = 28,000 USDC / 18 Total points = 1,555.6 USDC

The result exceeds the maximum reward per low-severity submission, so the value of a point is adjusted (capped). The rewards for this example will be as follows:

  • Low (10 points): $1,555.6 each, capped at $400 each, $4,000 in total
  • Medium (8 points): $12,444.4, capped at $3,200 in total
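To make the capping rule concrete, here is an added Python example (not code from the Hats post) that applies the point-value formula and the per-submission caps from the two examples above. The prize pool, points and caps are the figures given in the post; rounding to one decimal USDC is my assumption, chosen to match the figures shown.

```python
# Added example: reward calculation for the Intuition audit competition as
# described in the post. Not Hats Finance code.
from decimal import Decimal, ROUND_HALF_UP

PRIZE_POOL = Decimal("28000")  # USDC, figure from the post

# Points per finding and maximum reward per submission, from the post
SEVERITIES = {
    "low":    {"points": 1,  "cap": Decimal("400")},
    "medium": {"points": 8,  "cap": Decimal("3200")},
    "high":   {"points": 16, "cap": Decimal("6400")},
}


def round_usdc(x: Decimal) -> float:
    """Round to one decimal USDC (assumed; matches the post's examples)."""
    return float(x.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def cap_share(severity: str, pool: Decimal = PRIZE_POOL) -> float:
    """Cap as a percentage of the prize pool (the post's 1.43% for Low)."""
    pct = SEVERITIES[severity]["cap"] / pool * 100
    return float(pct.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP))


def payouts(counts: dict, pool: Decimal = PRIZE_POOL):
    """counts maps severity -> number of findings at that level.

    Returns (point_value, {severity: (per_finding, total)}) in USDC.
    Point value = pool / total points; each finding is then capped at the
    per-submission maximum for its severity. Totals are computed from the
    uncapped-but-unrounded per-finding value, as in the post's Example #1.
    """
    total_points = sum(SEVERITIES[s]["points"] * n for s, n in counts.items())
    if total_points == 0:
        return 0.0, {}
    point_value = pool / total_points
    result = {}
    for sev, n in counts.items():
        if n == 0:
            continue
        uncapped = point_value * SEVERITIES[sev]["points"]
        per_finding = min(uncapped, SEVERITIES[sev]["cap"])  # apply the cap
        result[sev] = (round_usdc(per_finding), round_usdc(per_finding * n))
    return round_usdc(point_value), result
```

With many findings (Example #1) no cap binds and the whole pool is paid out; with few findings (Example #2) the caps bind and part of the pool stays undistributed.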

Severities

High Severity

Issues that will qualify for this bracket will be assigned 16 points.

High-severity vulnerability description:

For a submission to be considered a HIGH-risk vulnerability, the issue must result in one of the following:

  • Direct theft of any user funds, whether at rest or in motion
  • Long-term freezing of user funds
  • Theft or long-term freezing of unclaimed yield or other assets
  • Protocol insolvency
  • Unauthorized manipulation of contract parameters, including timelock and pausability
  • Unauthorized minting or burning of vault shares
  • A way to avoid expected fees (both static and dynamic fees)
    • Examples of static fees: atom creation protocol fee, triple creation protocol fee, atom wallet initial deposit amount, etc.
    • Examples of dynamic fees: protocol fee, entry fee, exit fee, atom deposit fraction, etc.

Medium Severity

Issues that will qualify for this bracket will be assigned 8 points.

Medium severity vulnerability description:

Issues that lead to an economic loss but do not lead to direct loss of on-chain assets. Examples are:

  • Gas griefing attacks (make users overpay for gas)
  • Attacks that make essential functionality of the contracts temporarily unusable or inaccessible
  • Short-term freezing of user funds
  • Unbounded gas consumption

Low severity

Issues that qualify for this bracket will be assigned 1 point.

Low severity vulnerability description:

  • Issues where the behavior of the contracts differs from the intended behavior (as described in the docs and by common sense), but no funds are at risk.

Limitations

Reporters will not receive a bounty for any known issue, such as:

  • Issues mentioned in any previous audit reports
  • Vulnerabilities that were already made public (either by HATs or by a third party)
  • “Centralization risks” that are known and/or explicitly coded into the protocol (e.g. an administrator can upgrade crucial contracts and steal all funds)
  • Attacks that require access to leaked private keys or trusted addresses
  • Issues/contracts mentioned in the out-of-scope section

Submission Guidelines — High/Medium/Low severities:

General Information:

  • The Hats team will create a new repository called “Intuition audit competition” under the Hats.finance organization on GitHub. The repository will be kept private until the competition starts. The Hats bot will fork it on the first submission. To participate, security researchers must submit their findings on-chain; an automatic GitHub issue will then be generated in the forked repository.
  • How it Works: Video Explanation

SUBMISSION GUIDELINES:

  • Submissions should be made using our dApp.
  • You can submit one on-chain submission mentioning all issues found in the repo.
  • All new submissions will be created as issues in the Hats forked repo on GitHub: Hats GitHub

Report Format:

Please send a plain ASCII description in the following format:

  • [TITLE]: A short description of the issue.
  • SEVERITY: Either High, Medium, or Low (as per the rules).
  • The submission should contain at least one test demonstrating the problem and, if possible, a proposed fix.

Report Template:

  • Description: Describe the context and the effect of the vulnerability.
  • Attack scenario: Describe how the vulnerability can be exploited.
  • Recommendation: Describe a patch or potential fix for the vulnerability.

Attachment:

  • Proof of Concept (PoC) File: Provide a file containing a Proof of Concept (PoC) that demonstrates the vulnerability. High-severity findings must include a PoC of the exploit as well.
  • Revised Code File (Optional): If possible, provide a second file containing the revised code that offers a potential fix for the vulnerability. This file should include:
    • A comment with a clear explanation of the proposed fix.
    • The revised code with the suggested changes.
    • Any additional comments or explanations clarifying how the fix addresses the vulnerability.

***Due to the nature of the audit competition mechanism, the report will not be encrypted.***

Evaluation:

  • The first participant to submit an issue following guidelines gets a bounty for that issue (issues already received or out of scope will not receive a reward).
  • The competition starts on June 21 at 15:00 GMT and ends on July 5th at 15:00 GMT.
  • Issues that we are aware of (as witnessed by any open issues in the repository) will not be eligible for the bug bounty.

Compensation and Impact

A prize pool of $28K USDC and NFT rewards from our hacker collection will be distributed among security researchers who submit eligible vulnerability disclosures.

Compensation payment timeline:

  • Ten days after the competition ends, we will announce a winner list.
  • Alongside the winner announcement post, submitters can send disputes to the committee team and request clarification. They can also involve the Hats security team in the process. The goal is to facilitate honest and professional debate regarding disputed submissions.
  • Between 7–14 days after the announcement, we will publish a split contract where the winners can claim their rewards.
  • HATS Service Fee: A 20% deduction from the payout will always be allocated as the service fee.

Security researchers play a crucial role in fostering trust and confidence in Web3 technologies, paving the way for mass adoption. By participating in this competition, security researchers can gain recognition for their work, raise their profile, and make valuable connections in the Web3 security ecosystem. Ultimately, they can contribute to creating a more secure and equitable community.

Join the Intuition Audit Competition today and participate in the movement to secure the future of Web3 and decentralized finance. Check the Hats Finance dApp for more information and in-scope contracts.

Stay tuned and check the Hats dApp: https://app.hats.finance/audit-competitions
