Inverter Network — Win up to 24K $UMA (~80K USD)

HatsFinance
7 min read · Jun 3, 2024


Inverter Network — rewards up to ~$79,200 worth in $UMA Tokens

From the 5th of June, 2024, at 15:00 GMT to the 19th of June, 2024, at 15:00 GMT, all white hat hackers are invited to join the hunt in the Inverter Network audit competition on Hats Finance.

All experience levels are welcome; whether you are a seasoned security veteran or an amateur, show us what you've got! Prizes are awarded on a first come, first served basis, according to the severity level of each vulnerability found.

At the time of writing, the price of UMA was $3.30. Please note that the value of the token may fluctuate with market conditions.

About the Competition

Starting the 5th of June, a new vault will open in the Hats dApp — “Inverter Network”. Participants can check the contracts in scope and start searching for bugs.

About Inverter Network
Inverter Network provides a modular infrastructure designed for programmable money flows. Its architecture ensures extendable and upgradable protocol capabilities, dynamic operability of business logic, and customizable token economies via admin panels, offering a comprehensive back-office solution. Thanks to a flexible and secure foundation built on a standardized modular framework, projects can immediately add and modify functionalities without additional development or auditing costs.

Short overview of the audit scope:

  • Sloc/Loc: The competition code language is Solidity and the SLOC estimate for this competition is ~6500 SLOC.
  • Chain: To reduce transaction costs, we are shifting our audit vaults to Layer 2 networks. Specifically, this competition is hosted on Optimism for more efficient fee management.

Stay up-to-date with the competition, chat with the team, and get your questions answered by joining the dedicated Discord channel on the Hats server.
All audit reports will be published in our Discord on the day of the competition. Don’t miss the latest updates and insights — join now and be the first to know!

In the Inverter Network competition, two lead auditors will compete alongside the public audit competition. These lead auditors bear the responsibility of thoroughly reviewing all submitted code. They possess specialised labelling access, allowing them to support the sponsor by labelling other submissions with categories such as Low, Medium, High, Invalid, or Duplicated. However, they are prohibited from labelling their own submissions and do not possess any other competitive advantage beyond this role.

Audit competition rewards

  • Deposited Amount: The deposited amount is ~30,000 in UMA, making the available prize pool ~24,000 in UMA.
  • Service Fee: All rewards mentioned in this article and on the Hats dApp UI have already deducted a 20% Hats service fee.
  • Severities: Low, Medium, High, Gas saving

Rewards and calculation
For our audit competition, the entire prize pool is up for grabs across all severity levels. Each severity level has a designated point value and a maximum payout cap.

Maximum Reward Caps per Submission:

  • Low Severity: $800 (equals 1 point)
  • Medium Severity: $9600 (equals 12 points)
  • High Severity: $19200 (equals 24 points)
  • Gas Saving: $2400 for 1st place (3 points), $1200 for 2nd place (1.5 points)

For simplicity, points and caps are directly related: a cap of ~$800 worth of UMA tokens equals 1 point, which corresponds to an allocation of ~1% of the maximum reward per valid submission.

Points are consistently awarded within the same severity level unless the committee decides to adjust this. For instance, both the first and second low-severity findings will earn 1 point each. This standard applies to medium and high severities as well.

Calculating the Winner’s Reward:

The formula for a winner's reward is as follows:

Point Value = Prize Pool / Total Points

where Total Points is the number of points awarded over the entire competition.

Examples for Clarity:

The examples below are based on UMA tokens and are intended to make the calculation easier to follow.

Example #1:

  • 163 Low Severity: 163 points
  • 1 Medium Severity: 12 points
  • 1 High Severity: 24 points

Total points: 199

In this scenario:

  • Value of 1 Point = $79200 / 199 total points = ~$397.98

The rewards for this example will be as follows:

  • Low (163 points): ~$397.98 each
  • Medium (12 points): ~$4775.87 in total
  • High (24 points): ~$9551.75 in total

Example #2

  • 10 Low Severity: 10 points
  • 1 Medium: 12 points

Total points: 22

In this scenario:

  • Value of 1 Point = $79200 / 22 total points = ~$3600

This exceeds the maximum reward per low-severity submission, so the value of a point is adjusted down to the cap. The rewards for this example will be as follows:

  • Low (10 points): ~$3600 each -> capped at ~$800 each
  • Medium (12 points): ~$43200 -> capped at ~$9600
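As an added illustration (not part of the original post and not Hats Finance tooling), the Python below applies the point formula and the per-severity caps stated in this post to a list of valid findings; run on the two examples above, it reproduces their figures, including the cap adjustment in Example #2.

```python
"""Reward allocation for the audit competition described above (added example).

Rule from the post: Point Value = Prize Pool / Total Points, and no single
submission may be paid more than the cap for its severity.
"""
from collections import Counter

PRIZE_POOL_USD = 79_200.0  # ~24,000 UMA at ~$3.30, the value stated in the post

# Points per valid finding and the maximum payout cap per submission (from the post).
POINTS = {"low": 1.0, "medium": 12.0, "high": 24.0, "gas_1st": 3.0, "gas_2nd": 1.5}
CAPS = {"low": 800.0, "medium": 9_600.0, "high": 19_200.0, "gas_1st": 2_400.0, "gas_2nd": 1_200.0}


def point_value(findings, prize_pool=PRIZE_POOL_USD):
    """Uncapped value of one point: the prize pool divided by all points awarded."""
    total_points = sum(POINTS[sev] for sev in findings)
    if total_points == 0:
        return 0.0
    return prize_pool / total_points


def allocate(findings, prize_pool=PRIZE_POOL_USD):
    """Return {severity: (count, payout_per_finding, total_for_severity)}.

    Each finding is worth points * point_value, but never more than the cap for
    its severity, which is the adjustment the post shows in Example #2.
    """
    value = point_value(findings, prize_pool)
    result = {}
    for sev, n in Counter(findings).items():
        per_finding = min(POINTS[sev] * value, CAPS[sev])
        result[sev] = (n, round(per_finding, 2), round(n * per_finding, 2))
    return result


def total_paid(findings, prize_pool=PRIZE_POOL_USD):
    """Sum actually paid out; it is below the pool whenever a cap was hit."""
    return round(sum(total for _, _, total in allocate(findings, prize_pool).values()), 2)


if __name__ == "__main__":
    example_1 = ["low"] * 163 + ["medium", "high"]  # Example #1 from the post
    example_2 = ["low"] * 10 + ["medium"]           # Example #2 from the post
    for name, findings in (("Example #1", example_1), ("Example #2", example_2)):
        print(name, allocate(findings), "paid:", total_paid(findings))
```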

Severities

High Severity

Issues that will qualify for this bracket will be assigned 24 points.

High-severity vulnerability description:

For a submission to be considered a HIGH-risk vulnerability, the issue must involve one of the following:

  • Direct theft of any user funds, whether at rest or in motion
  • Long-term freezing of user funds
  • Theft or long-term freezing of unclaimed yield or other assets
  • Protocol insolvency

Medium Severity

Issues that will qualify for this bracket will be assigned 12 points.

Medium severity vulnerability description:

Issues that lead to an economic loss but do not lead to direct loss of on-chain assets. Examples are:

  • Gas griefing attacks (make users overpay for gas)
  • Attacks that make essential functionality of the contracts temporarily unusable or inaccessible
  • Short-term freezing of user funds

Low severity

Issues that qualify for this bracket will be assigned 1 point.

Low severity vulnerability description:

Issues where the behaviour of the contracts differs from the intended behaviour (as described in the docs and by common sense), but no funds are at risk.

Gas Saving:

The 1st place in the gas optimization category will get 3 points. The 2nd place in the gas optimization category will get 1.5 points.

This competition will reward participants with ideas to maximise gas savings.

Gas Saving Guidelines:

  • Submissions should be in the form of a link to a private copy of the repository.
  • The semantics of the code should not change — i.e., apart from changes in gas usage, the code’s behaviour should not change. In particular, the test suite should not be changed, and all tests should run.

To create the private copy of the repo:

  • Create a new empty private repo on GitHub
  • Click Import
  • Paste the public repo link

Further rules for gas-saving submissions:

  • Optimizations should use Solidity (no inline assembly)
  • Before submitting, please add @marvinkruse and @FHieser as collaborators to the private repo copy.
  • Gas savings will be judged based on total gas savings. This is measured as the total average amount of gas used for each function (i.e., the sum of all numbers in the “avg” column), as reported by the hardhat-gas-reporter.
  • Submitters should add the total average gas cost to the description of their submission.
  • For the convenience of submitters and judges, the repository contains a script that runs the tests and outputs the average amount of gas used: npm run gas-avg

Limitations

Reporters will not receive a bounty for any known issue, such as:

  • Issues mentioned in any previous audit reports
  • Vulnerabilities that were already made public (either by HATs or by a third party)
  • “Centralization risks” that are known and/or explicitly coded into the protocol (e.g. an administrator can upgrade crucial contracts and steal all funds)
  • Attacks that require access to leaked private keys or trusted addresses
  • Issues/contracts mentioned in the out-of-scope section

Submission Guidelines — High/Medium/Low severities:

General Information:

  • The Hats team will create a new repository called “[Inverter Network] audit competition” under the Hats.finance organisation on GitHub. The repository will be kept private until the competition starts. Hats bot will fork it on the first submission. To participate, security researchers must submit their findings on-chain, and an automatic GitHub issue will be generated in the forked repository.
  • How it Works: Video Explanation

SUBMISSION GUIDELINES:

  • Submissions should be made using our Dapp (hats.finance)
  • You can submit one on-chain submission mentioning all issues found on the repo.
  • All new submissions will be created in the Hats forked repo: Hats GitHub

Report Format:

Please send a plain ASCII description in the following format:

  • [TITLE]: A short description of the issue.
  • SEVERITY: Either High, Medium, or Low (as per the rules).
  • The submission should contain at least one test demonstrating the problem and, if possible, a fix.

Report Template:

  • Description: Describe the context and the effect of the vulnerability.
  • Attack scenario: Describe how the vulnerability can be exploited.
  • Attachment:
    • Proof of Concept (PoC) File: Provide a file containing a proof of concept (PoC) that demonstrates the vulnerability.
    • Revised Code File (Optional): If possible, provide a second file containing the revised code that offers a potential fix for the vulnerability. This file should include:
      • A comment with a clear explanation of the proposed fix.
      • The revised code with the suggested changes.
      • Any additional comments or explanations clarifying how the fix addresses the vulnerability.
  • Recommendation: Describe a patch or potential fix for the vulnerability.

Due to the nature of the audit competition mechanism, the report will not be encrypted.

Evaluation:

  • The first participant to submit an issue following guidelines gets a bounty for that issue (issues already received or out of scope will not receive a reward).
  • The competition starts on June 5th at 15:00 GMT and ends on June 19th at 15:00 GMT.
  • Issues that we are aware of (as witnessed by any open issues in the repository) will not be eligible for the bug bounty.

Compensation and Impact

A prize pool of ~24000 UMA and NFT rewards from our hacker collection will be distributed among security researchers who submit eligible vulnerability disclosures.

Compensation payment timeline:

  • Approximately ten days after the competition ends, we will announce a winner list.
  • Alongside the winner announcement post, submitters can send disputes to the committee team and request clarification. They can also involve the Hats security team in the process. The goal is to facilitate honest and professional debate regarding disputed submissions.
  • Between 7–14 days after the announcement, we will publish a split contract where the winners can claim their rewards.
  • HATS Service Fee: A 20% deduction from the payout will always be allocated as the service fee.

Security researchers play a crucial role in fostering trust and confidence in Web3 technologies, paving the way for mass adoption. By participating in this competition, security researchers can gain recognition for their work, raise their profile, and make valuable connections in the Web3 security ecosystem. Ultimately, they can contribute to creating a more secure and equitable community.

Join Inverter Network Audit Competition today and participate in the movement to secure the future of Web3 and decentralised finance. Check the Hats Finance dApp for more information and in-scope contracts.

Stay tuned and check the Hats dApp: https://app.hats.finance/audit-competitions


Written by HatsFinance

Hats.Finance a decentralized smart bug bounty marketplace. Permissionless, scalable, and open bug bounty protocol that allows anyone to provide liquidity.
