Kleros audit competition: rewards up to $80,000 in $USDC

Sep 20, 2025


Starting September 23rd, 2025, at 15:00 GMT to October 3rd, 2025, at 15:00 GMT

We invite all white hat hackers to join the hunt in the Kleros audit competition.

All experience levels are welcome; whether you are a seasoned security veteran or an amateur, show us what you got! Prizes will be given based on the severity level of each vulnerability found.

About the Competition

Starting September 23rd, 2025, a new vault will open in the Hats dApp — “Cross-chain Realitio Proxy” audit competition. Participants can check the scope of the contracts and start searching for bugs.

Kleros Oracle is a product that combines Kleros’s dispute resolution system with Reality, Ethereum’s cryptoeconomic mechanism for verifying real-world events on-chain. This makes it possible to deliver a subjective oracle solution able to answer absolutely any question with a publicly verifiable answer. It falls under the category of optimistic oracle solutions, allowing dApps to very quickly arrive at answers or information unless there is a dispute. These contracts cover the “arbitrator” role under the Reality app.

Into the competition:

The competition code language is Solidity, and the SLOC estimation for this competition is ~3870 SLOC.

In this competition, the submission will be on the Arbitrum chain, meaning you will need ETH to submit reports.

**Important Notice**

This is not a complete audit cycle model. All auditors are required to provide a Proof of Concept (PoC) and a fix along with their report. Please make sure to read and follow the rules carefully.

Stay up-to-date with the competition, chat with the team, and get your questions answered by joining the dedicated Discord channel on the Hats server.
All audit reports will be published in our Discord on the day of the competition. Don’t miss the latest updates and insights — join now and be the first to know!

Audit competition rewards

  • Deposited Amount: The deposited amount is $100,000 USDC, making the available prize pool $80,000 in $USDC.
  • Hats gov fee: All rewards mentioned in this article and on the Hats dApp UI have already deducted a 20% Hats service fee.
  • Severities: Low, Medium, High and High Quality Report

Rewards and calculation
For our audit competition, the entire prize pool is up for grabs across all severity levels. Each severity level has a designated point value and a maximum payout cap.

Maximum Reward Caps per Submission:

  • Low Severity Max: $800 (equals 1 point)
  • Medium Severity Max: $16,000 (equals 20 points)
  • High Severity Max: $32,000 (equals 40 points)
  • High Quality Report Max: $800 (equals 1 point)

*For simplicity, there is a relation between the points and the cap. If the point cap is $800 USDC, it equals 1% of the maximum rewards allocation.

Points are consistently awarded within the same severity level unless the committee decides to adjust this. For instance, both the first and second low-severity findings will earn 1 point each. This standard applies to medium and high severities as well.

Calculating the Winner’s Reward:

The formula for a winner’s reward is as follows:

Point Value = Prize Pool / Total Points*

*Awarded for the entire competition

Examples for Clarity:

Example #1:

  • 100 Low Severity: 100 points
  • 3 Medium Severity: 60 points
  • 1 High Severity: 40 points

Total points: 200

In this scenario:

  • Value of 1 Point = $80,000/200 = $400
  • The rewards for this example will be as follows:
  • 100 Low (100 points): $400 per 1 Low.
  • 3 Medium (60 points): $8,000 per 1 Medium.
  • 1 High (40 points): ~$16,000 per 1 High.

Example #2:

  • 10 Low Severity: 10 points
  • 1 Medium: 20 points

Total points: 30

In this scenario:

  • Value of 1 Point = $80,000/30 Total points = ~$2,666
  • The results exceed the max reward per severity, so the value of a point is adjusted to the max cap.
  • The rewards for this example will be as follows:
  • 10 Low (10 points): $800 each low
  • 1 Medium (20 points): $16,000

Severities

High Severity

Issues that will qualify for this bracket will be assigned 40 points.

High-severity vulnerability description:

Issues that allow breaking the dispute flow of most disputes or taking control over the proxy:

  • Issues that permanently block the possibility of answering most reality questions, even in the presence of a good actor (bot/user).
  • Issues that permanently block creating most disputes or appealing for most of the reality questions, even in the presence of a good actor (bot/user).
  • Issues that allow stealing most users’ deposits while creating or executing a dispute ruling.
  • Issues that allow changing the arbitrator of most disputes.
  • Issues where attackers can alter the ruling of most disputes or alter most of the bridged data between the reality.eth proxies.

Medium Severity

Issues that will qualify for this bracket will be assigned 20 points.

Medium severity vulnerability description:

Issues that can arise in specific cases and allow breaking one or a small number of disputes or questions on the proxy:

  • Issues that permanently block the possibility of answering a specific reality question, even in the presence of a good actor (bot/user).
  • Issues that permanently block creating a dispute or appealing on a small number of disputes for the reality questions, even in the presence of a good actor (bot/user).
  • Issues that allow stealing a user deposit while creating or executing a dispute ruling.
  • Issues that allow changing the arbitrator on a dispute.

Low severity

Issues that will qualify for this bracket will be assigned 1 point.

Low severity vulnerability description:

  • Issues where the behavior of the contracts differs from the intended behaviour (as described in the comments and by common sense), but no funds are at risk and no questions/disputes are blocked.

High Quality Report

REPORT QUALITY BONUS: When a valid report is of high quality, 1 bonus point will be attributed. A report is considered of high quality if:

  • The underlying issue is well explained.
  • The impact is well explained.
  • The list of calls to reproduce the issue is given (tests or even just stating it in the report).
  • The severity classification is correct.

Eligibility to the quality bonus is arbitrarily determined by the sponsor and not subject to disputes.

Submission Guidelines — High/Medium/Low severities:

General Information:

  • The Hats team will create a new repository called “Cross chain Realitio Proxy audit competition” under the Hats.finance organization on GitHub. The repository will be kept private until the competition starts. Hats bot will fork it on the first submission. To participate, security researchers must submit their findings on-chain, and an automatic GitHub issue will be generated in the forked repository.

SUBMISSION GUIDELINES:

  • Submissions should be made using our Dapp.
  • You can submit one on-chain submission mentioning all issues found on the repo.
  • All new submissions will be created on the Hats forked repo on Hats GitHub.
  • Report Format:
      • Please send a plain ASCII description in the following format:
      • [TITLE]: A short description of the issue.
      • SEVERITY: Either High, Medium, or Low (as per the rules).
      • Submission should contain at least one test demonstrating the problem and, if possible, a possible fix
      • Please check the box “PoC is not applicable” if you can’t add PoC.
  • Report Template:
      • Description: Describe the context and the effect of the vulnerability.
      • Attack scenario: Describe how the vulnerability can be exploited.
      • Attachment:
          • Proof of Concept (PoC) File: Provide a file containing a proof of concept (PoC) demonstrating the vulnerability.
          • Revised Code File (Optional): Provide a second file containing the revised code that offers a potential fix for the vulnerability. This file should include:
              • Comment with a clear explanation of the proposed fix.
              • The revised code with suggested changes.
              • Add any additional comments or explanations clarifying how the fix addresses the vulnerability.
      • Recommendation: Describe a patch or potential fix for the vulnerability.

***Due to the nature of the audit competition mechanism, the report will not be encrypted.***

Evaluation:

  • The first participant to submit an issue following guidelines gets a bounty for that issue (issues already received or out of scope will not receive a reward).
  • The competition starts on September 23rd at 15:00 GMT and ends on October 3rd at 15:00 GMT.
  • Issues that we are aware of (as witnessed by any open issues in the repository) will not be eligible for the bug bounty.

Compensation and Impact

A prize pool of $80,000 USDC will be distributed among security researchers who submit eligible vulnerability disclosures.

Compensation payment timeline:

  • Ten days after the competition ends, we will announce a winner's list.
  • Alongside the winner announcement post, submitters can send a dispute to the committee team within three days and request clarification. They can also involve the Hats security team in the process. The goal is to facilitate honest and professional debate regarding disputed submissions.
  • Between 7–14 days after the announcement, we will publish a split contract where the winners can claim rewards.
  • HATS Service Fee: A 20% deduction from the payout will always be allocated as the service fee.

Security researchers play a crucial role in fostering trust and confidence in Web3 technologies, paving the way for mass adoption. By participating in this competition, security researchers can gain recognition for their work, raise their profile, and make valuable connections in the Web3 security ecosystem. Ultimately, they can contribute to creating a more secure and equitable community.

Join the Kleros — Cross Chain Realitio Proxies Audit Competition today and participate in the movement to secure the future of Web3 and decentralized finance. Check the Hats Finance dApp for more information and in-scope contracts.

Stay tuned and check Hats dApp: https://app.hats.finance/audit-competitions

Written by HatsFinance

Hats.Finance is a decentralized smart bug bounty marketplace: a permissionless, scalable, and open bug bounty protocol that allows anyone to provide liquidity.