Lodestar Finance Audit Competition

Compete for Prizes and NFT Rewards While Hunting for Vulnerabilities in Lodestar Finance Contracts

HatsFinance
5 min read · Mar 9, 2023

Get ready for a new audit competition coming to Hats Finance!

Starting March 8, 2023, 18:00:00 GMT to March 22, 2023, 18:00:00 GMT.

In this competition, participants from all over the world will be searching for vulnerabilities in the Lodestar Finance contract directory, with prizes awarded based on the severity of each vulnerability found. The competition is open to everyone, from seasoned veterans to newcomers, providing a perfect opportunity to showcase your passion and skills in the web3 security ecosystem.

About the Competition

Starting March 8, a new vault will be open in the Hats dApp — “Lodestar Finance Audit competition”, and participants will search for bugs in the Lodestar Finance contracts.

Lodestar Finance is a critical DeFi primitive for decentralized money markets that runs on Arbitrum. While they have already completed an audit of their contracts before deployment, they recognize the importance of continued diligence, and they have joined Hats Finance for further smart contract examination.

Stay up to date on the Lodestar Finance Audit Competition by joining the dedicated Discord channel on the Hats server, where all audit reports will be published on the day of the competition. Don’t miss out on the latest updates and insights — join now and be the first to know!

Audit competition rewards:

High Severity:

The total prize pool of High severity will be ~$21K USDC, 60% of the vault.

For a submission to be considered a HIGH-risk vulnerability, it must describe an issue that puts users’ funds at risk (e.g., an attacker can steal funds from a vault, or users are unable to withdraw their tokens). Each new issue gets 1 point. The total High severity reward will be divided between all accepted issues.

Medium Severity:

The total prize pool of Medium severity will be ~$10.5K USDC, 30% of the vault content.

For a submission to be considered a MEDIUM-risk vulnerability, it must describe an issue where the behavior of the contracts differs from the intended behavior (as described in the docs and by common sense). Each new issue gets 1 point. The total Medium severity reward will be divided between all accepted issues.

Gas Saving:

The total prize pool of Gas Saving severity will be ~$3.5K USDC.

The gas-saving prize pool will be shared between the first place, who will get ⅔ of the prize pool, and the second place, who will get ⅓ of the gas-saving pool.

Evaluation of Audit Competition

Each eligible bug submission receives 1 point in its severity category, and each prize pool is divided by the number of eligible submissions in that category. For example, if there is 1 high-severity issue and 3 medium-severity issues, then each submitter of a medium-severity vulnerability will be awarded $3.5K and the submitter of the high-severity vulnerability gets $21K.

You can make a single on-chain submission that lists all the issues you found in the repo, but please open a separate GitHub issue in the repo for each of them.

Evaluation:

  • The first participant to submit an issue following the guidelines gets the bounty for that issue (issues already received or out of scope will not receive a reward).
  • Participants submit one issue at a time in the repo.
  • The competition starts on March 8 at 18:00 GMT and ends on March 22 at 18:00 GMT.
  • Issues that we are aware of (as witnessed by any open issues in the repository) will not be eligible for the bug bounty.

Submission Guidelines — High/Medium severities:

- Submissions should be made using our Dapp in the “Lodestar Finance audit competition” vault.

- Please send a plain ASCII file following the below format:

TITLE (short description of the issue)

SEVERITY (either high or medium, see the rules)

A LINK TO THE GITHUB ISSUE

- A concise GitHub issue describing the problem should be created in the respective project repository using the “SubmissionAuditCompetition” label.

- The submission should contain a PR (linked to the issue) with at least one test demonstrating the problem and, if possible, a proposed fix.

- The title should match the title of the on-chain submission in the Dapp.

How to submit bug reports in the Lodestar Finance GitHub:

• The issue should describe the problem concisely. Use the following format to describe the vulnerability:

### Title

Four or five short words describing the vulnerability.

### Affected smart contract

The file name of the affected smart contract.

A permalink to the root-cause code within the smart contract to which the vulnerability can be attributed.

### Description

Describe the context and the effect of the vulnerability.

### Attack scenario

Describe how the vulnerability can be exploited.

### Recommendation

Describe a patch or a potential fix for the vulnerability.

— — — — — — — — — — — — — —

• Create a PR that contains at least one test demonstrating the problem and, if possible, a potential fix and link it to the above issue.

Refer to this video for more information on the on-chain submission:

https://www.youtube.com/watch?v=c_jR1Iwp7nE

Gas savings

This competition will also reward participants with ideas for maximizing gas savings. The gas-saving prize pool will be shared between the first place, who will get 2/3, and the second place, who will get 1/3 of the gas-saving pool.

The time of submission is not a factor in determining the winner of this category. Submitters should state the total average gas cost of their submission.

The guidelines are as follows:

- Submissions should be forks of our repository, with the test suite unchanged.

- Optimizations should use Solidity only (no inline assembly).

- Entries will be measured on the total average amount of gas used for each function (i.e., the sum of all numbers in the “avg” column), as reported by the hardhat-gas-reporter when running the tests in the repository.
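As an added example (not code from Hats Finance or Lodestar Finance), the script below computes the metric the last guideline describes: it parses a constructed hardhat-gas-reporter-style table, sums the avg column, and compares a candidate run against the baseline run. The column layout and the contract and method names in the sample are assumptions.

```javascript
// Added example, not part of the original post or the Lodestar repository.
// The table below is CONSTRUCTED sample text in the shape of a
// hardhat-gas-reporter console table; real reporter output may differ.
const SAMPLE_REPORT = `
|  Contract      ·  Method    ·  Min    ·  Max     ·  Avg    ·  # calls  │
|  ExampleMarket ·  supply    ·  45000  ·  61000   ·  53000  ·  12       │
|  ExampleMarket ·  borrow    ·  80000  ·  120000  ·  95000  ·  30       │
|  ExampleMarket ·  repay     ·  -      ·  -       ·  70000  ·  4        │
`;

// Parse table rows into { contract, method, avg }. The header row is skipped,
// and rows whose Avg cell is not an integer (e.g. "-") are ignored rather
// than silently counted as 0, so a missing measurement cannot lower a score.
function parseGasReport(text) {
  const rows = [];
  for (const line of text.split('\n')) {
    if (!line.startsWith('|')) continue;
    const cells = line.replace(/[|│]/g, '').split('·').map((c) => c.trim());
    if (cells.length < 5 || cells[4].toLowerCase() === 'avg') continue;
    const avg = Number.parseInt(cells[4], 10);
    if (!Number.isInteger(avg)) continue;
    rows.push({ contract: cells[0], method: cells[1], avg });
  }
  return rows;
}

// The competition metric: the sum of every method's average gas.
function totalAvgGas(text) {
  return parseGasReport(text).reduce((sum, r) => sum + r.avg, 0);
}

// Compare a candidate fork's report against the unmodified repository's.
function gasDelta(baselineText, candidateText) {
  const baseline = totalAvgGas(baselineText);
  const candidate = totalAvgGas(candidateText);
  return { baseline, candidate, saved: baseline - candidate };
}

console.log(totalAvgGas(SAMPLE_REPORT)); // 218000 for the constructed table
```

Run the unmodified repository's test suite and your fork's with the reporter enabled, then feed both tables to gasDelta to see the saving your entry would be ranked on.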

Compensation and Impact

A prize pool of $35K USDC and NFT rewards from our hacker collection will be distributed among security researchers who submit eligible vulnerability disclosures.

Security researchers play a crucial role in fostering trust and confidence in web3 technologies, paving the way for mass adoption. By participating in this competition, security researchers can gain recognition for their work, raise their profile, and make valuable connections in the web3 security ecosystem. Ultimately, they can contribute to creating a more secure and equitable community.

Join the Lodestar Finance Audit Competition today and be a part of the movement to secure the future of web3 and decentralized finance. Check the Hats Finance dApp for more information and in-scope contracts.

The competition starts on March 8, 2023, at 12:00:00 GMT, and ends on March 22, 2023, at 17:00:00 GMT.

Check the Lodestar Finance Audit Competition at https://app.hats.finance/vaults


HatsFinance

Hats.Finance is a decentralized smart bug bounty marketplace: a permissionless, scalable, and open bug bounty protocol that allows anyone to provide liquidity.