New audit competition with HOPR! Up to 1 Million in $HOPR in prizes.

HatsFinance
7 min readOct 3, 2023

Starting October 5th, 2023, at 15:00 GMT to October 19th, 2023, at 16:00 GMT

Join our global hunt for HOPR! Spot the bug and win a juicy reward.

We welcome all experience levels; whether you are a seasoned security veteran or amateur, show us what you got! Prizes will be given based on the severity level of each vulnerability found.

About the Competition

Starting October 5th, a new vault will open in the Hats dApp — “HOPR Audit competition”. Participants can check the contracts in scope and start searching for bugs.

About $HOPR

$HOPR is the native token of HOPR.
At the time of this article posting, it trades at $0.04 with a daily volume of $279,294.
Source: Coingecko

About HOPR

HOPR is a free and open-source privacy infrastructure for web3. Their network is a decentralized incentivized mixnet, ensuring complete data and metadata privacy for everyone who uses it. Data is sent via multiple hops, so no one but the sender and receiver know the origin, destination, or content of a data transfer.

HOPR’s unique proof-of-relay mechanism means every node runner is incentivized to correctly relay data in exchange for HOPR tokens. Anyone can run a HOPR node to earn HOPR tokens and contribute to online data privacy.

SafeStaking by HOPR is a new permissioning module for Safe that allows for tight control of monetary flows and permission management. A unique multi-key setup gives users full control over automating funding flows and strategy between secure multi-signature Safes and their running nodes. The goal is to significantly reduce assets at risk while minimizing the need for manual oversight.

Stay up-to-date with the competition, chat with the team, and get your questions answered by joining the dedicated Discord channel on the Hats server. All audit reports will be published in our Discord on the day of the competition. Don’t miss the latest updates and insights — join now and be the first to know!

Audit competition rewards:

High Severity:

The total prize pool for High severities will be ~620K in $HOPR tokens.
The total High-severity reward will be divided between all accepted issues.
However, there is a max reward cap of ~310K in $HOPR token* for a single high submission; each new issue gets 1 point.

For a submission to be considered a HIGH-risk vulnerability, issues must:

  • Direct theft of any user funds, whether at rest or in motion
  • Long-term freezing of user funds
  • Theft or long-term freezing of unclaimed yield or other assets
  • Protocol insolvency

*The 10% service fee will be deducted from the reward

Medium Severity:

The total prize pool for Medium severities will be ~250K $HOPR tokens. Each new issue gets 1 point. The total Medium severity reward will be divided between all accepted issues.

Medium severity vulnerability description:

Issues that lead to an economic loss but do not lead to direct loss of on-chain assets. Examples include:

  • Gas griefing attacks (make users overpay for gas)
  • Attacks that make essential functionality of the contracts temporarily unusable or inaccessible.
  • Short-term freezing of user funds.

Please note the following addition to the Medium Severity that is unique to HOPR:

  • In addition, any issues which lead to censorship of one of more nodes, purely through smart contract interactions

Examples of censorship include:

  • Preventing a node from sending or relaying messages
  • Rendering a node inactive
  • Removing a node from the network

*The 10% service fee will be deducted from the reward

Low severity:

The total prize pool for Low severities will be ~100k in $HOPR tokens. Each new issue gets 1 point. The total Low severity reward will be divided between all accepted issues.

Low severity vulnerability description:

  • Issues where the behavior of the contracts differs from the intended behavior (as described in the docs and by common sense), but no funds are at risk.

*The 10% service fee will be deducted from the reward

Gas Saving:

The total prize pool of Gas Saving severity will be ~30k in $HOPR tokens.

This competition will reward participants with ideas to maximize gas savings. The first place gets ⅔ (66.6%) of the prize pool, and the second place gets ⅓ (33.3%).

Submissions get classified on the basis of the average gas savings as reported by the gas reporter. The submission with the lowest average gas usage will win.

The guidelines are as follows:

* Changes should be limited to solidity files only. Tests should only be changed if they fail because of the changes in gas usage (e.g. tests that hardcode gas usage values).

* Optimizations should use Solidity (no inline assembly).

* All tests in the repository should pass.

* The score of the submission is the total average amount of gas used for each function (i.e., the sum of all numbers in the “avg” column), as reported by the hardhat-gas-reporter when running the tests in the repository.

* Submitters are kindly asked to include this number in their report, and can adapt this script for doing so: https://github.com/hats-finance/hats-contracts/blob/develop/gas-avg-check.py

* Submissions should at least have a 5% improvement with respect to the original score.

-Due to the rules category, submissions will not be public and will only be shared with the committee.

Limitations

Reporters will not receive a bounty for:

Any known issue, such as

  • Issues mentioned in any previous audit reports
  • Vulnerabilities that were already made public (either by HATs or by a third party)
  • “Centralization risks” that are known and/or explicitly coded into the protocol (e.g. an administrator can upgrade crucial contracts and steal all funds)
  • Attacks that require access to certain combinations of leaked private keys or trusted addresses (see the scope section for full details)
  • Issues/contracts mentioned in the out-of-scope section

Submission Guidelines — High/Medium/Low severities:

General information about the submission flow:

The Hats team will create a new repository called “HOPR Audit Competition” under the Hats.finance organization on GitHub. The repository will be forked by Hats bot on the first submission. To participate, security researchers must submit their findings on-chain, and an automatic GitHub issue will be generated in the forked repository.

How it works:

https://www.loom.com/share/d4d8076ebf414c44b1542cc73def06fa?start-embed-anon-signup=true

SUBMISSION GUIDELINES:

- Submissions should be made using our Dapp.

- You can submit one on-chain submission mentioning all issues found on the repo.

- All new submissions will be created on HOPR forked repo on Hats: https://github.com/hats-finance

Please send a plain ASCII description in the following format:

- [TITLE]: a short description of the issue.

- SEVERITY (either High, Medium or Low; see the rules)

- Submission should contain at least one test demonstrating the problem and, if possible, a possible fix.

Report template:

- Description: Describe the context and the effect of the vulnerability.

- Attack scenario: Describe how the vulnerability can be exploited.

- Attachment:

1) Proof of Concept (PoC) File: You must provide a file containing a proof of concept (PoC) that demonstrates the vulnerability you have discovered.

2) Revised Code File (Optional): If possible, please provide a second file containing the revised code that offers a potential fix for the vulnerability. This file should include the following information:

* Comment with a clear explanation of the proposed fix.

* The revised code with your suggested changes.

* Any additional comments or explanations that clarify how the fix addresses the vulnerability.

- Recommendation: Describe a patch or a potential fix for the vulnerability.

*Due to the nature of the audit competition mechanism, the report will not be encrypted, only gas-saving submissions are encrypted.

Evaluation of the submissions — Low/Medium/ High Severity

Each eligible bug submission receives 1 point in its severity category. Based on the number of eligible submissions, prize pools are divided.

Evaluation:

  • The first participant to submit an issue following guidelines gets a bounty for that issue (issues already received or out of scope will not receive a reward)
  • The competition starts on September 4th at 15:00 GMT and ends on September 18th at 15:00 GMT.
  • Issues that we are aware of (as witnessed by any open issues in the repository) will not be eligible for the bug bounty.

Compensation and Impact

A prize pool of 1 million in $HOPR and NFT rewards from our hacker collection will be distributed among security researchers who submit eligible vulnerability disclosures.

Compensation payment timeline:

  • Ten days after the competition ends, we will announce a winner list.
  • Alongside the winner announcement post, submitters can send disputes to the committee team and request clarification. They can also involve the Hats security team in the process. The goal is to facilitate honest and professional debate regarding disputed submissions.
  • Between 7–14 days after the announcement, we will publish a split contract where the winners can claim their rewards.
  • HATS Service Fee: A 10% deduction from the payout will always be allocated as the service fee.

Security researchers play a crucial role in fostering trust and confidence in Web3 technologies, paving the way for mass adoption. By participating in this competition, security researchers can gain recognition for their work, raise their profile, and make valuable connections in the Web3 security ecosystem. Ultimately, they can contribute to creating a more secure and equitable community.

Join the HOPR Audit Competition today and be a part of the movement to secure the future of Web3 and decentralized finance. Check the Hats Finance dApp for more information and in-scope contracts.

Stay tuned and check Hats dApp:https://app.hats.finance/audit-competitions

--

--

HatsFinance

Hats.Finance a decentralized smart bug bounty marketplace. Permissionless, scalable, and open bug bounty protocol that allows anyone to provide liquidity.