Safe Deployment: Second Audit Competition for Vmex Finance

HatsFinance
5 min read · Jul 20, 2023

When it comes to security, you can never be too sure. This is why the VMEX team has set a new standard of multiple pre-launch audits, aiming to show us all how to deploy code safely.

Over the past few months, the VMEX team has been working tirelessly around the clock in preparation for their highly anticipated launch, an event you definitely don't want to miss. After undergoing a rigorous audit by the Yaduit audit firm, the VMEX team launched a successful audit competition on Hats to find hidden vulnerabilities. The competition was highly successful, with security researchers discovering two high-risk vulnerabilities and many low-severity issues. With those vulnerabilities addressed and the platform fortified, the team is confident in their launch. The VMEX team stands out in their security approach by initiating a second audit competition to further verify the safety of their modified contracts.

The second audit competition for the VMEX contracts will begin on July 24th, 2023 at 15:00 GMT and will last for seven days, ending on July 30th, 2023 at 15:00 GMT. The competition will focus on high- and low-severity vulnerabilities, with rewards of up to $46,500 and a $15,000 cap per issue. The competition welcomes all security researchers to participate and contribute to VMEX's ongoing commitment to maintaining a high level of security.

Guidelines and rules:

HIGH SEVERITY:

The total prize pool for high severities will be approximately $45,000 USDC. The rewards for high-severity issues will be divided between all accepted submissions, with a maximum reward cap of $15,000 for a single high-severity submission. Each new issue identified will receive 1 point.

For a submission to be considered a HIGH-risk vulnerability, the issue must lead to the loss of user funds, for example:

  • Direct theft of any user funds, whether at rest or in motion
  • Long-term freezing of user funds
  • Theft or long-term freezing of unclaimed yield or other assets
  • Protocol insolvency

LOW SEVERITY:

The total prize pool for low severities will be approximately $1,500 USDC. The rewards for low-severity issues will be divided between all accepted submissions. Each new issue identified will receive 1 point.

Low-risk vulnerabilities are issues where the behavior of the contracts differs from the intended behavior (as described in the docs and by common sense), but no funds are at risk.

Limitations

Reports will not receive a bounty for any known issue, such as:

  • Issues mentioned in any previous audit reports
  • Vulnerabilities that were already made public (either by HATs or by a third party)
  • "Centralization risks" that are known and/or explicitly coded into the protocol (e.g. an administrator can upgrade crucial contracts and steal all funds)
  • Attacks that require access to leaked private keys or trusted addresses

Submission Guidelines:

General information about the submission flow:

The Hats team will create a new repository called "Vmex Audit Competition" under the Hats.finance organization on GitHub. The repository will be kept private until the competition starts. The Hats bot will fork it on the first submission. To participate, security researchers must submit their findings on-chain; an automatic GitHub issue will then be generated in the forked repository.

How it works: https://www.loom.com/share/d4d8076ebf414c44b1542cc73def06fa?sid=9a56b75d-223e-4e2b-98d9-6f86344afa59

SUBMISSION GUIDELINES:

- Submissions should be made using our Dapp.
- You can submit one on-chain submission mentioning all issues found in the repo.
- All new submissions will be created in the Vmex forked repo on Hats: https://github.com/hats-finance

Please send a plain ASCII description in the following format:
- [TITLE]: a short description of the issue.
- SEVERITY (either High, Medium or Low; see the rules).
- The submission should contain at least one test demonstrating the problem and, if possible, a proposed fix.

Report template:
- Description: Describe the context and the effect of the vulnerability.
- Attack scenario: Describe how the vulnerability can be exploited.
- Attachment:
1) Proof of Concept (PoC) File: You must provide a file containing a proof of concept (PoC) that demonstrates the vulnerability you have discovered.

2) Revised Code File (Optional): If possible, please provide a second file containing the revised code that offers a potential fix for the vulnerability. This file should include:
* Comment with a clear explanation of the proposed fix.
* The revised code with your suggested changes.
* Any additional comments or explanations that clarify how the fix addresses the vulnerability.

- Recommendation: Describe a patch or a potential fix for the vulnerability.

Note: due to the nature of the audit competition mechanism, reports will not be encrypted.

Evaluation of Audit Competition

Each eligible bug submission receives 1 point in its severity category. Prize pools are divided based on the number of eligible submissions.

Important note: a maximum reward cap of $15,000 applies to a single High-severity submission.

Evaluation:

  • The first participant to submit an issue following the guidelines gets the bounty for that issue (issues already received or out of scope will not receive a reward).
  • The competition starts on July 24 at 15:00 GMT and ends on July 30 at 15:00 GMT.
  • Issues that we are aware of (as witnessed by any open issues in the repository) will not be eligible for the bug bounty.

Compensation and Impact

A prize pool of $45K USDC and NFT rewards from our hacker collection will be distributed among security researchers who submit eligible vulnerability disclosures.

Compensation payment timeline:

  • Ten days after the competition ends, we will announce a winner list.
  • Alongside the winner announcement post, submitters can send disputes to the committee team and request clarification. They can also involve the Hats security team in the process. The goal is to facilitate honest and professional debate regarding disputed submissions.
  • Between 7–14 days after the announcement, we will publish a split contract where the winners can claim their rewards.
  • HATS Service Fee: A 10% deduction from the payout will always be allocated as the service fee.

In the ever-evolving world of web3 technologies, security researchers play a vital role in ensuring the trust and confidence of users. Their efforts to identify and address vulnerabilities are crucial in paving the way for mass adoption and the success of decentralized finance. Recognizing the importance of their contributions, VMEX and Hats invite security researchers to participate in this audit competition.

Stay tuned and check Hats dapp: https://app.hats.finance/vaults


HatsFinance

Hats.Finance is a decentralized smart bug bounty marketplace: a permissionless, scalable, and open bug bounty protocol that allows anyone to provide liquidity.