Seer-PM Audit Rewards Up to $100K in USDC

HatsFinance
7 min readSep 24, 2024

--

September 25th, 2024, at 15:00 GMT to October 3rd, 2024, at 15:00 GMT.

All white hat hackers at all experience levels are invited to join the audit competition. Whether you are a seasoned security veteran or an amateur, demonstrate your skills to earn USDC! Prizes will be given based on the severity level of each vulnerability found.

About the Competition

Starting September 25th, a new vault will open in the Hats dApp — the “SeeR-PM” audit competition. Participants can check the contracts in scope and start searching for bugs.

About Seer-PM

Seer-PM is the next level prediction market offering traders more options with permissionless market creation and Kleros Court for dispute arbitration. Traders can invest yield-bearing tokens for long-term investments or trade their outcome tokens on other markets. Seer-PM uses the Gnosis conditional token framework allowing for deeper price discovery through contingent markets dependent on other market outcomes.

The competition code language is Solidity and the SLOC estimation for this competition is ~1310 SLOC. This competition is hosted on Ethereum mainnet, tx fees will be under this chain.

Stay up-to-date with the competition, chat with the team, and get your questions answered by joining the dedicated Discord channel on the Hats server. All audit reports will be published in our Discord on the day of the competition. Don’t miss the latest updates and insights — join now and be the first to know!

Audit competition rewards

  • Deposited Amount: The deposited amount is ~$125K in USDC, making the available prize pool ~$100K in USDC.
  • Service Fee: All rewards mentioned in this article and on the Hats dApp UI have already deducted a 20% Hats service fee.
  • Severities: Low, Medium, High.

For our audit competition, the entire prize pool is up for grabs across all severity levels. Each severity level has a designated point value and a maximum payout cap per submission:

  • Low Severity: 500 USDC (equals 1 point)
  • Medium Severity: 10,000 USDC (equals 20 points)
  • High Severity: 30,000 USDC (equals 60 points)

*For simplicity, there is a relation between the points and the cap. If the cap for 1 point is 500 USDC it equals to the allocation of 0.5% from the max rewards pool.

Points are consistently awarded within the same severity level unless the committee decides to adjust this. For instance, both the first and second low-severity findings will earn 1 point each. This standard applies to medium and high severities as well.

Calculating the Winner’s Reward:

The formula for a winner’s reward is as follows:

Point Value = Prize Pool / Total Points*

  • Awarded for the entire competition

Examples for Clarity:

Example #1:

  • 100 Low Severity: 100 points
  • 4 Medium Severity: 80 points
  • 2 High Severity: 120 points

Total points: 260

In this scenario:

  • Value of 1 Point =100,000 USDC/300 Total points = ~$333.33 USDC
    The rewards for this example will be as follows:
  • Low (100 points): ~$333.33 each
  • Medium (80 points): ~$6,666.66 per each valid Medium.
  • High (120 points): ~$19,999.98 per each valid High.

Example #2

  • 10 Low Severity: 10 points
  • 1 Medium: 20 points

Total points: 22

In this scenario:

  • Value of 1 Point = 100,000 USDC/22 Total points = ~$4,545.45 USDC
    The results exceed the max reward per low severity, so the value of a point is adjusted.
  • The rewards for this example will be as follows:
  • Low (10 points): ~$4,545.45 each -> $500
  • Medium (20 points): ~$90,909.09-> $10,000

Severities

High Severity

Issues that will qualify for this bracket will be assigned 60 points.

High-severity vulnerability description:

For a submission to be considered a HIGH-risk vulnerability, issues must:

  • Direct theft of a significant amount of user funds, whether at rest or in motion (ex: redeeming tokens who belong to another user, making the wrong outcome redeem, inverting the amount of tokens redeemed for LOW and HIGH tokens in a scalar market).
  • Long-term freezing of user funds (ex: preventing a market to resolve for 100 years).
  • Significant protocol insolvency (ex: letting users redeem more assets than they should such that the last users are unable to redeem).

Medium Severity

Issues that will qualify for this bracket will be assigned 20 points.

Medium severity vulnerability description:

Issues that lead to an economic loss but do not lead to significant loss of on-chain assets. Examples are:

  • Attacks that make essential functionality of the contracts unusable or inaccessible (ex: make the router inoperable requiring a new router deployment or users to call functions individually to redeem, repeatedly prevent the creation of a market) without putting funds at risk.
  • Small, but non negligible issues in redemption calculation (ex: instead of redeeming LOW for 0.10 and HIGH for 0.90, redeem LOW for 0.11 and HIGH for 0.89).
  • Short-term freezing of user funds (ex: adding a month before users can redeem).

Low severity

Issues that will be qualified for this bracket will be assigned with 1 point.

Low severity vulnerability description:

  • Issues where the behavior of the contracts differs from the intended behavior (as described in the docs and by common sense), but no funds are at risk.

High report quality bonus

When a valid report is of high quality, 1 bonus point will be attributed.

A report is considered of high quality if:

  • The underlying issue is well explained.
  • The impact is well explained.
  • The list of calls to reproduce the issue is given (tests or even just stating it in the report).
  • The severity classification is correct.

Eligibility to the quality bonus is arbitrarily determined by the sponsor and not subject to disputes.

Limitations

Reporters will not receive a bounty for any known issue, such as:

  • Issues mentioned in any previous audit reports
  • Vulnerabilities that were already made public (either by HATs or by a third party)
  • “Centralization risks” that are known and/or explicitly coded into the protocol (e.g. an administrator can upgrade crucial contracts and steal all funds)
  • Attacks that require access to leaked private keys or trusted addresses
  • Issues/contracts mentioned in the out-of-scope section

Submission Guidelines — High/Medium/Low severities:

General Information:

  • The Hats team will create a new repository called “Seer -PM audit competition” under the Hats.finance organization on GitHub. The repository will be kept private until the competition starts. Hats bot will fork it on the first submission. To participate, security researchers must submit their findings on-chain, and an automatic GitHub issue will be generated in the forked repository.
  • How it Works: Video Explanation

SUBMISSION GUIDELINES:

  • Submissions should be made using our Dapp.
  • You can submit one on-chain submission mentioning all issues found on the repo.
  • All new submissions will be created on Hats forked repo on Hats: Hats GitHub
  • Report Format:
  • Please send a plain ASCII description in the following format:
  • [TITLE]: A short description of the issue.
  • SEVERITY: Either High, Medium, or Low (as per the rules).
  • Submission should contain at least one test demonstrating the problem and, if possible, a possible fix.
  • Report Template:
  • Description: Describe the context and the effect of the vulnerability.
  • Attack scenario: Describe how the vulnerability can be exploited.
  • Attachment:
  • Proof of Concept (PoC) File: Provide a file containing a proof of concept (PoC) that demonstrates the vulnerability.
  • Revised Code File (Optional): If possible, provide a second file containing the revised code that offers a potential fix for the vulnerability. This file should include:
  • Comment with a clear explanation of the proposed fix.
  • The revised code with suggested changes.
  • Add any additional comments or explanations clarifying how the fix addresses the vulnerability.
  • Recommendation: Describe a patch or potential fix for the vulnerability.

***Due to the nature of the audit competition mechanism, the report will not be encrypted.

Evaluation:

  • The first participant to submit an issue following guidelines gets a bounty for that issue (issues already received or out of scope will not receive a reward).
  • The competition starts on September 25th at 15:00 GMT and ends on October 3rd at 15:00 GMT.
  • Issues that we are aware of (as witnessed by any open issues in the repository) will not be eligible for the bug bounty.

Compensation and Impact

A prize pool of ~$100K USDC will be distributed among security researchers who submit eligible vulnerability disclosures.

Compensation payment timeline:

  • Ten days after the competition ends, we will announce a winner list.
  • Alongside the winner announcement post, submitters can send disputes to the committee team and request clarification. They can also involve the Hats security team in the process. The goal is to facilitate honest and professional debate regarding disputed submissions.
  • Between 7–14 days after the announcement, we will publish a split contract where the winners can claim their rewards.
  • HATS Service Fee: A 20% deduction from the payout will always be allocated as the service fee.

Security researchers play a crucial role in fostering trust and confidence in Web3 technologies, paving the way for mass adoption. By participating in this competition, security researchers can gain recognition for their work, raise their profile, and make valuable connections in the Web3 security ecosystem. Ultimately, they can contribute to creating a more secure and equitable community.

Join Seer PM Audit Competition today and participate in the movement to secure the future of Web3 and decentralized finance. Check the Hats Finance dApp for more information and in-scope contracts.

Stay tuned and check Hats dApp:https://app.hats.finance/audit-competitions

--

--

HatsFinance
HatsFinance

Written by HatsFinance

Hats.Finance a decentralized smart bug bounty marketplace. Permissionless, scalable, and open bug bounty protocol that allows anyone to provide liquidity.