Thorn protocol audit competition- rewards up to ~389,600 in $ROSE token ( ~$30K USD)

HatsFinance
8 min readOct 1, 2024

--

Starting October 3rd, 2024, at 15:00 GMT to October 17th, 2024, at 15:00 GMT.

We invite all white hat hackers to join the hunt on Thorn protocol audit competition.

All experience levels are welcome; whether you are a seasoned security veteran or an amateur, show us what you've got! Prizes will be given based on the severity level of each vulnerability found.

About the Competition

Starting October 3rd, 2024, a new vault will open in the Hats dApp — Thorn protocol audit competition. Participants can check the scope of the contracts and start searching for bugs.

Thorn is the first confidential StableSwap powered by Oasis Sapphire. Currently in its testnet phase, Thorn enables efficient trading between a wide range of similarly priced assets, such as stablecoins as well as liquid staking tokens/native token pairings. With a distinct focus on cross-chain trading, Thorn leverages Sapphire’s privacy protocols to bring enhanced privacy and security to the wider EVM ecosystem.

Into the competition:

The competition code language is Solidity, with approximately 2350 nsloc.

This competition is part of the Oasis Network Audit Grant Initiative, a 1 million $ROSE pool hosted on the Sapphire chain, dedicated to secondary audits and bug bounties for projects within the Oasis ecosystem. This initiative ensures that no vulnerabilities remain before going to production, addressing any significant flaws missed in prior audits.

We’re shifting our tx submissions to Layer 2 networks to reduce transaction costs. In this competition, the submission will be on Sapphire chain, which means you will need a $ROSE tokens to submit reports.

In the Thorn protocol competition, a lead auditor will compete alongside the public audit competition. The lead auditor is responsible for thoroughly reviewing all submitted code and more. He will possess special labeling access, allowing him to support the sponsor by labeling other submissions with categories such as Low, Medium, High, Invalid, or Duplicated, all with the Lead auditor mark. However, they are prohibited from labeling their submissions and do not possess any other competitive advantages beyond this role. It’s important to mention that the final call on the labeling will always be with the sponsor.

Stay up-to-date with the competition, chat with the team, and get your questions answered by joining the dedicated Discord channel on the Hats server.
All audit reports will be published in our Discord on the day of the competition. Don’t miss the latest updates and insights — join now and be the first to know!

Winners of this competition will need to undergo a KYC process due to Oasis Network Foundation’s legal requirements. Please find the full KYC disclaimer below for further information.

Audit competition rewards

  • Deposited Amount: The deposited amount is ~487,000 in $ROSE, making the available prize pool ~389,600 in $ROSE (~30K USD)
  • Service Fee: All rewards mentioned in this article and on the Hats dApp UI have already deducted a 20% Hats service fee.
  • Severities: Low, Medium, High.

Rewards and calculation
For our audit competition, the entire prize pool is up for grabs across all severity levels. Each severity level has a designated point value and a maximum payout cap.
* The calculation below uses the $ROSE token price from CoinMarketCap.

Maximum Reward Caps per Submission:

  • Low Severity: $500/ ~6,516 $ROSE (equals 1 point)
  • Medium Severity: $6000/~78,196 $ROSE (equals 12 points)
  • High Severity: $12,000/~156,392 $ROSE (equals 24 points)

*For simplicity, there is a relation between the points and the cap. If the point cap is $500 worth of $ROSE tokens, it equals 1.66% of the maximum rewards allocation.

Points are consistently awarded within the same severity level unless the committee decides to adjust this. For instance, both the first and second low-severity findings will earn 1 point each. This standard applies to medium and high severities as well.

Calculating the Winner’s Reward:

The formula for a winner’s reward is as follows:

Point Value = Prize Pool / Total Points*

*Awarded for the entire competition

Examples for Clarity:

Example #1:

  • 200 Low Severity: 200 points
  • 1 Medium Severity: 12 points
  • 1 High Severity: 24 points

Total points: 228

In this scenario:

  • Value of 1 Point = $30,000/236 Total points = ~$127
    The rewards for this example will be as follows:
  • Low (200 points): ~$127 each
  • Medium (12 points): ~$1,524 in total.
  • High (24 points): $3,048 in total.

Example #2

  • 10 Low Severity: 10 points
  • 1 Medium: 12 points

Total points: 22

In this scenario:

  • Value of 1 Point = $30,000/22 Total points = ~$1,364
    The results exceed the max reward per low severity, so the value of a point is adjusted.
  • The rewards for this example will be as follows:
  • Low (10 points): ~$1,364 each -> $500
  • Medium (12 points): $ -> $32,736 -> $6000

Severities

High Severity

Issues that will qualify for this bracket will be assigned 24 points.

High-severity vulnerability description:

For a submission to be considered a HIGH-risk vulnerability, issues must:

  • Direct theft of any user funds, whether at rest or in motion
  • Long-term freezing of user funds
  • Theft or long-term freezing of unclaimed yield or other assets
  • Protocol insolvency

Medium Severity

Issues that will qualify for this bracket will be assigned 12 points.

Medium severity vulnerability description:

Issues that lead to an economic loss but do not lead to direct loss of on-chain assets. Examples are:

  • Gas griefing attacks (make users overpay for gas)
  • Attacks that make essential functionality of the contracts temporarily unusable or inaccessible
  • Short-term freezing of user funds

Low severity

Issues that will be qualified for this bracket will be assigned with 1 point.

Low severity vulnerability description:

  • Issues where the behavior of the contracts differs from the intended behavior (as described in the docs and by common sense), but no funds are at risk.

Submission Guidelines — High/Medium/Low severities:

General Information:

  • The Hats team will create a new repository called “Thorn protocol audit competition” under the Hats.finance organization on GitHub. The repository will be kept private until the competition starts. Hats bot will fork it on the first submission. To participate, security researchers must submit their findings on-chain, and an automatic GitHub issue will be generated in the forked repository.
  • How it Works: Video Explanation

SUBMISSION GUIDELINES:

  • Submissions should be made using our Dapp.
  • You can submit one on-chain submission mentioning all issues found on the repo.
  • All new submissions will be created on Hats forked repo on Hats: Hats GitHub

Report Format:

  • Please send a plain ASCII description in the following format:
  • [TITLE]: A short description of the issue.
  • SEVERITY: Either High, Medium, or Low (as per the rules).
  • Submission should contain at least one test demonstrating the problem and, if possible, a possible fix.

Report Template:

  • Description: Describe the context and the effect of the vulnerability.
  • Attack scenario: Describe how the vulnerability can be exploited.

Attachment:

  • Proof of Concept (PoC) File: Provide a file containing a proof of concept (PoC) demonstrating the vulnerability.
  • Revised Code File (Optional): Provide a second file containing the revised code that offers a potential fix for the vulnerability. This file should include:
  • Comment with a clear explanation of the proposed fix.
  • The revised code with suggested changes.
  • Add any additional comments or explanations clarifying how the fix addresses the vulnerability.
  • Recommendation: Describe a patch or potential fix for the vulnerability.

***Due to the nature of the audit competition mechanism, the report will not be encrypted.***

Evaluation:

  • The first participant to submit an issue following guidelines gets a bounty for that issue (issues already received or out of scope will not receive a reward).
  • The competition starts on October 3rd at 15:00 GMT and ends on October 17th at 15:00 GMT.
  • Issues that we are aware of (as witnessed by any open issues in the repository) will not be eligible for the bug bounty.

Compensation and Impact

A prize pool of ~$30K worth of $ROSE token will be distributed among security researchers who submit eligible vulnerability disclosures.

Compensation payment timeline:

  • Ten days after the competition ends, we will announce a winner list.
  • Alongside the winner announcement post, submitters can send a dispute to the committee team within three days and request clarification. They can also involve the Hats security team in the process. The goal is to facilitate honest and professional debate regarding disputed submissions.
  • Between 7–14 days after the announcement, we will publish a split contract where the winners can claim rewards.
  • HATS Service Fee: A 20% deduction from the payout will always be allocated as the service fee.

Security researchers play a crucial role in fostering trust and confidence in Web3 technologies, paving the way for mass adoption. By participating in this competition, security researchers can gain recognition for their work, raise their profile, and make valuable connections in the Web3 security ecosystem. Ultimately, they can contribute to creating a more secure and equitable community.

Join the Thorn Protocol Audit Competition today and participate in the movement to secure the future of Web3 and decentralized finance. Check the Hats Finance dApp for more information and in-scope contracts.

Stay tuned and check Hats dApp:https://app.hats.finance/audit-competitions

KYC and AML Disclaimer for Thorn Protocol Audit Competition

Eligibility for prizes is subject to compliance with Know Your Customer (KYC) and Anti-Money Laundering (AML) policies as outlined below.

Prize Disbursements and KYC Requirements

For Prizes Under $1.000: For Prizes Under $1,000: Participants who receive a prize less than $1,000 must disclose their full legal name, physical address, and wallet address to privacy@oasisprotocol.org. This information is necessary for the disbursement of the prize and for basic identity verification purposes.

For Prizes of $1.000 or More: Participants who receive a prize amount of $1,000 or more are subject to a full KYC process. This process will be conducted by the Oasis Network Foundation (or a designated third-party service provider). Participants will be required to provide additional identification documentation, which may include but is not limited to a government-issued photo ID, proof of address, wallet address and email address. Participants agree to comply with reasonable requests on KYC and acknowledge and understand that failure to complete the KYC process may result in the forfeiture of the prize.

Data Use and Privacy Disclaimer

By participating in the Competition, you agree to our collection, use, and sharing of your personal information as described in this disclaimer. The information collected during the KYC process is used solely for the purposes of identity verification, compliance with AML regulations, and prize disbursement. The Oasis Network Foundation is committed to protecting your privacy and will take appropriate measures to ensure the security of your personal information.

Your data may be shared with regulatory authorities and law enforcement agencies if required by law or if necessary for the prevention of fraud and other illegal activities. Except as described herein or in our Privacy Policy, your personal information will not be shared with third parties without your consent.

Please note that participation in the Competition is voluntary. By submitting your information and participating, you acknowledge and agree to these terms.

Winners will be provided with email addresses to submit their KYC details at the end of the competition.

*AStar Technologies is the company acting for and on behalf of the Oasis Network/Oasis Protocol Foundation.

--

--

HatsFinance
HatsFinance

Written by HatsFinance

Hats.Finance a decentralized smart bug bounty marketplace. Permissionless, scalable, and open bug bounty protocol that allows anyone to provide liquidity.