Starting Monday January 22nd, $40,000 has been allocated to the reward pool for our Audit Competition with Hats Finance. Security researchers and auditors of all experience levels are invited to participate in this competition. Let this be an opportunity for you to dive into Ion’s architecture before we go live and learn about the mechanisms we’ve designed! Join the Discord channel the Hats team has made for us to discuss any findings or questions with members from both teams and other security researchers and auditors.
The competition will begin on Monday, January 22nd, 2024 11:59 AM EST and run until February 5th, 2024 11:59 EST.
This competition offers a variety of ways to participate. Security researchers can submit any issues, bugs, or code flaws they identify in our code on the Hats Finance dapp. You can make one on-chain submission listing all issues found in the repo — a forked repo that Hats Finance will provide on behalf of Ion Protocol [https://github.com/hats-finance]. In addition, we are also opening submissions for formal verification.
Here’s a brief tutorial!
We will not be distributing rewards for the following:
What we will be distributing rewards for:
The vulnerabilities found can generally be classified into three severity levels.
Low-severity issues are those where the behavior of the contracts differs from the intended behavior (as described in the docs and by common sense) but don’t put funds at risk.
Medium-severity issues lead to an economic loss but do not lead to a direct loss of on-chain assets. These include gas griefing attacks, any attacks that make essential functionality of the contracts temporarily unusable or inaccessible, and anything that results in the short-term freezing of user funds.
High-severity issues lead to the loss of user funds. These include direct theft of any user funds (whether at rest or in motion), long-term freezing of user funds, theft or long-term freezing of unclaimed yield or other assets, and protocol insolvency.
These submissions are public and not encrypted, making them viewable on GitHub. This is intentional, since the competition is first come, first served, and duplicate submissions of an issue that has already been reported will be disregarded.
Formal verification is a mathematical process used to prove or disprove the correctness of a smart contract’s algorithms, ensuring they behave as intended and are secure against vulnerabilities and errors. We’re giving researchers the opportunity to use the Certora Prover to find bugs and prove properties for a selection of predefined contracts within the codebase. The best specs written for these contracts will be eligible for the formal verification prize pool.
The committee judging formal verification submissions will evaluate based on the coverage of the submitted specification. Coverage is determined using private mutations to the code. The private mutations will be made public after the reward calculation.
To access the Prover, sign up here.
The reward pool will be split proportionally between:
For vulnerability submissions, each accepted submission earns a specific number of points based on the severity level of the vulnerability found. Points are capped at 1% of the total pool. So if the total number of points awarded is greater than 75, the dollar-per-point value gets diluted (75% of total rewards is split among all accepted submissions according to each submission’s point allocation). If the total number of points is less than 75, the dollar-per-point value is not diluted.
For formal verification submissions, all accepted submissions split the 25% share based on Certora’s severity ratings.
Total Deposit: $50,000
UI Budget: $40,000 (which includes a 20% handling fee from the rewards)
Max Dollars Per Point: $400
Total Formal Verification Budget: $10,000
Join the Hats Finance Discord to stay up to date on the latest information regarding the audit competition.
In the meantime, try our testnet and become a member of our Discord to join the conversation on all things Ion, Staking and Restaking!