
Protocol Announcement:

Ion Protocol x Hats Finance: Audit Competition

Introduction

Starting Monday January 22nd, $40,000 has been allocated to the reward pool for our Audit Competition with Hats Finance. Security researchers and auditors of all experience levels are invited to participate in this competition. Let this be an opportunity for you to dive into Ion’s architecture before we go live and learn about the mechanisms we’ve designed! Join the Discord channel the Hats team has made for us to discuss any findings or questions with members from both teams and other security researchers and auditors.

 

Rules

The competition will begin on Monday, January 22nd, 2024 11:59 AM EST and run until February 5th, 2024 11:59 EST.

This competition offers several ways to participate. Security researchers can submit any issues, bugs, or code flaws they identify in our code through the Hats Finance dapp. You can make a single on-chain submission covering all issues found in the repo, which is a fork of the Ion Protocol code provided by Hats Finance on our behalf [https://github.com/hats-finance]. In addition, we are also opening submissions for formal verification.


 

We will not be distributing rewards for the following:

  • Any known issues. This includes any issues mentioned in our audit docs or vulnerabilities that were already made public (either by Hats or by a third party).
  • “Centralization risks” that are known and/or explicitly coded into the protocol.
  • Attacks that require access to leaked private keys or trusted addresses.
  • Issues that are not correctly submitted (via the Hats Finance dapp).

 

What we will be distributing rewards for:

  • Low-severity issues (must be approved)
  • Medium-severity issues (must be approved)
  • High-severity issues (must be approved)

 

Vulnerability Issue Submission

The vulnerabilities found can generally be classified into three severity levels.

 

Low-Severity Issue Submission

Low-severity issues are those where the behavior of the contracts differs from the intended behavior (as described in the docs and by common sense) but don’t put funds at risk.

 

Medium-Severity Issue Submission

Medium-severity issues lead to an economic loss but not to a direct loss of on-chain assets. These include gas griefing attacks, any attack that makes essential functionality of the contracts temporarily unusable or inaccessible, and anything that results in the short-term freezing of user funds.

 

High-Severity Issue Submission

High-severity issues lead to the loss of user funds. These include direct theft of any user funds (whether at rest or in motion), long-term freezing of user funds, theft or long-term freezing of unclaimed yield or other assets, and protocol insolvency.

Submissions are public and not encrypted, so they are viewable on GitHub as soon as they are made. This is intentional: the competition is first come, first served, and a later submission of an issue that has already been reported will be disregarded as a duplicate.

 

Formal Verification Submissions

Formal verification is a mathematical process used to prove or disprove the correctness of a smart contract’s algorithms, ensuring they behave as intended and are secure against vulnerabilities and errors. We are giving researchers the opportunity to use the Certora Prover to find bugs and prove properties for a selection of predefined contracts within the codebase. The best specs written for these contracts will be eligible for the formal verification share of the prize pool.

The committee judging formal verification submissions will evaluate each submission on the coverage of its specification. Coverage is measured with mutation testing: a set of private mutations (deliberately injected bugs) is applied to the code, and a specification scores on how many of those mutations its rules catch, meaning the rule passes on the original code but fails on the mutated code. The private mutations will be made public after the reward calculation.
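The following is an added example (not code from Ion Protocol, Hats Finance or Certora) of how mutation-based coverage scoring works in principle. It uses a constructed toy accounting contract in Python in place of Solidity, three hand-written mutants standing in for the competition's private mutations, and three "spec rules" written as Python properties in place of CVL. The names `Vault`, `MutantNoCheck`, `rule_total_is_sum` and the scenario are all assumptions for illustration.

```python
"""Mutation-based coverage scoring for specifications (illustrative only).

A rule "kills" a mutant if it passes on the original code but fails on the
mutant. A spec's coverage is the fraction of mutants killed by at least one
of its rules. Rules that fail on the original are spec bugs, not findings.
"""


class Vault:
    """Constructed original (assumed-correct) accounting: balances plus a running total."""

    def __init__(self) -> None:
        self.balances: dict[str, int] = {}
        self.total: int = 0

    def deposit(self, user: str, amount: int) -> None:
        if amount <= 0:
            raise ValueError("amount must be positive")
        self.balances[user] = self.balances.get(user, 0) + amount
        self.total += amount

    def withdraw(self, user: str, amount: int) -> None:
        bal = self.balances.get(user, 0)
        if amount <= 0 or amount > bal:
            raise ValueError("insufficient balance")
        self.balances[user] = bal - amount
        self.total -= amount


# Constructed mutants: each injects exactly one bug into the original.
class MutantNoCheck(Vault):
    def withdraw(self, user: str, amount: int) -> None:  # solvency check removed
        self.balances[user] = self.balances.get(user, 0) - amount
        self.total -= amount


class MutantTotalDrift(Vault):
    def withdraw(self, user: str, amount: int) -> None:  # running total not updated
        bal = self.balances.get(user, 0)
        if amount <= 0 or amount > bal:
            raise ValueError("insufficient balance")
        self.balances[user] = bal - amount


class MutantOffByOne(Vault):
    def deposit(self, user: str, amount: int) -> None:  # credits one unit too few
        if amount <= 0:
            raise ValueError("amount must be positive")
        self.balances[user] = self.balances.get(user, 0) + amount - 1
        self.total += amount - 1


# Constructed scenario the rules are checked against (last step must revert).
SCENARIO = [
    ("deposit", "alice", 100),
    ("deposit", "bob", 50),
    ("withdraw", "alice", 30),
    ("withdraw", "bob", 80),
]


def run(vault: Vault, step: tuple) -> bool:
    """Execute one step; return True if it succeeded, False if it reverted."""
    op, user, amt = step
    try:
        getattr(vault, op)(user, amt)
        return True
    except ValueError:
        return False


# Spec rules: each returns True if its property holds at every step.
def rule_no_negative(cls: type) -> bool:
    v = cls()
    for step in SCENARIO:
        run(v, step)
        if any(b < 0 for b in v.balances.values()):
            return False
    return True


def rule_total_is_sum(cls: type) -> bool:
    v = cls()
    for step in SCENARIO:
        run(v, step)
        if v.total != sum(v.balances.values()):
            return False
    return True


def rule_deposit_exact(cls: type) -> bool:
    v = cls()
    for step in SCENARIO:
        op, user, amt = step
        before = v.balances.get(user, 0)
        ok = run(v, step)
        if op == "deposit" and ok and v.balances[user] != before + amt:
            return False
    return True


MUTANTS = [MutantNoCheck, MutantTotalDrift, MutantOffByOne]


def coverage(rules: list, mutants: list = MUTANTS, original: type = Vault) -> float:
    """Fraction of mutants killed by at least one rule that passes on the original."""
    for r in rules:
        if not r(original):
            raise AssertionError(f"{r.__name__} fails on the original: fix the spec")
    killed = [m for m in mutants if any(not r(m) for r in rules)]
    return len(killed) / len(mutants)
```

Each rule here catches a different mutant, so a spec consisting of only `rule_no_negative` scores 1/3 while all three rules together score 1.0. The practical lesson is the same as for the competition: a spec that only restates one property leaves most injected bugs undetected, and a rule that fails on the unmodified code is a defect in the spec rather than a finding.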

To access the Prover, sign up Here

 

Rewards

The reward pool will be split proportionally between:

 

  • 75% of the total pool for vulnerability submissions
  • 25% of the total pool for formal verification submissions

 

For vulnerability submissions, each accepted submission earns points according to its severity level. A point is worth at most 1% of the total pool, so the 75% vulnerability share covers at most 75 points at full value. If the accepted submissions total more than 75 points, the vulnerability share is divided by the total number of points and the dollar value per point is diluted; if they total 75 points or fewer, each point pays the full 1% of the pool. With the $40,000 pool, for example, two accepted highs and one medium (62 points) pay $400 per point, while four accepted highs (100 points) pay $300 per point.

 

  • low-severity: 1 point per submission
  • medium-severity: 12 points per submission
  • high-severity: 25 points per submission

 

For formal verification submissions, all accepted submissions split the 25% share based on Certora’s severity ratings.

 

Prize Pool

Total deposit: $50,000

Reward pool shown in the UI: $40,000 (the deposit less the 20% handling fee retained by Hats Finance)

Max dollars per point: $400 (1% of the $40,000 pool)

Total formal verification budget: $10,000 (25% of the $40,000 pool)

 

Conclusion

Join the Hats Finance Discord to stay up to date on the latest information regarding the audit competition.

In the meantime, try our testnet and become a member of our Discord to join the conversation on all things Ion, Staking and Restaking!
