VMEX Launches Audit Competition

We are excited to announce our upcoming audit competition with HATS Finance. In this competition, participants worldwide will search for vulnerabilities in VMEX's codebase, with prizes awarded based on the severity of each vulnerability found. We look forward to leveraging HATS' network of security researchers committed to developing a safer infrastructure for all users in the DeFi ecosystem.

The audit competition starts June 19, 2023, 18:00:00 GMT, and ends July 3, 2023, 18:00:00 GMT.

About the Competition

Starting June 19th, a new vault will open in the Hats dApp — “VMEX Finance Audit competition.” Participants can check the contracts in scope and start searching for bugs.

Submission Guidelines

Submissions should be made using the Dapp in the "VMEX audit competition" vault. You can submit one on-chain submission mentioning all issues found on the repo. Please send a plain ASCII submission in the following format:

[TITLE]: a short description of the issue.

SEVERITY (either High, Medium, or Low; see the rules)

  • Submission should contain at least one test demonstrating the problem and, if possible, a possible fix.

Report template:

Description - Describe the context and the effect of the vulnerability.

Attack scenario - Describe how the vulnerability can be exploited.

Attachment - Proof of Concept (PoC) File: You must provide a file containing a proof of concept (PoC) that demonstrates the vulnerability you have discovered.

Revised Code File (Optional): If possible, please provide a second file containing the revised code that offers a potential fix for the vulnerability. This file should include the following information:

  • Comment with a clear explanation of the proposed fix.
  • The revised code with your suggested changes.
  • Any additional comments or explanations that clarify how the fix addresses the vulnerability.

Recommendation - Describe a patch or a potential fix for the vulnerability.

  • Due to the nature of the audit competition mechanism, the report will not be encrypted.

Evaluation Guidelines

$45K allocated for High Severity tasks, with a $15K cap for one high issue

$12K allocated for Medium Severity tasks

$1.5K allocated for Low Severity tasks

$1.5K allocated for Gas Savings tasks

  • The prize pools are divided based on the number of eligible submissions. For example, suppose there is one high-severity issue and four medium-severity issues. In that case, submitters of the medium-severity vulnerabilities will be awarded $4k each, and the submitter of the high-severity vulnerability gets $15k
  • You can submit one on-chain submission mentioning all issues found on the repo. Please make sure you make separate issues on the repo
  • Participants submit one issue at a time in the Github repository
  • The first participant to submit an issue following guidelines gets a bounty for that issue (issues already received or out of scope will not receive a reward)
  • Issues that we are aware of (as witnessed by any open issues in the repository) will not be eligible for the bug bounty

Default severity description:

High severity description:

Issues that lead to the loss of user funds. Such issues include:

  • Direct theft of any user funds
  • Long-term freezing of user funds
  • Theft or long-term freezing of unclaimed yield or other assets
  • Protocol insolvency

Medium severity description:

Issues that lead to an economic loss but do not lead to a direct loss of on-chain assets. Examples are:

  • Gas griefing attacks (make users overpay for gas)
  • Attacks that make essential functionality of the contracts temporarily unusable or inaccessible
  • Short-term freezing of user funds

Low severity description:

Issues where the behavior of the contracts differs from the intended behavior (as described in the docs and by common sense), but no funds are at risk.

Reporters will not receive a bounty for any known issue, such as

  • Issues mentioned in any previous audit reports
  • Vulnerabilities that were already made public (either by HATs or by a third party)
  • “Centralization risks” that are known and/or explicitly coded into the protocol (e.g. an administrator can upgrade crucial contracts and steal all funds)
  • Attacks that require access to leaked private keys or trusted addresses
  • Issues that are not responsibly disclosed (issues should typically be reported through our platform)
  • Attacks related to incorrect data supplied by third-party oracles
  • Best practice critiques

Gas saving description:

This competition will reward participants with ideas to maximize gas savings.

The prize pool will reward $1.5k.

The guidelines are as follows:

  • Submissions should be forks of our repository, with the test suite unchanged
  • Optimizations should use Solidity (no inline assembly)
  • Entries will be measured on the total average amount of gas used for each function (i.e. the sum of all numbers in the “avg” column), as reported by the hardhat-gas-reporter when running the tests in the repository
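One way to compute the metric the gas-saving guideline describes, as an added example that is not the competition's or VMEX's own tooling: it parses the method table that hardhat-gas-reporter prints (the column layout, the constructed sample rows and the gas figures are assumptions, not measurements of VMEX contracts), sums the "avg" column, and refuses to compare two runs whose method sets differ, since the test suite must stay unchanged.

```python
import re

# Constructed sample output in the style of hardhat-gas-reporter's method
# table (assumed layout: cells separated by '·'; Min/Max/Avg/# calls numeric).
# The contracts, methods and gas figures are invented for illustration.
BASELINE = """
|  Contract      ·  Method    ·  Min    ·  Max     ·  Avg     ·  # calls  ·  usd (avg)  |
|  LendingPool   ·  deposit   ·  80000  ·  120000  ·  100000  ·  12       ·  -          |
|  LendingPool   ·  withdraw  ·  70000  ·  90000   ·  80000   ·  8        ·  -          |
|  Oracle        ·  getPrice  ·  30000  ·  30000   ·  30000   ·  20       ·  -          |
"""

CANDIDATE = """
|  Contract      ·  Method    ·  Min    ·  Max     ·  Avg     ·  # calls  ·  usd (avg)  |
|  LendingPool   ·  deposit   ·  75000  ·  110000  ·  92000   ·  12       ·  -          |
|  LendingPool   ·  withdraw  ·  70000  ·  90000   ·  80000   ·  8        ·  -          |
|  Oracle        ·  getPrice  ·  28000  ·  28000   ·  28000   ·  20       ·  -          |
"""

# One method row: Contract · Method · Min · Max · Avg · # calls (· cost column ignored).
ROW = re.compile(r"^\|?\s*(\S+)\s*·\s*(\S+)\s*·\s*(\d+)\s*·\s*(\d+)\s*·\s*(\d+)\s*·\s*(\d+)")


def avg_gas_by_method(report: str) -> dict:
    """Map 'Contract.method' -> Avg gas; header and border rows have no numeric cells and are skipped."""
    result = {}
    for line in report.splitlines():
        m = ROW.match(line.strip())
        if m:
            contract, method, _min, _max, avg, _calls = m.groups()
            result[f"{contract}.{method}"] = int(avg)
    return result


def total_avg_gas(report: str) -> int:
    """The competition metric: the sum of the 'avg' column over all methods."""
    return sum(avg_gas_by_method(report).values())


def compare(baseline: str, candidate: str) -> tuple:
    """Return (baseline total, candidate total, saving). Refuses to compare
    reports covering different methods: the test suite must stay unchanged,
    so a missing or new method means the totals are not comparable."""
    base, cand = avg_gas_by_method(baseline), avg_gas_by_method(candidate)
    if base.keys() != cand.keys():
        raise ValueError(f"method sets differ: {sorted(base.keys() ^ cand.keys())}")
    b, c = sum(base.values()), sum(cand.values())
    return b, c, b - c
```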

Closing Thoughts

The security and protection of users in the DeFi ecosystem are a top priority for VMEX, and the opportunity to collaborate with HATS Finance offers a great way for our community to contribute towards the development of a safer, more secure environment for DeFi users across the industry.

We'll share important updates on our Twitter and Discord throughout the audit competition. Stay tuned for more details.

VMEX Finance © 2023