forked from hats-finance/hats-contracts
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
929a3eb
commit 26f2a39
Showing
1 changed file
with
65 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,65 @@ | ||
| # **HATs Arbitration Contracts Audit Competition on Hats.finance** | ||
|
|
||
|
|
||
| ## Introduction to Hats.finance | ||
|
|
||
|
|
||
| Hats.finance builds autonomous security infrastructure for integration with major DeFi protocols to secure users' assets. | ||
| It aims to be the decentralized choice for Web3 security, offering proactive security mechanisms like decentralized audit competitions and bug bounties. | ||
| The protocol facilitates audit competitions to quickly secure smart contracts by having auditors compete, thereby reducing auditing costs and accelerating submissions. | ||
| This aligns with their mission of fostering a robust, secure, and scalable Web3 ecosystem through decentralized security solutions. | ||
|
|
||
| ## About Hats Audit Competition | ||
|
|
||
|
|
||
| Hats Audit Competitions offer a unique and decentralized approach to enhancing the security of web3 projects. Leveraging the large collective expertise of hundreds of skilled auditors, these competitions foster a proactive bug hunting environment to fortify projects before their launch. Unlike traditional security assessments, Hats Audit Competitions operate on a time-based and results-driven model, ensuring that only successful auditors are rewarded for their contributions. This pay-for-results ethos not only allocates budgets more efficiently by paying exclusively for identified vulnerabilities but also retains funds if no issues are discovered. With a streamlined evaluation process, Hats prioritizes quality over quantity by rewarding the first submitter of a vulnerability, thus eliminating duplicate efforts and attracting top talent in web3 auditing. The process embodies Hats Finance's commitment to reducing fees, maintaining project control, and promoting high-quality security assessments, setting a new standard for decentralized security in the web3 space. | ||
|
|
||
| ## HATs Arbitration Contracts Overview | ||
|
|
||
| We turn black hat hackers into white hat hackers using the right incentives. Creating the future of security on _EVM | ||
|
|
||
| ## Competition Details | ||
|
|
||
|
|
||
| - Type: A public audit competition hosted by HATs Arbitration Contracts | ||
| - Duration: 2 weeks | ||
| - Maximum Reward: $28,000 | ||
| - Submissions: 74 | ||
| - Total Payout: $24,900.4 distributed among 8 participants. | ||
|
|
||
| ## Scope of Audit | ||
|
|
||
| The scope of the competition includes all the contracts that make up the HATs system, but we are specifically interested in the changes made since v2.0. | ||
|
|
||
| There are a number of changes since our last release: | ||
|
|
||
| - We added an arbitration procedure: if there is any kind of dispute about the payout, the decision can be escalated to an Expert Committee, and if that committee cannot find consensus, to the Kleros court. The intended behavior of that system is documented here: https://github.com/hats-finance/hats-contracts/blob/audit/docs/claims.md | ||
| - The functionality of the main contract, HATVault.sol, was split into two new files (HATVault.sol and HATClaimsManager.sol) | ||
| - We added some helper contracts, such as the PaymentSplitter.sol | ||
|
|
||
| The contracts that are currently in use, v2.0, can be found here https://github.com/hats-finance/hats-contracts/tree/v2.0. | ||
|
|
||
|
|
||
| In this competition, we are interested in the usual programming errors, but we are also interested in any scenarios in which the arbitration procedure can be abused or hijacked. (For such attacks, it is the behavior that is implemented that serves as a reference - pointing out mistakes in documentation is appreciated, but will not be rewarded). | ||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
|
|
||
| ## Conclusion | ||
|
|
||
| The audit report highlights Hats.finance's efforts in securing DeFi protocols via decentralized audit competitions, a proactive approach that leverages the expertise of a wide range of auditors to identify and address vulnerabilities before project launches. Hats Audit Competitions prioritize quality and efficiency, rewarding auditors only for successful vulnerability identifications and encouraging top-tier talent participation. The recent audit competition focused on the HATs system's updates since version 2.0, particularly the new arbitration procedure aimed at resolving payout disputes through an Expert Committee and potentially the Kleros court. The competition, lasting two weeks, garnered 74 submissions and distributed $24,900.4 among eight participants. Critical changes included splitting the HATVault.sol contract and adding helper contracts like PaymentSplitter.sol. The audit emphasized detecting programming errors and potential abuses of the arbitration process, embodying Hats.finance's commitment to robust, cost-effective security measures in the web3 space. | ||
|
|
||
| ## Disclaimer | ||
|
|
||
|
|
||
| This report does not assert that the audited contracts are completely secure. Continuous review and comprehensive testing are advised before deploying critical smart contracts. | ||
|
|
||
|
|
||
| The HATs Arbitration Contracts audit competition illustrates the collaborative effort in identifying and rectifying potential vulnerabilities, enhancing the overall security and functionality of the platform. | ||
|
|
||
|
|
||
| Hats.finance does not provide any guarantee or warranty regarding the security of this project. Smart contract software should be used at the sole risk and responsibility of users. | ||
|
|