From f8643058753e00f263d4775742fedd2fa67038e8 Mon Sep 17 00:00:00 2001 From: benk10 Date: Tue, 18 Jun 2024 09:55:45 -0500 Subject: [PATCH] Add report.md --- report.md | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) create mode 100644 report.md diff --git a/report.md b/report.md new file mode 100644 index 00000000..30304d93 --- /dev/null +++ b/report.md @@ -0,0 +1,65 @@ +# **HATs Arbitration Contracts Audit Competition on Hats.finance** + + +## Introduction to Hats.finance + + +Hats.finance builds autonomous security infrastructure for integration with major DeFi protocols to secure users' assets. +It aims to be the decentralized choice for Web3 security, offering proactive security mechanisms like decentralized audit competitions and bug bounties. +The protocol facilitates audit competitions to quickly secure smart contracts by having auditors compete, thereby reducing auditing costs and accelerating submissions. +This aligns with their mission of fostering a robust, secure, and scalable Web3 ecosystem through decentralized security solutions​. + +## About Hats Audit Competition + + +Hats Audit Competitions offer a unique and decentralized approach to enhancing the security of web3 projects. Leveraging the large collective expertise of hundreds of skilled auditors, these competitions foster a proactive bug hunting environment to fortify projects before their launch. Unlike traditional security assessments, Hats Audit Competitions operate on a time-based and results-driven model, ensuring that only successful auditors are rewarded for their contributions. This pay-for-results ethos not only allocates budgets more efficiently by paying exclusively for identified vulnerabilities but also retains funds if no issues are discovered. With a streamlined evaluation process, Hats prioritizes quality over quantity by rewarding the first submitter of a vulnerability, thus eliminating duplicate efforts and attracting top talent in web3 auditing. The process embodies Hats Finance's commitment to reducing fees, maintaining project control, and promoting high-quality security assessments, setting a new standard for decentralized security in the web3 space​​. + +## HATs Arbitration Contracts Overview + +We turn black hat hackers into white hat hackers using the right incentives. Creating the future of security on _EVM + +## Competition Details + + +- Type: A public audit competition hosted by HATs Arbitration Contracts +- Duration: 2 weeks +- Maximum Reward: $28,000 +- Submissions: 74 +- Total Payout: $24,900.4 distributed among 8 participants. + +## Scope of Audit + +The scope of the competition includes all the contracts that make up the HATs system, but we are specifically interested in the changes made since v2.0. + +There are a number of changes since our last release: + +- We added an arbitration procedure: if there is any kind of dispute about the payout, the decision can be escalated to an Expert Committee, and if that committee cannot find consensus, to the Kleros court. The intended behavior of that system is documented here: https://github.com/hats-finance/hats-contracts/blob/audit/docs/claims.md +- The functionality of the main contract, HATVault.sol, was split into two new files (HATVault.sol and HATClaimsManager.sol) +- We added some helper contracts, such as the PaymentSplitter.sol + +The contracts that are currently in use, v2.0, can be found here https://github.com/hats-finance/hats-contracts/tree/v2.0. + + +In this competition, we are interested in the usual programming errors, but we are also interested in any scenarios in which the arbitration procedure can be abused or hijacked. (For such attacks, it is the behavior that is implemented that serves as a reference - pointing out mistakes in documentation is appreciated, but will not be rewarded). + + + + + + + +## Conclusion + +The Hats.finance audit competition upheld its mission to fortify the security of DeFi projects through a two-week public competition hosted by HATs Arbitration Contracts. By leveraging a decentralized approach that harnesses the expertise of numerous auditors, the competition effectively identified and mitigated vulnerabilities in the HATs system. It revolved around the updated HATs contracts, including significant modifications such as the arbitration procedure for dispute resolution and the splitting of main contract functionalities into distinct files. With a significant focus on potential abuse scenarios of the arbitration process, 74 submissions were evaluated, and a total payout of $24,900.4 was distributed among eight participants. This outcome underscores Hats.finance’s innovative, reward-driven model that emphasizes quality auditing by rewarding the first submitter and thereby reducing redundant efforts. The competition not only succeeded in reinforcing security but also in demonstrating an efficient, decentralized audit process that aligns with Hats.finance's goal of creating a scalable and secure Web3 ecosystem. + +## Disclaimer + + +This report does not assert that the audited contracts are completely secure. Continuous review and comprehensive testing are advised before deploying critical smart contracts. + + +The HATs Arbitration Contracts audit competition illustrates the collaborative effort in identifying and rectifying potential vulnerabilities, enhancing the overall security and functionality of the platform. + + +Hats.finance does not provide any guarantee or warranty regarding the security of this project. Smart contract software should be used at the sole risk and responsibility of users. +