×
Grow Open Source Bounties Hackathons Grants Quests Kudos
Gitcoin Virtual Hackathon

Matic Layer2 Smart Contract Security

Jul 8, 2020 - Sep 8, 2020

Matic Layer2 Smart Contract Security


Matic Network is a layer2 platform which aims to provide a generalized Layer2 platform to provide various layer2 execution environments to Dapp Developers on top of Ethereum. Being a layer2, Matic Network staking, validation, staking reward distribution and slashing happens on Ethereum Mainnet. Matic Layer2 Security hackathon is designed to promote expert smart contract developers to have a close look and hunt for critical bugs.

The hackathon provides opportunity for the developers to delve deep into the nuances of building a secure layer2 platform and explore ways to break staking and plasma smart contracts. Prizes will be paid out on an ongoing basis.

Prizes and judging criteria

There are four tiers of prize ranges. Each bounty submission could be eligible for any one of the prize tiers.

In addition, for this competition, the Matic team will apply a bounty multiplier ratio between 1 and 10, which can make the final payout up to $50,000. This multiplier ratio will be decided at the sole discretion of the Matic team.

Judging criteria will take into consideration:

  • The criticality of the exploits (e.g., users/cases impacted, size of impact)
  • How easy/complex it is to recreate
  • Level of research and analysis that was done by the reporter

Please note that the prizes will be paid in Matic tokens and the USD value of prizes could change based on the rate.

Submission process and guidelines

Exploits:

  1. Give us a heads up by clicking ‘Start work’ button on the Gitcoin posting for the bounty
  2. Submit the evidence of your work by opening a new issue on Hacker One Page (https://hackerone.com/matic-network/). Once you're done with the Submission on Hacker One, make sure to click ‘Submit work’ and link your work on Gitcoin.
  3. Make sure you add a link of your Hacker One submission in your Gitcoin work to easily identify your submission.
  4. Wait up to 12 hours until our team tags your submission as valid. Please stay in contact with our team in case of additional requests.
  5. After a submission is tagged as valid, any further similar submissions will not be eligible for prizes. It is in participant's responsibility to track other valid submissions (note that 'valid' tag does not guarantee rewards)
  6. You will receive the final decision of winners within 2 months after the competition ends.
  7. All rewards will be distributed via Hacker One website.

What are the bounties?

Exploits: These bounties help us identify vulnerabilities in our design and code, especially in our staking and delegation related smart contracts. The goal is to find attack vectors by which an attack can either lead to partial theft of funds or draining of funds from the contract. There may be more attack vectors too, we have just added indicative ones.

Scope for reference:

Staking: https://docs.matic.network/docs/contribute/contracts/stakingmanager

Delegation: https://docs.matic.network/docs/contribute/contracts/delegation

Code: https://github.com/maticnetwork/contracts/tree/release-0.3/contracts/staking

Root chain contract (for checkpoints): https://docs.matic.network/docs/contribute/heimdall/checkpoint

Code: https://github.com/maticnetwork/contracts/blob/release-0.3/contracts/root/RootChain.sol

Note that all Plasma contracts are Out of Scope for this hackathon.

Details of contracts deployed on Goerlihttps://static.matic.network/network/testnet/mumbai/index.json

(see Main->Contracts key for reference)

Important Contract Addresses:

Rootchainhttps://goerli.etherscan.io/address/0xCe29AEdCdBeef0b05066316013253beACa7A6268#code 

RootchainProxyhttps://goerli.etherscan.io/address/0x2890bA17EfE978480615e330ecB65333b880928e#code 

StakeManagerhttps://goerli.etherscan.io/address/0xb36b6963f68dde1312a9e959817e35ff6b0f0aa9#code 

Stakemanager proxyhttps://goerli.etherscan.io/address/0x00200ea4ee292e253e6ca07dba5edc07c8aa37a3#code 

ValidatorSharehttps://goerli.etherscan.io/address/0xb6d4B5893729601759be67ed98896EF928e5EC88#code

Setting up Local environment:

https://github.com/maticnetwork/contracts/blob/release-0.3/README.md

Reach out to us for any queries:

If you have any questions, please join our Discord Channel and post your queries in the Developers->contracts channel: https://discord.gg/ujFqsjK

bounty explorer
Check out the Prizes

Visit the Prize Explorer to check out the prizes posted by our hackathon sponsors. Click each prize to show important details, including the submission requirements, submission deadline, etc.

express interest
Join the Hackathons Chat Workspace

Chat with other hackers, ask sponsors and the Gitcoin team questions, find or create a team, and communicate real-time. Click here to join the party!.

bounty explorer
Start Work via Gitcoin

When your team is formed please have one of your teammates navigate to each prize page you plan to compete for and click the “Start Work” button.

express interest
BUIDL!

Build your cool ideas and make your vision come true with your team!

bounty explorer
Submit Work via Gitcoin

When your project is completed, submit your work by clicking the “Submit Work” button on the prize page/