September 29, 2023

zkSync Announces 1.1M USDC Bounty for Competitive Web3 Security Audit on Code4rena

In Brief

zkSync is hosting a competitive Web3 security audit on Code4rena.

Participants receive rewards commensurate with the types of bugs they uncover, drawn from the 1.1 Million USDC reward pool.

zkSync today announced that it is hosting the largest competitive Web3 security audit on Code4rena from Oct 2 – 23.

The team behind zkSync stressed that security remains a major obstacle to the broader adoption of Web3. They referenced a Forbes article that highlighted bridge hacks exceeding $2 billion, as well as security concerns with Layer 2 solutions. They believe that obstacles in onboarding new users into the ecosystem will persist as long as security standards don’t improve.

“Over the years as we built zkSync, the Matter Labs team has approached security as a mindset, rather than a list of checkboxes to tick off. We call this ‘defense-in-depth’; a multifaceted approach to protect users against bugs, exploits, scams and hacks,” the team wrote in a blog post.

Matter Labs, the company behind zkSync, said that it has invested approximately $5 million in top-tier security audits for zkSync Era. They’ve implemented multiple layers of protection into the system, such as 24/7 monitoring, open-source code, bug bounties, public contests, external reviews, and additional security measures with tools like OpenZeppelin Defender and Forta bots.

The team believes that competitive audits are an important piece of this security puzzle, which is why they’re hosting what they claim is the largest-ever Web3 security audit competition. 

The competitive audit, spanning 21 days, is scheduled to commence at 4 pm ET on Monday, October 2nd and conclude at 4 pm ET on Monday, October 23rd. The audit’s scope encompasses several key areas including L1 and L2 system smart contracts, circuits, VM implementation and more.

Participants stand to earn rewards based on the nature of the bugs they uncover, drawn from the 1.1 Million USDC reward pool. A minimum commitment of 330k USDC has been allocated for the audit. Identified bugs are categorized into low, medium, and high-risk tiers.

“Bringing in contributors outside of Matter Labs to examine the code is equally important to these measures,” zkSync said. “Our competitive audit on Code4rena aims to set the standard for security investments in Web3 with a focus on rewarding participants for valuable contributions.”

Judging Criteria and Submission Process

At the end of a given audit period, all reports will be reviewed and categorized based on a number of criteria.

In cases where multiple submissions describe the same vulnerability, judges have the authority to group these bugs together. Subsequently, any rewards will be distributed among those who made these submissions. However, if multiple submissions arise from the same warden or warden team, they are treated as a single submission by the awarding algorithm, avoiding further subdivision of rewards.

Each audit may explicitly define code that is either within or outside the audit’s scope. Additionally, specific issues may also be categorized as out of scope. Those adhering to the audit guidelines and reporting valid low, medium, or high-severity bugs that are not explicitly excluded from the scope will receive guaranteed compensation.

The submission policy for the audit contest states participants must register as a C4 Warden either individually or as part of a team. They should submit bug reports responsibly, avoiding privacy breaches, disruptions to user experience, harm to production systems, and data manipulation or destruction, particularly concerning funds. 

Exploits should only be used to confirm the presence of vulnerabilities and not for compromising funds, data exfiltration, establishing persistent access, or redirecting to other systems unless explicitly specified by the sponsor. Additionally, participants should refrain from public disclosure until the audit report is officially published and should avoid submitting numerous low-quality reports.

Code4rena will provide more information regarding the competitive audit and its scope on its competition page once the competition commences on Oct 2.

Disclaimer

In line with the Trust Project guidelines, please note that the information provided on this page is not intended to be and should not be interpreted as legal, tax, investment, financial, or any other form of advice. It is important to only invest what you can afford to lose and to seek independent financial advice if you have any doubts. For further information, we suggest referring to the terms and conditions as well as the help and support pages provided by the issuer or advertiser. MetaversePost is committed to accurate, unbiased reporting, but market conditions are subject to change without notice.

About The Author

Cindy is a journalist at Metaverse Post, covering topics related to web3, NFT, metaverse and AI, with a focus on interviews with Web3 industry players. She has spoken to over 30 C-level execs and counting, bringing their valuable insights to readers. Originally from Singapore, Cindy is now based in Tbilisi, Georgia. She holds a Bachelor's degree in Communications & Media Studies from the University of South Australia and has a decade of experience in journalism and writing. Get in touch with her via cindy@mpost.io with press pitches, announcements and interview opportunities.

Cindy Tan