zkSync Reveals a 1.1 Million USDC Prize Pool for a Competitive Web3 Security Audit on Code4rena

Today, zkSync made it known that they're spearheading a substantial competitive Web3 security audit on Code4rena from Oct 2 – 23.

The zkSync team underlined that the need for improved security is a critical barrier to mainstream Web3 adoption. They pointed out a report Forbes article that noted bridge hacks exceeding $2 billion, as well as security concerns the challenges tied to Layer 2 solutions. They hold the view that as long as security benchmarks remain stagnant, onboarding new users will continue to be problematic.

As the zkSync platform has evolved, the Matter Labs team has adopted a philosophy of treating security as a comprehensive mindset rather than a mere checklist. They refer to this philosophy as 'defense-in-depth'; a layered approach designed to safeguard users from various vulnerabilities, including bugs, exploits, scams, and hacks,” the team shared in a blog post .

Matter Labs, the firm behind zkSync, indicated that they have invested around $5 million in high-grade security audits for zkSync Era. They have employed multiple protective layers throughout the system, including continuous monitoring, open-source code, bug bounty programs, community challenges, external evaluations, and enhanced security measures that utilize tools like OpenZeppelin Defender and Forta bots.

The team sees competitive auditing as a vital component of their security strategy, which is why they are hosting what they describe as the largest Web3 security audit competition ever.

Set to unfold over a 21-day period, the audit will kick off at 4 PM ET on October 2nd and conclude at 4 PM ET on October 23rd. The audit will cover essential aspects, including smart contracts for Layer 1 and Layer 2 systems, circuit implementations, virtual machine operations, and more.

Participants have the chance to earn rewards based on the type of bugs they find, funded from the 1.1 million USDC prize pool. A baseline of 330k USDC has been allocated specifically for this audit. The identified bugs will be classified into tiers based on their severity: low, medium, and high.

“Engaging external contributors to review our code is just as crucial as these internal measures,” zkSync mentioned. “Our competitive audit on Code4rena aspires to establish a benchmark for security investments within Web3, focusing on recognizing participants for their significant input.”

Evaluation Criteria and Submission Guidelines

Upon completion of the audit phase, all submitted reports will be evaluated and assigned categories based on a number of criteria . 

Should multiple reports identify the same vulnerability, judges are empowered to combine these bugs. Consequently, any rewards for these submissions will be shared among the contributors. However, if a single contributor or team submits multiple reports, they will collectively be recognized as a single submission by the reward system, ensuring that rewards aren't unnecessarily divided.

Each audit may clearly state which code segments are included or excluded from its scope, and there might be specific issues categorized as out of scope. Participants who adhere to the audit rules and report genuine low, medium, or high-severity bugs that do not fall outside the defined scope will be guaranteed compensation.

The submission policy For the audit contest, participants must register as C4 Wardens individually or as a team. It is imperative to submit bug reports responsibly, ensuring that privacy is respected and there are no disturbances to user experience, damage to production systems, or manipulation or destruction of data, particularly involving funds.

Exploits should only be conducted to confirm vulnerabilities and must not be utilized for compromising funds, data theft, establishing persistent access, or redirecting to alternate systems unless specifically authorized by the sponsor. Additionally, participants are advised to withhold public disclosures until the audit report is officially released and refrain from submitting multiple low-quality reports.

Code4rena will provide additional information concerning the competitive audit and its specifics on its competition page when the competition opens on October 2.