As a restaking platform, EigenLayer allows stakers to deposit assets and delegate stake to operators. Operators register for AVSs (Autonomous Verifiable Services), which are external platforms that leverage this stake to secure offchain processes. Currently, the operator/AVS relationship is limited to registration, deregistration, and rewards.
This competition will cover the major changes being made to the core restaking protocol. These changes include significant updates to most system contracts and introduce new contracts to manage slashing and slashable stake allocation.
Prize Distribution and Scoring
-
Total Prize Pool: $2,500,000
-
The prize pool is split into two prize pots:
- Critical Pot: $2,000,000
- If one or more valid critical severity findings are found, then this pool is unlocked and all the $2,000,000 is only dedicated to the critical findings.
- High/Medium pot: $500,000
- The prize distribution has 2 possible triggers:
- If one or more valid medium severity findings are found, the total pot size is $200,000
- If one or more valid high severity findings are found, the total pot size is $500,000
- The prize distribution has 2 possible triggers:
- Critical Pot: $2,000,000
-
If there are no High or Medium severity findings, then there will be a low severity pot $20,000
- Please note only the findings that add value to the protocol would be considered. Reviewers are then ranked from 1st to 5th for the purpose of prize allocation.
- 1st: $10k
- 2nd: $5k
- 3rd: $2.5k
- 4th: $1.25k
- 5th: $1.25k
- Please note only the findings that add value to the protocol would be considered. Reviewers are then ranked from 1st to 5th for the purpose of prize allocation.
Early Submission Incentive
- 30% bonus: Given the nature of the EigenLayer codebase & the timelines around it, Researchers are incentivized to submit Critical/High/Medium severity findings early, ie: as soon as one is found. The first valid submission will be rewarded an additional 30% reward, in comparison to its subsequent duplicates.
- The finding must identify the root cause, highest valid impact and describe the finding with all the necessary details to consider it valid.
- Please note that low quality or vague submissions or submissions that could be subject to interpretations will not be considered for the additional reward.
- The escalation process will not apply for these rewards and there will be no discussion for these rewards. The decision made by the Judges/EigenLayer protocol team on these rewards will be final.
Example: If a finding has 5 duplicates.
- Using regular each of the duplicates would get $2000 each
- With the current incentive of 30%. The earliest valid submission gets $2453.83, and the rest of the duplicates get $1886.79 each.
Severity definition:
Risk Classification Matrix
| Severity level | Impact: High | Impact: Medium | Impact: Low |
|---|---|---|---|
| Likelihood: High | Critical/High (Conditional) | High | Medium |
| Likelihood: Medium | High | Medium | Low |
| Likelihood: Low | Medium | Low | Informational |
Critical severity:
- If an attack can result in a profit of more than 1% of the TVL then this can be considered as a critical severity finding.
- Please note there must be sufficient information and undeniable Proof of concept which should be easily verifiable for the loss amount for the finding to be considered Critical with absolutely no ambiguity.
Scoring described in the competition scoring page.
Findings Severities described in detail on our docs page.
Documentation
-
ELIP-0002: Slashing via Unique Stake & Operator Sets: A great intro doc to the slashing release
Scope
This review concerns the v1.3.0 release of the EigenLayer contracts, introducing slashing of restaked assets.
We will be upgrading our existing mainnet contracts to the slashing release, so ensuring this upgrade is compatible with our existing contracts is very important.
Timeline
The slashing release is expected to go to mainnet in April, 2025. The current version of the contracts is already live on two separate Holesky environments.
- Repository: https://github.com/Layr-Labs/eigenlayer-contracts
- Commit::
722f3cbeb7721431f1a2a4a73582f7981212e23d - Files: all Solidity files in
src/contracts
Release: eigenlayer-contracts/releases/tag/v1.3.0
Mandatory POC Rule:
- The mandatory POC rule applies to this competition.
- All Critical/High/Medium findings require a valid coded POC before the end of the competition.
Out of Scope
- The following known issues with v1.3.0 Pectra compatibility are out of scope, as we will be handling them in a separate release:
- Proof sizes are changing; we do not support the new Pectra proofs in this scope
- We do not support verifying validators with 0x02 withdrawal credentials, though it is possible for existing verified validators to be the target of consolidation outside of a pod, moving them to 0x02 credentials.
- We do not support validator consolidation or execution layer triggered withdrawals
- Test files
- Tools and offchain components
- Anything in /scripts/ folder ( eg: upgrade scripts)
- Our current Holesky contracts are on a slightly stale version of Slashing. Because of the current state of Holesky.
- All risks/edge cases mentioned in the above documentation are OOS
- Lightchaser report:
Previous Audits
Contact Us
For any issues or concerns regarding this competition, please reach out to the Cantina core team through the Cantina Discord.
Summary
Status
Reviewing EscalationsTotal reward:
$2,500,000
Findings submitted:
790
Start date:
7 Mar 2025 6:00pm (local time)
End date:
28 Mar 2025 8:00pm (local time)