Immunefi
Blog
Platform
Bug Bounty ProgramsAudit CompetitionsInvite OnlySafe HarborVaultsManaged TriageHelp Center
Security Researchers
Help for WhitehatsLearnLeaderboardImmunefi Top 10 BugsWhitehat AwardsWhitehat Hall of FameReport FindingsResponsible Publication
LoginExplore bountiesGet Protected
Back to Explore
Attackathon | Stacks II-logo

Attackathon | Stacks II

|
Learn

Stacks is a Bitcoin L2 enabling smart contracts & apps with Bitcoin as the secure base layer. This Attackathon focuses on Stacks’ sBTC upgrade.

Bitcoin
Stacks
L2
Rust
Clarity

Evaluating

16d: 13h remaining
Reward Pool
$250,000
Start Date
24 February 2025
End Date
27 March 2025
Rewards Token
STX
Lines of Code
38,000

  • Triaged by Immunefi

  • PoC required

  • KYC required

InformationScopeResources

Build commands, test commands, and how to run them can be found here on the Stacks Academy.

Project Technical Info

What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported? Which are not?

SIP10 is the only token standard supported https://github.com/stacksgov/sips/blob/main/sips/sip-010/sip-010-fungible-token-standard.md

What emergency actions may you want to use as a reason to invalidate or downgrade an otherwise valid bug report?

Deposit processing can be paused by shutting down the Emily API server. In the case of vulnerabilities in deposit handling, this can be used to reduce the impact of an ongoing attack.

What addresses would you consider any bug report requiring their involvement to be out of scope, as long as they operate within the privileges attributed to them?

Signers are permissioned and whitelisted operators. Any attack that requires a majority of signers to be malicious should be out of scope. Attacks that require a minority of signers to be malicious would still be in scope but with reduced severity.

Which chains and/or networks will the code in scope be deployed to?

Stacks L2

Is this an upgrade of an existing system? If so, which? And what are the main differences?

This attackaton focuses on sBTC V1, which adds (wrt previous attackathon for version 0.9) the ability to withdraw sBTC back into Bitcoin (on the L1).

The main differences include:

  • The new code related to withdrawals;
  • all existing code (including the previous code related to deposits);
  • key rotation, which allows the signer set to agree on a new aggregate key and start using it;
  • the WSTS cryptographic library that powers threshold signature on Bitcoin.

Code until https://github.com/stacks-network/sbtc/releases/tag/0.0.9-rc7.1 is related to deposits. Anything more recent is related to withdrawals.

Where do you suspect there may be bugs?

The end-to-end flow of processing new Bitcoin deposits and minting sBTC on Stacks is relatively complex and error prone. Issues here could allow DoS of valid deposits or incorrect minting/burning of unbacked sBTC.

Vulnerabilities in the sBTC smart contracts hosted on Stacks could break the core assumptions of the system. Any attack that leads to a mismatch between the BTC collateral and the sBTC would be highly interesting to us.

Any attacks against the threshold signature scheme used on Bitcoin

Where might Security Researchers confuse out-of-scope code to be in-scope?

Vulnerabilities in the Stacks L2 blockchain itself should be reported directly to the Stacks Immunefi bug bounty.