
Attackathon | Stacks II
Stacks is a Bitcoin L2 enabling smart contracts & apps with Bitcoin as the secure base layer. This Attackathon focuses on Stacks’ sBTC upgrade.
Evaluating
Triaged by Immunefi
PoC required
KYC required
Build commands, test commands, and how to run them can be found here on the Stacks Academy.
Project Technical Info
What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported? Which are not?
SIP10 is the only token standard supported: https://github.com/stacksgov/sips/blob/main/sips/sip-010/sip-010-fungible-token-standard.md
What emergency actions may you want to use as a reason to invalidate or downgrade an otherwise valid bug report?
Deposit processing can be paused by shutting down the Emily API server. In the case of vulnerabilities in deposit handling, this can be used to reduce the impact of an ongoing attack.
For which addresses would you consider any bug report requiring their involvement to be out of scope, as long as they operate within the privileges attributed to them?
Signers are permissioned and whitelisted operators. Any attack that requires a majority of signers to be malicious should be out of scope. Attacks that require a minority of signers to be malicious would still be in scope but with reduced severity.
Which chains and/or networks will the code in scope be deployed to?
Stacks L2
Is this an upgrade of an existing system? If so, which? And what are the main differences?
This Attackathon focuses on sBTC V1, which adds (with respect to the previous Attackathon for version 0.9) the ability to withdraw sBTC back into Bitcoin (on the L1).
The main differences include:
- the new code related to withdrawals;
- all existing code (including the previous code related to deposits);
- key rotation, which allows the signer set to agree on a new aggregate key and start using it;
- the WSTS cryptographic library that powers threshold signatures on Bitcoin.
Code until https://github.com/stacks-network/sbtc/releases/tag/0.0.9-rc7.1 is related to deposits. Anything more recent is related to withdrawals.
Where do you suspect there may be bugs?
The end-to-end flow of processing new Bitcoin deposits and minting sBTC on Stacks is relatively complex and error-prone. Issues here could allow DoS of valid deposits or incorrect minting/burning of unbacked sBTC.
Vulnerabilities in the sBTC smart contracts hosted on Stacks could break the core assumptions of the system. Any attack that leads to a mismatch between the BTC collateral and the sBTC would be highly interesting to us.
Any attacks against the threshold signature scheme used on Bitcoin.
Where might Security Researchers mistake out-of-scope code for in-scope code?
Vulnerabilities in the Stacks L2 blockchain itself should be reported directly to the Stacks Immunefi bug bounty.