Stacks sBTC Academy is a learning page with everything you need to know to find bugs on Stacks. With guides to help you learn Stacks fast and use Immunefi successfully.

Stacks sBTC Academy

Learn why the Stacks ecosystem was built, its connection to Bitcoin, and what separates Stacks from other L2 blockchain protocols.

What is Stacks?

Explore how Stacks is intrinsically connected to Bitcoin, using the Bitcoin blockchain as a base layer. Learn how this connection ensures a secure and immutable foundation for Stacks-based smart contracts and decentralized applications.

Stacks connection to Bitcoin

Familiarize yourself with the fundamental terminology and concepts within the Stacks network.

Network Basic Definitions

Dive into the Proof of Transfer (PoX) consensus mechanism, which uniquely ties Stacks to Bitcoin. Learn how PoX secures Stacks, incentivizes participation, and bridges the two blockchain networks.

Proof of Transfer (PoX)

Discover how accounts are managed within the Stacks ecosystem, including account addresses, private keys, and the mechanisms that ensure secure and efficient transaction management.

Account Model

Understand the process of block production in the Stacks network, including the role of miners and the rules governing the creation of new blocks and their integration into the blockchain.

Block Production

Explore the mechanics of mining in the Stacks ecosystem, including how miners compete to win rewards by committing Bitcoin and the factors that influence successful mining.

How Mining Works

Learn how signing ensures the integrity of blocks and transactions within the Stacks blockchain. Understand the role of cryptographic signatures in validating and securing the network.

How Signing Relates to Block Production

Discover the Stacking mechanism, where participants lock their STX tokens to support network consensus and earn Bitcoin rewards. Understand the role of Stackers in the Stacks ecosystem and how Stacking contributes to network security.

How Stacking Works

Gain insights into how transactions are structured and processed within the Stacks network, from signing and broadcasting to inclusion in blocks and finalization on Bitcoin.

How Transactions Work

Stacks 101

Explore Clarity, the purpose-built smart contract language for the Stacks blockchain. Learn how Clarity is designed for predictability, security, and auditability, with a focus on preventing bugs and exploits commonly seen in other blockchain smart contract languages.

What is Clarity?

Dive into "The Clarity Book," a comprehensive guide to getting started with Clarity. This resource provides step-by-step instructions, examples, and best practices for understanding secure and efficient smart contracts on the Stacks blockchain.

The Clarity Book

Clarity

Learn about sBTC, a Bitcoin-pegged asset on the Stacks blockchain. Understand its purpose, how it bridges Bitcoin and Stacks ecosystems, and its role in unlocking Bitcoin's programmability while retaining its native value.

What is sBTC?

Understand the process of minting sBTC by depositing Bitcoin into the bridge. Gain insights into the mechanisms that ensure Bitcoin is securely locked and the equivalent sBTC is issued on Stacks.

Minting sBTC

Learn how to withdraw Bitcoin by redeeming sBTC through the sBTC Bridge. This includes understanding the operational flow and security measures in place to ensure a reliable withdrawal process.

Withdrawing BTC

Explore the Emily API, a crucial component for managing the sBTC Bridge. Learn how it facilitates seamless communication between sBTC users and signers, ensuring secure and efficient sBTC operations.

Emily API

Dive into the lifecycle of an sBTC transaction, from initiation to completion. This module covers the detailed steps and interactions between Bitcoin, Stacks, and Clarity smart contracts.

sBTC Transaction Walkthrough

Understand the concept of Peg Wallet UTXO and its role in managing Bitcoin transactions within the sBTC Bridge. Learn about the underlying UTXO model and its integration into the sBTC system.

Peg Wallet UTXO

Explore the Clarity smart contracts that power the sBTC Bridge. This includes an in-depth look at their state variables and interfaces, focusing on their role in enabling secure and efficient sBTC operations.

Clarity Contracts

sBTC

Learn how to set up the sBTC development environment by installing required tools and dependencies. Follow step-by-step instructions to prepare your system for sBTC development and testing.

Setup and Installing Dependencies

Understand how to build the sBTC project and execute unit tests to verify the correctness of individual components. This module covers the basics of testing methodology and troubleshooting.

Building and Running Unit Tests

Learn how to set up a local test environment to run integration tests for the sBTC system. This includes simulating real-world interactions to identify and debug issues effectively.

Running a Test Environment for Integration Tests

Running a Proof of Concept (PoC)

Understand the financial incentives driving participation in the Stacks network and the challenges related to security and budget allocation.

Financial Incentives and Known Issues

Audits & Known Issues

Explore the foundational Stacks whitepaper to gain insights into the technical architecture and design principles of the Stacks network.

Stacks Whitepaper

Study the sBTC whitepaper to understand the technical design, architecture, and mechanisms behind Bitcoin-pegged assets on Stacks. Gain insights into the sBTC bridge, minting and redemption processes, and the system's security model.

sBTC Whitepaper

Review a high-level summary of the technical specifications governing the Stacks blockchain and its key features.

Overview of Technical Specifications

Understand Stacks Improvement Proposals (SIPs), which define changes and upgrades to the Stacks network. Discover how SIPs are developed and implemented collaboratively to maintain and enhance the network's capabilities.

What is a Stacks Improvement Proposal (SIP)?

Learn about SIP-007, which defines the Proof-of-Transfer (PoX) consensus mechanism and its role in securing the Stacks network.

SIP007: Proof of Transfer

Discover the enhancements introduced in SIP-015, including upgrades to the PoX mechanism and the Clarity programming language.

SIP015: Upgrade to PoX and Clarity

Explore SIP-021, which details the integration of Nakamoto Consensus principles into the Stacks network.

SIP021: Nakamoto Consensus

Access the complete repository of Stacks Improvement Proposals (SIPs) to review and understand all network upgrades and features.

Repository of SIPs

Understand the OP_RETURN opcode in Bitcoin transactions and its relevance to Stacks, particularly for embedding metadata in Bitcoin blocks.

The OP_RETURN opcode

Dive into Weighted Schnorr Threshold Signatures (WSTS) and their role in enhancing multisignature schemes for secure key management in Stacks.

Weighted Schnorr Threshold Signatures

Explore the FROST protocol, a round-optimized Schnorr threshold signature scheme that balances efficiency and security for multi-party cryptographic operations.

Schnorr Signatures through FROST

Technical FAQ

Attackathons are education-based bug hunting competitions where security researchers compete over a reward pool by submitting impactful bugs in the project's code. Here’s how they work:

**Before the Attackathon**<br/> Immunefi works with the project to host a security-focused education period, providing top tier education and support to security researchers.

**During the Attackathon**<br/> Security researchers experience the optimal hunting conditions, with direct project support, responsiveness, and duplicate rewards.

**After the Attackathon**<br/> Immunefi spotlights the security accomplishments, with a custom leaderboard, Attackathon Findings Report, Bug Fix Reviews, and NFT awards.

Ultimately, Attackathons serve to secure projects, develop their security ecosystem, and create new opportunities for security researchers.

What's an Attackathon?

sBTC Signer - a signer entity separate from the Stacks Nakamoto signer which signs sBTC operations, communicates with sBTC contracts, and manages sBTC UTXOs. - 19760

Emily - An API that helps facilitate and supervise the sBTC Bridge - 6000

Protobuffs - Platform-neutral extensible mechanisms for serializing structured data. - 292

lib-sbtc - A library for creating BTC deposit transactions that can be handled by the sBTC signers. - 1186

Smart Contract - sBTC contracts - The Clarity contracts for the sBTC protocol. - 645

Learn more on the Stacks' Academy.

## Project Technical Info

What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported? Which are not?

- SIP10 is the only token standard supported https://github.com/stacksgov/sips/blob/main/sips/sip-010/sip-010-fungible-token-standard.md 

What emergency actions may you want to use as a reason to invalidate or downgrade an otherwise valid bug report?

- Deposit processing can be paused by shutting down the Emily API server. In the case of vulnerabilities in deposit handling, this can be used to reduce the impact of an ongoing attack.

What addresses would you consider any bug report requiring their involvement to be out of scope, as long as they operate within the privileges attributed to them?

- Signers are permissioned and whitelisted operators. Any attack that requires a majority of signers to be malicious should be out of scope. Attacks that require a minority of signers to be malicious would still be in scope but with reduced severity. 

Which chains and/or networks will the code in scope be deployed to?

- Stacks L2

## Security Researcher Education

Is this an upgrade of an existing system? If so, which? And what are the main differences?

- sBTC is a new 1:1 Bitcoin-backed asset on the Stacks Bitcoin L2. The in-scope codebase is completely new. 

Where do you suspect there may be bugs?

- The end-to-end flow of processing new Bitcoin deposits and minting sBTC on Stacks is relatively complex and error prone. Issues here could allow DoS of valid deposits or incorrect minting of unbacked sBTC.

Vulnerabilities in the sBTC smart contracts hosted on Stacks could break the core assumptions of the system. Any attack that leads to a mismatch between the BTC collateral and the sBTC would be highly interesting to us.

- Any attacks against the threshold signature scheme used on Bitcoin

Where might Security Researchers confuse out-of-scope code to be in-scope?

- Vulnerabilities in the Stacks L2 blockchain itself should be reported directly to the [Stacks Immunefi bug bounty](https://immunefi.com/bug-bounty/stacks/information/). 

- The initial launch of sBTC does not enable withdrawals back to Bitcoin. While partial code to support withdrawals can be found in the codebase, issues that can’t be exploited in “deposit-only” mode will be downgraded.

Are there any unusual points about your protocol that may confuse Security Researchers?

- sBTC launches without support for withdrawals. Users can go from BTC -> sBTC, but the support for sBTC -> BTC is not fully implemented. This functionality will be part of a follow-up contest.

f4lc0n

n4nika

throwing5tone7

jovemjeune

PaiMei_and_Gandalf

niroh

XDZIBECX

https://drive.google.com/file/d/1uyOVRAIK_UAtRHszN29ekjI82BJIHJQi/view?usp=sharing

Stacks is a Bitcoin L2 enabling smart contracts & apps with Bitcoin as the secure base layer. This Attackathon focuses on Stacks’ sBTC upgrade.

Network not being able to confirm new transactions (total network shutdown)

Block stuffing

Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)

Theft of gas

Unbounded gas consumption

Contract fails to deliver promised returns, but doesn't lose value

Direct loss of funds

Permanent freezing of funds (fix requires hardfork)

Unintended chain split (network partition)

Shutdown of greater than or equal to 30% of network processing nodes without brute force actions, but does not shut down the network

A bug in the respective layer 0/1/2 network code that results in unintended smart contract behavior with no concrete funds at direct risk

Shutdown of greater than 10% or equal to but less than 30% of network processing nodes without brute force actions, but does not shut down the network

Modification of transaction fees outside of design parameters

Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield

Permanent freezing of funds

Protocol insolvency

Theft of unclaimed yield

Permanent freezing of unclaimed yield

Smart contract unable to operate due to lack of token funds

Unintended permanent chain split requiring hard fork (network partition requiring hard fork)

API crash preventing correct processing of deposits

Temporary freezing of funds for at least 24h

Temporary freezing of funds for at least 1h

Temporarily Freezing Network Transactions

**Asset Accuracy Assurance**

Bugs found on assets incorrectly listed in-scope will be considered valid and be rewarded.
The initial launch of sBTC does not enable withdrawals back to Bitcoin. While partial code to support withdrawals can be found in the codebase, issues that can’t be exploited in “deposit-only” mode will be downgraded.

**Public Disclosure of Known Issues**

Bug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. 
- https://github.com/stacks-network/sbtc/issues?q=is%3Aissue+is%3Aopen+label%3A%22flagged+by+AR%22
- https://github.com/stacks-network/sbtc/issues

The project will share detailed changelogs when code changes are released during the Attackathon on Discord and they will be documented in our [Stacks changelog](https://immunefisupport.zendesk.com/hc/en-us/articles/30737752973073-Stacks-Attackathon-1-Code-Update-Changelog).

**Previous Audits**

Stacks’s completed audit reports can be found at https://stacks.org/audits. Any unfixed vulnerabilities  mentioned in these reports are not eligible for a reward.

**Private Known Issues Reward Policy**

Private known issues, meaning known issues that were not publicly disclosed, are valid for a reward.

**Primacy of Impact vs Primacy of Rules**

Stacks adheres to the Primacy of Rules, which means that the whole bug bounty program is run strictly under the terms and conditions stated within this page.

**KYC Information**

Stacks will be requesting KYC information in order to pay for successful bug submissions. The following information will be required:
- Full name
- Date of birth
- Proof of address (either a redacted bank statement with address or a recent utility bill)
- Copy of Passport or other Government issued ID

Security researchers are required to submit KYC within 14 days of KYC being requested, else their rewards may be forfeited. Immunefi may make exceptions due to extenuating circumstances.

The following reward terms are a summary, for the full details read our [Stacks Attackathon 1 Reward Terms](https://immunefisupport.zendesk.com/hc/en-us/articles/30553590157073-Stacks-Attackathon-1-Reward-Terms).

- **The reward pool size is $250,000 USD**, regardless of bugs found.

- **On top of the above rewards,** the yield generated from 1 Million STX over 3 months will be distributed equally among all SRs who submit a valid bug report. Estimated to be **worth about $50,000 USD** as of December 2nd, 2024.

Duplicates and private known issues are valid for a reward.

NAME	EARNINGS	TOTAL VALID BUGS	CRITICAL	HIGH	MEDIUM/LOW	INSIGHTS
1 f4lc0n	$101,043	10	1	4	5	2
2 n4nika	$84,837	9	0	7	2	3
3 throwing5tone7	$45,403	2	1	0	1	0
4 jovemjeune	$10,892	1	0	1	0	0
5 PaiMei_and_Gandalf	$3,631	1	0	0	1	0
6 niroh	$1,961	2	0	0	2	0
7 XDZIBECX	$1,210	1	0	0	1	0
8 ZoA	$1,023	0	0	0	0	1

Attackathon | Stacks

Status

Status