Announcing the $40,000 STRIPS Hackathon!

Strips Finance (now RabbitX)
Dec 1, 2021

STRIPS is the next generation decentralized interest rate exchange. The goal of this hackathon is to find economic and technical vulnerabilities of our STRIPS contracts.

STRIPS Hackathon Details

  1. $40,000 USDC award pot
  2. Review the GitHub repository for the hackathon here
  3. Submit findings as issues using this form
  4. Please read our guidelines below for more details
  5. Starts: 1 December 12:00 UTC
  6. Ends: 12 December 12:00 UTC
  7. Join our developer-only Telegram to ask any question

How to start

The STRIPS team has created a special repo where you can deploy the STRIPS contracts locally and experiment with them in your local hardhat environment.

This part of the hackathon is a black-box competition: we don’t provide source code at this stage, but the bytecode, artifacts and ABI are available to deploy locally and play with.

The url of the repo:

https://github.com/strips-finance/hackathon

The docs folder contains the call graph for all contracts:

https://github.com/strips-finance/hackathon/tree/master/docs

The deploy folder contains a deploy script:

https://github.com/strips-finance/hackathon/tree/master/deploy

The test folder shows how to interact with the STRIPS contracts:

https://github.com/strips-finance/hackathon/tree/master/test

Below is a high-level description of the contracts. If you want to see the full call graph, use the digraph file here:

https://github.com/strips-finance/hackathon/blob/master/docs/digraph

Then upload it to Graphviz. Here is a good online editor:

https://dreampuf.github.io/GraphvizOnline

How to receive USDC, STRP, and LP tokens

We expect that most attacks will be tested locally first (using the deployment scripts provided in the repo). All deployed contracts can be found in the deployments folder:

https://github.com/strips-finance/hackathon/tree/master/deployments

All current contracts are on the Arbitrum testnet (chainId: 421611, RPC node: https://rinkeby.arbitrum.io/rpc). As a block explorer you can use: https://testnet.arbiscan.io

The first (easiest) scenario:

  1. The GitHub repo has the artifacts and deployment scripts for all the contracts.
  2. You can launch your own copy of STRIPS on your local hardhat node.
  3. Then do whatever you want with it.

The second (fork) scenario:

  1. Fork the testnet on your local machine.
  2. Unlock the addresses of the STRP and SUSD owner.
  3. Transfer STRP to your wallet for testing. (STRP max is 100mln)
  4. For SUSD there is a mint (onlyOwner) call, which you can use to mint an unlimited amount of SUSD to any wallet.
  5. Then use UniswapRouter02 (SushiLpPair is the address of the STRP-SUSD pool) to add liquidity to the pool and receive SUSHI-LP tokens back.
  6. Now you have an LP balance that you can stake to the market/insurance.

For any questions, follow the closed telegram group, where developers will answer.

If you happen to have any question, we are available 24/7 to help:

Email: info@strips.finance

Discord: https://discord.com/invite/XUhQMDmcyE

TG: https://t.me/+jaXzia9QznFjNGE9

About STRIPS

Whitepaper

STRIPS allows traders to trade interest rates in DeFi easily. Traders on STRIPS can long or short interest rates across a variety of interest rate protocols using a virtual automated market maker (vAMM) model for liquidity.

In finance, interest rate swaps account for $400 trillion of daily traded volume, representing over 80% of the world’s total derivatives volume. Interest rates touch on nearly every financial product in traditional markets. Still, unlike traditional finance, the tools to wield them in decentralized finance (DeFi) have yet to be developed or meaningfully deployed in the market.

STRIPS aims to solve this by allowing traders to easily trade interest rates using a derivative instrument called an interest rate swap. Interest rate swaps pay the difference between a floating rate and a fixed rate and allow traders to express directional views on interest rates in a flexible, capital-efficient way. Interest rate swaps are a tool for traders to express directional views in both bull and bear markets. STRIPS will be looking to launch on Arbitrum.

Key Features

The following are the key features of STRIPS:

  1. Users can long or short an interest rate market using leverage. Position collateral is in USDC.
  2. A user's position PnL consists of funding PnL and trading PnL in USDC.

Funding Pnl is calculated as follows (for longs):

Trade Pnl is calculated as follows (for longs):

  3. Users can add collateral to and remove collateral from their open positions above the liquidation threshold.
  4. Positions are netted for the same market (i.e. if a trader goes long $100 and then goes short $200, his position will be -$100).
  5. Users can earn LP tokens + (USDC trading profits and fees) by staking in the AMM.
  6. Users can earn LP tokens + (USDC liquidation profits) by staking in the insurance fund.
  7. Users can stake STRP in the governance contract and earn 20% of trading fees for the whole protocol.
  8. Traders and stakers can earn additional STRP rewards from trading and staking.
  9. Liquidators can call a function to liquidate positions whose collateral and unrealized loss together are less than 3.5% of notional, and share 0.2% of the liquidation profit.

Contracts

Link to GitHub with all of the necessary information for the hackathon:

https://github.com/strips-finance/hackathon

🔍 Scope

.
├── external # ABI and artifacts
├── deploy # deploy with local.ts
├── params # Configuration of the contracts params
├── test # Examples
├── docs # Contracts scheme
└── README.md

Submission Criteria

⚠️ Submit your hackathon findings to this form.

Rewards

Rewards will be given out pro-rata according to a points formula:

Critical severity (6-10 score) pot size = $25,000 
Medium severity (3-5 score) pot size = $10,000
Low severity (1-2 score) pot size = $5,000
Points = Severity score * (0.8^Report Counts) / Report Counts
Reward = Pot size * Points / Total Points

Criteria

  • If you can find anything similarly severe which is not mentioned in examples: your severity score will be 10 out of 10
  • If you can achieve anything mentioned in hacking examples below: you will get severity score of 8 out of 10
  • If you can find technical issues such as overflow and underflow: your severity score is likely to be 5 out of 10
  • If you can find minor issues such as missing modifier: your severity score is likely to be 2 out of 10
  • STRIPS will remain the authority that assigns the severity score and groups similar findings into the same report count. We promise to review your reports with 100% seriousness.

Examples

We have carefully shared some activities that we think can be exploited or could be a vulnerability of STRIPS. If you can successfully prove any of the transactions below, you will receive a score of 8 out of 10:

  1. You can stake and unstake in the same block.
  2. You can open and close in the same block.
  3. You can implement a flashloan attack on STRIPS.
  4. You can open a position that will be immediately liquidated, and not stopped by the system.
  5. You are able to manipulate the market price and have a net positive return after closing all your positions, all else being equal. Please attach the Arbiscan transactions and logs.
  6. You can manipulate the floating rate received from the oracle to boost your return.
  7. As a staker, when the USDC balance is very low and you have positive staking profit (from the AMM's unrealized profit on open trading positions), you can manipulate the LP token price and then use the unstaking function to force the AMM to redeem a large amount of LP tokens. If you can achieve this profitably, please attach the Arbiscan transactions.
  8. You can create an artificial liquidation squeeze on Arbitrum testnet:
     • Disable the liquidation function, so there will be an interruption to the liquidator.
     • Manipulate the market fixed rate to 2000%.
     • Open many short positions to receive positive funding profit, receiving the fixed rate at 2000% and paying the oracle rate at only 2% as time passes, until all longs are liquidated once the liquidation function is fixed.
     • Profit expected: collect (2000%-2%) * notional over the period of time when the liquidation function is interrupted.
     • Loss: lose 100% of the collateral on the long positions used to push the fixed price to 2000%.
     • If you achieve a positive net profit, please show us and attach the Arbiscan transactions.

  9. You can stake and unstake without being charged the 2% withdrawal fee on LPs, which decays linearly over 7 days.

  10. The reward distribution structure is incorrect: we grant the allowance to the reward contracts in one shot (for example, we approve 3.7m STRP to stakingReward and 37m STRP to tradingReward, which should be distributed over 3 years), and you can withdraw the approved amount for all markets in one shot.

  11. If you find that the market is skewed to one side (e.g. the number of market longs is extremely high), you can put on a small trade in the opposite direction (e.g. short) to squeeze the market and make money from:

  • The liquidation fee of 0.2% of realized profit as an external liquidator.
  • Staking before you put on short trades: before you put on a trade to squeeze the market, the unrealized PnL for these long positions is positive. The attacker’s short will cause the last long trader to be liquidated, which further pushes down the market fixed rate and causes more liquidations of longs. Throughout this process, the AMM’s unrealized PnL will change from an unrealized loss (against longs) to realized profit collected from the liquidated long positions. If you staked before putting on the short position, you will be able to capture most of the profits if your staking portion is big enough.
  • Your short position will also have a large profit when the market fixed rate is pushed to a lower level during this liquidation squeeze.
  • This is common to many derivatives products such as BTC perpetual futures. Among people who realize this scenario, if you can show the Arbiscan transactions and tell us your total profit (as a staker and/or as a trader), the report with the highest total profit will be given the highest severity of 10 out of 10, compared to others who only get 8 out of 10.

If you happen to find other vulnerabilities of STRIPS that you think you can exploit for profit, please share with us and you will receive a 10 severity score.

STRIPS will not try to prevent arbitrageur activities and we believe statistical arbitrage strategies that take profits from system pricing mismatch should be encouraged rather than prohibited. Activities such as liquidation squeeze won’t be and cannot be completely eliminated. Profitable statistical arbitrage strategies will receive a score of 5 out of 10.
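For examples 1 and 2 above (stake/unstake and open/close in the same block), a monitoring check over decoded event logs can confirm whether such a round trip actually occurred. This is an added example, not code from the STRIPS repository: the event names (`Staked`, `Unstaked`, `PositionOpened`, `PositionClosed`), the log field layout and the sample logs are all assumptions constructed for illustration.

```javascript
// Added example: event names and log fields are assumptions, not the STRIPS ABI.
const EXIT_FOR_ENTRY = new Map([
  ["Staked", "Unstaked"],
  ["PositionOpened", "PositionClosed"],
]);
const ENTRY_FOR_EXIT = new Map([...EXIT_FOR_ENTRY].map(([entry, exit]) => [exit, entry]));

// Constructed sample of decoded logs (not real chain data). logIndex is block-wide.
const sampleLogs = [
  { block: 100, tx: "0xaa", logIndex: 0, event: "Staked", account: "0xA1" },
  { block: 100, tx: "0xaa", logIndex: 1, event: "Unstaked", account: "0xa1" },
  { block: 101, tx: "0xbb", logIndex: 0, event: "PositionOpened", account: "0xB2" },
  { block: 101, tx: "0xcc", logIndex: 1, event: "PositionClosed", account: "0xB2" },
  { block: 102, tx: "0xdd", logIndex: 0, event: "Staked", account: "0xC3" },
  { block: 109, tx: "0xee", logIndex: 0, event: "Unstaked", account: "0xC3" },
  { block: 110, tx: "0xff", logIndex: 0, event: "Unstaked", account: "0xD4" },
  { block: 110, tx: "0xff", logIndex: 1, event: "Staked", account: "0xD4" },
];

// Returns one finding per entry/exit pair by the same account inside one block.
function findSameBlockRoundTrips(logs) {
  // Replay logs in execution order so an exit only matches an earlier entry.
  const ordered = [...logs].sort((a, b) => a.block - b.block || a.logIndex - b.logIndex);
  const pending = new Map(); // "block|account|entryEvent" -> entry log
  const findings = [];
  for (const log of ordered) {
    const account = log.account.toLowerCase(); // addresses compare case-insensitively
    if (EXIT_FOR_ENTRY.has(log.event)) {
      pending.set(`${log.block}|${account}|${log.event}`, log);
      continue;
    }
    const entryEvent = ENTRY_FOR_EXIT.get(log.event);
    if (!entryEvent) continue; // unrelated event
    const key = `${log.block}|${account}|${entryEvent}`;
    const entry = pending.get(key);
    if (!entry) continue; // entry happened in an earlier block, or not at all
    pending.delete(key);
    findings.push({
      account,
      block: log.block,
      pair: `${entryEvent}->${log.event}`,
      sameTx: entry.tx === log.tx, // true: both happened atomically in one transaction
    });
  }
  return findings;
}

console.log(findSameBlockRoundTrips(sampleLogs));
```

The `sameTx` flag separates round trips made atomically inside one transaction from those spread over two transactions in the same block.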

Important

➡️ Turn in your reports before the contest end time (12 December 12:00 UTC) in this form. ANY REPORTS AFTER THIS TIME WILL NOT BE COUNTED.

➡️ Be sure to fill your handle and ETH address to receive your share.

➡️ Publicly disclosing any discovered bugs or vulnerabilities is grounds for disqualification.

STRIPS is currently hiring for several roles. Interested applicants can email their resume and cover letters to jobs@strips.finance.

To learn more please visit the project’s website at https://strips.finance/ or follow the project on

Twitter | Telegram | Discord
