Live
Ends in 20 days
Initia

Initia Move

A network for interwoven rollups.

editView Repo Submit finding
  • Start date7 Jan 8:00 PM UTC
  • End date28 Jan 8:00 PM UTC
  • Total awards$70,000 in USDC
  • Duration21 days

Initia Move audit details

  • Total Prize Pool: $70,000 in USDC
    • HM awards: $56,300 in USDC
    • QA awards: $2,300 in USDC
    • Judge awards: $6,800 in USDC
    • Validator awards: $4,600 in USDC
  • Read our guidelines for more details
  • Starts January 7, 2025 20:00 UTC
  • Ends January 28, 2025 20:00 UTC

Note re: risk level upgrades/downgrades

Two important notes about judging phase risk adjustments:

  • High- or Medium-risk submissions downgraded to Low-risk (QA)) will be ineligible for awards.
  • Upgrading a Low-risk finding from a QA report to a Medium- or High-risk finding is not supported.

As such, wardens are encouraged to select the appropriate risk level carefully during the submission phase.

Overview

Initia is a network for interwoven optimistic rollups; Initia is holistically rebuilding how the multichain system should look, feel, and operate.

At its core, Initia reconstructs the entire technological stack, introducing a foundational Layer 1 blockchain integrated with the Layer 2 infrastructure. This integration fosters a tightly knit, interwoven ecosystem of modular networks. Owning the complete technological stack enables Initia to implement chain-level mechanisms that harmonize the economic interests of users, developers, Layer 2 app-chains, and the Layer 1 chain itself.

Links

Scope

Excluding all auto-generated files, tests, and mocks in all of the above scopes.

Files out of scope

Additional context

Main invariants

  1. consensus breaking (non-deterministic)
  2. authorization problem (especially signer permission)
  3. correctness of implementation (especially dex part)

Attack ideas (where to focus for bugs)

  • In our ecosystem, we frequently use the bridge hook for IBC (Inter-Blockchain Communication) transfers. Therefore, we want to identify and mitigate any potential security vulnerabilities associated with the use of this bridge hook.
  • In movevm, we have implemented json interface and json marshal unmarshal feature on move contract. It's kinda unique feature on move ecosystem, so good to focus on this part.

All trusted roles in the protocol

The Governance Account

Describe any novel or unique curve logic or mathematical models implemented in the contracts:

We have two dex implementations

  1. balancer dex (precompiles/modules/initia_stdlib/dex.move)
  2. stableswap (precompiles/modules/initia_stdlib/stableswap.move)

Running tests

# initia
git clone https://github.com/initia-labs/initia
(cd initia && make test)

# movevm
git clone https://github.com/initia-labs/movevm
(cd movevm && make test)

# run move tests
(cd movevm && initiad move test --path ./precompiles/modules/initia_stdlib --statistics)

# run vip tests
git clone https://github.com/code-423n4/2025-01-initia-move
(cd 2025-01-initia-move && initiad move test --path ./vip-module --statistics)

# run usernames tests
git clone https://github.com/code-423n4/2025-01-initia-move
(cd 2025-01-initia-move && initiad move test --path ./usernames-module --statistics)

Miscellaneous

Employees of Initia and employees' family members are ineligible to participate in this audit.

Code4rena's rules cannot be overridden by the contents of this README. In case of doubt, please check with C4 staff.