Aurora Audit Contest

Triaged by HackenProof
Submit report
Contest ended 29.10.2023

Aurora Labs have created two features of Aurora Engine: the cross-chain calls and the hashchain.

The cross-chain contract calls between Aurora and NEAR offer a powerful and flexible solution for developers and users who wish to access the benefits of both platforms. By leveraging the capabilities of Aurora and the NEAR Protocol, these communications enable seamless interaction between the two ecosystems.

The goal of the block hashchain is to enable someone running a non-archival NEAR node to verify Aurora data is not tampered with while minimizing the on-chain overhead.

In Scope

Target Type Severity Reward

Hashchain integration:

  • Rust based
  • rLOC: 768
Engine Critical Bounty

XCC (Cross-Contract-Calls):

  • Rust based
  • rLOC: 403
Engine Critical Bounty

XCC (Cross-Contract-Calls):

  • Rust based
  • rLOC: 344
Engine Critical Bounty

Hashchain integration:

  • Rust based
  • rLOC: 103
Engine Critical Bounty

XCC Router:

  • Rust based
  • rLOC: 338
Engine Critical Bounty

Hashchain integration:

  • Rust based
  • rLOC: 768

XCC (Cross-Contract-Calls):

  • Rust based
  • rLOC: 403

XCC (Cross-Contract-Calls):

  • Rust based
  • rLOC: 344

Hashchain integration:

  • Rust based
  • rLOC: 103

XCC Router:

  • Rust based
  • rLOC: 338

Group for discussion:


  • NOTE! Aurora is entitled to make payments in AURORA tokens.
  • Only two new features of Aurora Engine are in scope of this contest: cross-contract calls and the hashchain
  • Please submit all other issues through our regular bug bounty
  • Only qualified auditors or audit companies can participate in this audit. read more


Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.

  • Any governance voting result manipulation
  • Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
  • Permanent freezing of funds
  • Insolvency
  • Theft of unclaimed yield
  • Permanent freezing of unclaimed yield
  • Temporary freezing of funds
  • Smart contract unable to operate due to lack of funds
  • Block stuffing for profit
  • Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
  • Theft of gas
  • Unbounded gas consumption
  • Smart contract fails to deliver promised returns, but doesn’t lose value
  • Functional correctness of implementation even if it's not directly impacting user funds

Best practices, architectural flaws and other types of issues are included at discretion of Aurora's team.


  • Incorrect data supplied by third party oracles
  • Not to exclude oracle manipulation/flash loan attacks
  • Basic economic governance attacks (e.g. 51% attack)
  • Lack of liquidity
  • Sybil attacks
  • Centralization risks

The following activities are prohibited by this contest event:

  • Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
  • Any testing with pricing oracles or third party smart contracts
  • Attempting phishing or other social engineering attacks against our employees and/or customers
  • Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
  • Any denial of service attacks
  • Automated testing of services that generates significant amounts of traffic
  • Public disclosure of an unpatched vulnerability in an embargoed bounty
  • As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
  • No vulnerability disclosure, including partial, is allowed for the moment.
  • Please do NOT publish/discuss bugs

We are happy to thank everyone who submits valid reports, which help us improve the security. However, only those who meet the following eligibility requirements may receive a monetary reward:

  • You must be the first vulnerability reporter.
  • The vulnerability must be a qualifying vulnerability
  • Any vulnerability found must be reported no later than 24 hours after discovery, and exclusively through
  • You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof of concept code as necessary.
  • You must not be a former or current employee of us or one of its contractors.
  • ONLY USE YOUR HackerProof ADDRESS (in case of violation, no bounty can be awarded)
  • Provide detailed but to-the-point reproduction steps, proof of concept is mandatory for all severity types of smart contract and webapp vulnerabilities.
  • Hacker must successfully pass KYC in order to be eligible for the reward.


To build and deploy projects with Aurora engine to the NEAR local network, the following utilities are required:

  • Node.js (v14+)
  • npm
  • Docker
  • rustc
  • cargo
  • cargo-make
  • near-cli
  • aurora-cli
  • nearcore
  • nearup

Rustup installation

rustup installs The Rust Programming Language from the official release channels, enabling you to easily switch between stable, beta, and nightly compilers and keep them updated. It makes cross-compiling simpler with binary builds of the standard library for common platforms. And it runs on all platforms Rust supports.

To install rustup, execute the following command:

curl --proto '=https' --tlsv1.2 -sSf | sh

After the script executed, the installation can be validated by executing

rustc -V && rustup -V

Cargo-make installation

The cargo-make task runner enables to define and configure sets of tasks and run them as a flow.

To install cargo-make, execute the following command:

cargo install cargo-make

The installation can be verified by executing

cargo make -h

Node.js installation

As an asynchronous event-driven JavaScript runtime, Node.js is designed to build scalable network applications. For it's installation, execute the following commands:

sudo apt update
sudo apt install nodejs
sudo apt install npm

The installation of the Node.js can be verified with node -v command.

If the Node.js is already installed, but the version is lower than required (v14+), it can be easily updated through the npm:

First, clear the npm cache:

npm cache clean -f

Install n, Node’s version manager:

npm install -g n

Install the latest stable version:

sudo n stable

Docker installation

Docker is a set of platform as a service products that use OS-level virtualization to deliver software in packages called containers.

Update the apt package index and install packages to allow apt to use a repository over HTTPS:

sudo apt-get update
sudo apt-get install ca-certificates curl gnupg

Add Docker's official GPG key:

sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg

Use the following command to set up the repository:

echo \
  "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] \
  "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

Update the apt package index:

sudo apt-get update

Install Docker Engine. To install the latest version, run:

sudo apt-get install docker-ce docker-ce-cli docker-buildx-plugin docker-compose-plugin

Verify that the Docker Engine installation is successful by running the hello-world image.

sudo docker run hello-world

Further docker builds may fail due to permission denied while trying to connect to the Docker daemon socket error, so to prevent it, the following commands should be executed:

sudo usermod -aG docker ${USER}
su -s ${USER}

Now verify that the container run is not failing by executing docker run hello-world as a curent user.

Nearup installation

nearup - python script used for running NEAR node locally. Can be istalled with pip3 command:

pip3 install nearup

Near-cli installation

The NEAR Command Line Interface (CLI) is a tool that enables to interact with the NEAR network directly from the shell. Among other things, the NEAR CLI enables you to:

  • Manage token assets such as NEAR, FT, NFT
  • Manage account
  • Manage smart-contracts: deploy code, call functions
  • Operate transactions

near-cli-rs can be installed with cargo command:

cargo install near-cli-rs

Aurora-cli installation

Aurora CLI is a command line interface to bootstrap Aurora Engine with rapid speed built with rust.

aurora-cli-rs can be installed with cargo command:

cargo install --git

Near Core build

NEAR Protocol, an infrastructure for server-less applications and smart contracts powered by a blockchain. NEAR Protocol is built to deliver usability and scalability of modern PaaS like Firebase at fraction of the prices that blockchains like Ethereum charge.

Near Core can be easily built with the following commands:

git clone && cd nearcore/
git checkout master
make neard

This will start the compilation process. It will take some time depending on your machine power (e.g. i9 8-core CPU, 32 GB RAM, SSD takes approximately 25 minutes). Note that compilation will need over 1 GB of memory per virtual core the machine has. If the build fails with processes being killed, you might want to try reducing number of parallel jobs, for example: `CARGO_BUILD_JOBS=8 make neard`.

After the neard compiled, the Near local chain can be started with:

./target/release/neard --home ~/.near init --chain-id localnet
./target/release/neard --home ~/.near run

Aurora Engine: build

Aurora is an Ethereum Virtual Machine (EVM) project built on the NEAR Protocol, that provides a solution for developers to deploy their apps on an Ethereum-compatible, high-throughput, scalable and future-safe platform, with low transaction costs for their users. Engine is the Aurora's implementation for it.

git clone && cd aurora-engine/

For further builds and tests, one of the following profiles should be selected:

  • mainnet, suitable for mainnet.
  • testnet, suitable for testnet.
  • local, suitable for local development.
  • custom, suitable for custom environments, see note below.

Building the engine and contracts

To build the binaries there are a few commands to do such following the format.

The current available build tasks are:

  • default, does not need to be specified, runs build. Requires a --profile argument.
  • build, builds main engine smart contract and produces the aurora-<profile>.wasm in the bin folder. Requires a --profile argument.
  • build-test, a special version of smart contract which is used in the tests. Requires a --profile argument.
  • build-contracts, builds all the ETH contracts.
  • build-docker, builds the aurora-<profile>.wasm in the bin folder using docker build environment. The purpose of this task is to produce reproducible binaries.

For example, the following will build the mainnet release binary of the smart contract:

cargo make --profile mainnet build

Aurora Engine: running unit & integration tests

To run tests, there are a few cargo make tasks we can run:

  • test, tests the whole cargo workspace and ETH contracts. Requires a --profile argument.
  • test-workspace, tests only the cargo workspace.
  • test-contracts, tests only the contracts.

For example, the following will test the whole workspace and ETH contracts:

cargo make --profile mainnet test

Aurora Engine: running checks & lints

To run lints and checks, the following tasks are available:

  • check, checks the format, clippy and ETH contracts.
  • check-contracts, runs yarn lints on the ETH contracts.
  • check-fmt, checks the workspace Rust format only.
  • check-clippy, checks the Rust workspace with clippy only.

For example the following command will run the checks. profile is not required here:

cargo make check

Aurora Engine: cleanup

To clean up the workspace, the following tasks are available:

  • clean, cleans all built binaries and ETH contracts.
  • clean-cargo, cleans with cargo.
  • clean-contracts, cleans the ETH contracts.
  • clean-bin, cleans the binaries.

Additionally, there is also but not included in the clean task:

  • sweep, sweeps the set amount of days in the ENV, default at 30 days.

For example, the following command will clean everything. profile is not required:

cargo make clean

Deploy on a NEAR local chain

The compiled binary version of the Aurora Engine can be easily deployed on the NEAR local chain with the following commands:

nearup run localnet --home /tmp/localnet
aurora-cli --near-key-path /tmp/localnet/node0/validator_key.json create-account --account aurora.node0 --balance 100 > /tmp/localnet/aurora_key.json
aurora-cli --near-key-path /tmp/localnet/aurora_key.json deploy-aurora aurora-mainnet.wasm
aurora-cli --engine aurora.node0 --near-key-path /tmp/localnet/aurora_key.json init --chain-id 1313161556 --owner-id aurora.node0

Complied binaries are located in the ~/aurora-engine/bin/ directory.

  • 40% for critical issues
  • 30% for high issues
  • 15% for medium issues
  • 5% gas optimization issues

Read more: