Somnia Audit Contest

Audit program, triaged by HackenProof

Company: Somnia
KYC required, POC required
Status: Ended (contest ended 20.09.2025)

Somnia is a high-performance, cost-efficient EVM-compatible Layer 1 blockchain capable of processing over 1,000,000 transactions per second (TPS) with sub-second finality. It is suitable for serving millions of users and building real-time mass-consumer applications like games, social applications, metaverses, and more, all fully on-chain.

In scope

Target: https://github.com/hackenproof-public/somnia
  • Participation: Invite-only - https://discord.gg/g7u4afaYu7
  • KYC Required
Type: Smart Contract
Severity: Critical

Focus Area

IN-SCOPE VULNERABILITIES

Only the following impacts are accepted within this bug bounty program. All other impacts are not considered in scope, even if they affect an asset listed in the in-scope table.

  • Stealing or loss of funds
  • Unauthorized transaction
  • Transaction manipulation
  • Price manipulation
  • Fee payment bypass
  • Balance manipulation
  • Contract execution flows
  • Consensus flaws
  • Peer-to-peer network flaws
  • Cryptographic flaws

NOTE: It is important to run all tests against the local mainnet deployment, i.e. NETWORK_PRESET=mainnet-small ./ci/run-local-deployment.sh (see the setup guide). Issues that only reproduce on a non-mainnet configuration will be considered out of scope.

OUT OF SCOPE

  • Network-level DoS
  • Issues arising solely due to Somnia’s intentional divergence from Ethereum gas cost or call semantics are out of scope.
  • Price increases under high load are by design and not in scope
  • All features or code paths not enabled in the mainnet or mainnet-small configuration
  • The protocol smart contracts are out of scope

Program Rules

The following rules apply to this contest:

  • Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
  • Any testing with pricing oracles or third party smart contracts
  • Attempting phishing or other social engineering attacks against Somnia employees and/or customers
  • Any denial of service attacks
  • Public disclosure of an unpatched vulnerability in an embargoed bounty
  • Make every effort not to damage or restrict the availability of products, services, or infrastructure
  • Avoid compromising any personal data, interruption, or degradation of any service
  • Localize all tests to your accounts
  • Perform testing only within the scope
  • If you find a chain of vulnerabilities, only the vulnerability with the highest severity in the chain will be paid.
  • Details of found vulnerabilities must not be communicated to anyone who is not a member of the HackenProof team or an authorized employee of Somnia without appropriate permission.

Discussion

We use Discord as the official communication channel: https://discord.gg/ Join the channel and create a #support ticket to be added to the conversation.

Audit report

Hacken - July 2025

Disclosure Guidelines

  • Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization
  • No vulnerability disclosure, including partial disclosure, is allowed at the moment.
  • Please do NOT publish/discuss bugs

Eligibility and Coordinated Disclosure

We are happy to thank everyone who submits valid reports which help us improve the security. However, only those that meet the following eligibility requirements may receive a monetary reward:

  • The vulnerability must be a qualifying vulnerability
  • Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through hackenproof.com
  • You must send a clear textual description of the report along with steps to reproduce the issue, including attachments such as screenshots or proof-of-concept code as necessary.
  • You must not be a former or current employee of Somnia or of one of its contractors.
  • Provide detailed but to-the-point reproduction steps.

Rewards Distribution

Total Prize Pool: $300k USDC

  • $10k pot, distributed if at least one Low severity issue is discovered
  • $40k pot, distributed if at least one Medium severity issue is discovered
  • $100k pot, distributed if at least one High severity issue is discovered
  • An additional $150k is unlocked for Critical severity issues. For the purpose of this contest, a critical vulnerability is defined as an issue that enables the theft of substantial user funds or protocol assets.
  • Note: 10% of each unlocked severity pot is retained by the platform as a service fee.

Please note:

Minor or theoretical loss vectors — such as small rounding errors — do not qualify as critical, even if they technically result in direct fund movement. This definition is consistent with HackenProof’s Blockchain protocol Vulnerability Classification, and final decisions on severity will be made in collaboration with the project team.

Consensus specification issues

All critical issues related to the consensus specification will be capped at $80k in HAI tokens as part of the DualDefense program.

We encourage researchers to submit all impactful findings, but only those meeting the strict “substantial fund theft” threshold will trigger the bonus payout.


Reward Splitting for Duplicate Findings

If the same issue is reported by multiple researchers, the reward will be split using the following formula:

Final Reward = Severity Weight × (0.9 ^ (N - 1)) / N

Where:

  • Severity Weight:
    • Low → 20
    • Medium → 30
    • High → 50
  • N = number of researchers who submitted the same valid issue
  • Rewards are normalized against the total contest allocation and severity budget

Example (for a High severity issue with a weight of 50):

  • 1 researcher reports → receives 50 points
  • 2 researchers report → each receives 50 × 0.9 / 2 = 22.5 points
  • 3 researchers report → each receives 50 × 0.81 / 3 = 13.5 points

This system encourages early discovery and rewards uniqueness while ensuring all valid reporters are fairly acknowledged.

Setup Guide

Core Dev Installations

The following are installations required to start building and developing on Somnia.

  1. Install Bazelisk. We highly recommend using Bazelisk over standard Bazel to ensure that your system is always on the correct version of Bazel and Clang.

     ./tools/install_bazelisk.sh

  2. Install additional Bazel buildtools. This is required to run our linter script, among other things.

     ./tools/install_buildtools.sh

     Ensure that "$HOME/.local/bin" is on your PATH. This should be the default on most Linux distributions, but if not you can add the following line at the end of your ~/.bashrc file:

     export PATH="${HOME}/.local/bin:${PATH}"

  3. Install remaining code dependencies.

     sudo ./tools/install_dependencies.sh

  4. Run a local mainnet.

     NETWORK_PRESET=mainnet-small ./ci/run-local-deployment.sh

If you are running on macOS:

  # Install Docker Desktop for Mac
  brew install --cask docker

  # Clone the repository
  git clone <repository-url>
  cd somnia

  # Build and run using Docker with x86_64 emulation
  docker build -f .github/Dockerfile --platform linux/amd64 -t somnia .
  docker run -it --platform linux/amd64 somnia

  # Inside the container
  NETWORK_PRESET=mainnet-small ./ci/run-local-deployment.sh
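A small wrapper for the "run a local mainnet" step, added here as an example; it is not part of the Somnia repository or of the setup guide above. It refuses to start the deployment unless NETWORK_PRESET is mainnet-small (the only preset whose findings the contest accepts), checks that Bazelisk is installed, and makes sure "$HOME/.local/bin" is on PATH. The file name deploy-check.sh, the --run flag and the exit codes are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Somnia repository: a wrapper for the
# local mainnet step that refuses to start with a preset the contest treats
# as out of scope, and checks the Bazelisk install location is on PATH.
# Assumed: invoked from the root of the somnia checkout.
set -eu

# The contest only accepts findings reproduced on the mainnet-small preset.
in_scope_preset() {
  case "${1:-}" in
    mainnet-small) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the given PATH (default: the current one) with $HOME/.local/bin
# prepended when it is missing; the setup guide says that is where
# install_bazelisk.sh puts the binary.
ensure_local_bin_on_path() {
  path="${1:-$PATH}"
  local_bin="${HOME:-}/.local/bin"
  case ":${path}:" in
    *":${local_bin}:"*) printf '%s\n' "$path" ;;
    *) printf '%s\n' "${local_bin}:${path}" ;;
  esac
}

# Start the local deployment only when preset and tooling are right.
# Exit codes (assumed): 2 = out-of-scope preset, 3 = bazelisk missing,
# 4 = not run from the checkout root.
run_local_mainnet() {
  preset="${NETWORK_PRESET:-}"
  if ! in_scope_preset "$preset"; then
    echo "refusing to deploy: NETWORK_PRESET='$preset' is not mainnet-small;" \
         "findings on other presets are out of scope" >&2
    return 2
  fi
  if ! command -v bazelisk >/dev/null 2>&1; then
    echo "bazelisk not found on PATH; run ./tools/install_bazelisk.sh" >&2
    return 3
  fi
  if [ ! -x ./ci/run-local-deployment.sh ]; then
    echo "./ci/run-local-deployment.sh not found; run from the somnia checkout" >&2
    return 4
  fi
  NETWORK_PRESET="$preset" ./ci/run-local-deployment.sh
}

# Only deploy when invoked as `sh deploy-check.sh --run`, so the functions
# above can also be sourced and used individually.
if [ "${1:-}" = "--run" ]; then
  PATH="$(ensure_local_bin_on_path)"
  export PATH
  run_local_mainnet
fi
```

Run it as `NETWORK_PRESET=mainnet-small sh deploy-check.sh --run`; with any other preset it exits with status 2 before touching the deployment script, which keeps accidental devnet-only reproductions from being mistaken for in-scope findings.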
Duration
  • Start date: 06 Aug 2025
  • End date: 20 Sep 2025

Rewards
  • Range of bounty: $0 - $300,000
  • Critical: $150,000
  • High: $0 - $100,000
  • Medium: $0 - $40,000
  • Low: $0 - $10,000

Stats
  • Scope review: 19805
  • Submissions: 275
  • Total rewards: $135,000
  • Types: blockchain
  • Languages: C++
  • Project types: L1/L2
  • Hackers: 46

SLA (Service Level Agreement)

Time within which the program's triage team must respond (business days):
  • First response: 20d
  • Triage time: 30d
  • Reward time: 40d
  • Resolution time: 30d