Bug Bounty Vault Proposal by Hats Finance

TLDR:

This is a proposal for dForce to collaborate with Hats.finance and create a hacker/auditor incentive pool to protect the dForce smart contracts. The goal of the vault is to incentivize vulnerability disclosure for dForce smart contracts. Liquidity can be added permissionlessly, and LPs will be rewarded with the $HAT token once the liquidity mining program is launched.

Summary:

The direct losses from hacks and exploits between 2020 and 2022 are above $15B, and yet the solutions currently being offered are not decentralized, permissionless, scalable and continuous like dForce is.

Hats Finance:

Hats.finance is an on-chain decentralized bug bounty platform specifically designed to prevent crypto-hack incidents by offering the right incentives. Additionally, hats.finance allows anyone to add liquidity to a smart bug bounty. Hackers can responsibly disclose vulnerabilities without KYC and be rewarded with scalable prizes and NFTs for their work.

Smart bug bounty programs are a win-win for everyone. They can be created easily with a few on-chain transactions (it takes around 1 hour to open a vault on Hats) and are free of charge. The protocol only charges a fee if an incident has been successfully mitigated, whereas an exploit would be far more costly and irreversible. More importantly, it is transparent, decentralized, and gives power to the community behind the project.

Security underlies the technology of smart contracts; there isn’t such a thing as too much security in our space. We think Ethereum dapps should include our solution and others, like Immunefi. Having said that, we strongly believe the future of cybersecurity is incentivized. We aim to lead this agenda, by creating a decentralized bug bounty marketplace that will incentivize all of its participants.

The key advantages of the Hats solution over traditional, centralized bug bounty services:

  • Bug bounty vaults are loaded with the native token or yield-bearing token of the project, reducing the free-floating supply while giving the token additional utility.
  • Scalable bounty network: vault TVL increases with the success / token appreciation of the project.
  • Open and permissionless: anyone can participate in the protection of an asset they are a stakeholder of, and any hacker, anywhere in the world, can participate anonymously when disclosing exploits (no KYC needed).
  • In the future, every depositor providing liquidity (taking risk) could farm $HAT tokens.
  • Continuous: as long as tokens are locked in the vault, hackers are incentivized to disclose vulnerabilities through Hats instead of hacking.

Motivation

Project coverage:

  • 24/7 audits on your protocol with a proactive approach that incentivizes hackers to disclose vulnerabilities instead of hacking.
  • A disclosed vulnerability means no TVL or token loss.
  • Permissionless vault: token holders and the protocol community can deposit or withdraw in the same permissionless manner.
  • Public relations regarding mitigated vulnerabilities; security becomes a strength of the project.
  • Attract more users that have high security requirements.

Token value:

  • Token staked in the vault → token with higher security guarantees.
  • In the future, one-sided yield farming based on $DF.
  • Staking tokens in the Hats vaults reduces circulating token supply.

Committee:

The main incentive for a committee to triage reports is the potential to rescue users' funds and the protocol's reputation. In addition, Hats has two incentive mechanisms in place:

  • Each call to the approve function (confirmation of an exploit that was resolved by the project committee) triggers a split function that sends part of the reward (default 5%) to the committee for triaging the issue and solving it in a responsible manner.
  • Each exploit claim is attached with an ETH-denominated fee. This fee is intended to prevent bad actors from using the reporting function to create spam, and to incentivize report triage by committees. The fees are transferred to the Hats governance wallet in order not to expose the project that was reported, and will be transferred to the respective committees from time to time upon receipt of disclosure descriptions that correspond to the hash of the vulnerability on-chain. Submission fees are currently set to 0, so only tx gas costs apply.

Project community / Token holders:

  • Join the effort to secure the ecosystem of dForce.
  • Protect their $DF by depositing a portion of their $DF holdings into the bug bounty vault to make their holdings more secure. By doing so, depositors potentially get $HAT tokens (on liquidity mining program launch).
  • Permissionless vault: token holders and the protocol community can deposit or withdraw in the same permissionless manner.

Hacker/Auditors:

  • Fungible funds: no need to move the funds into mixers.
  • Incentivized by the big reward prize; less than what they could hack, but still a meaningful amount.
  • Play by black hat rules and get white hat rewards.
  • Easier to disclose a vulnerability than to exploit it.
  • No KYC.
  • Reputation and notoriety as a proficient hacker.
  • Be good, do good for the ecosystem.

Proposal action items:

  • Decide on collaboration with Hats.Finance.
  • Choose and set up a committee.
  • Vote on the DAO participation amount (how much $DF will be used from the treasury).

Onboarding action items:

  • Choose committee: the committee is preferably the public multisig contract of dForce, or another multisig with some of the same members.
  • Committee responsibilities:
      • Triage auditors'/hackers' reports and claims (get back to the reporter within 12 hours).
      • Approve claims within a reasonable time frame (max of 6 days).
      • Set up the repositories and contracts under review (a list of all contracts under the bounty program and their severity).
      • Be responsive via its Telegram group or Discord channel.

Vault size:

When you incentivize hackers with a big bounty, you draw attention to securing your protocol. Because the bounty is a relative portion of the vault, the more value the vault holds, the larger the prize is. A ballpark starting number of $0.1m to $1m for a critical bug will draw significant attention from potential hackers and auditors.

$DF deposit:

Vaults are opened with the native token of the project, using a one-token-per-vault (bug bounty) mechanism. Therefore the community has to select one token to bootstrap its bounty, in this case $DF. This means that the rewards to security experts/hackers after a responsible disclosure will be paid in the $DF token. In the next few weeks, we will introduce multiple-token options, where the dForce community will also be able to deposit other assets (DF, wETH, or stablecoins).

In the future, when the $HAT token is live, depositors in the bounty vaults will potentially be able to claim the $HAT token. Anyone can join the security efforts of their beloved protocol, for the first time in the crypto ecosystem. Decentralizing the traditional bug bounty will create a new way of sharing responsibility and success, and a new level of trust between the community and the protocol.

Concluding Remarks

At Hats.finance, we envision a future in which the security marketplace is a standard for the crypto ecosystem. Considering how much dForce cares about the security of the network and its operations, it is beyond any doubt that a bounty on Hats.finance will draw more attention from white hat hackers and auditors to the smart contracts of dForce. Accordingly, all of that scrutiny will contribute to the safety and security of dForce.

We would love to see the discussion going in detail and get feedback on the proposal.

Thank you!

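The committee section above describes three mechanics (a claim committed on-chain as a hash, committee approval that splits off a default 5% of the reward, and an ETH claim fee escrowed by governance), and the vault-size section states that the bounty is a relative portion of the vault. The following Python model ties them together so the accounting can be checked end to end. It is an added illustration, not Hats.finance's contract code or anything from dForce: the function names, the severity percentages, the pro-rata charging of LPs and the rule that withdrawals are locked while a claim is open are all assumptions made for the example, and the report text and addresses are constructed.

```python
# Added illustration of the vault mechanics described in the proposal.
# NOT Hats.finance's contract code: function names, severity percentages,
# pro-rata charging of LPs and the withdrawal lock are assumptions.
from dataclasses import dataclass, field
import hashlib

# Fraction of the vault paid out per severity (assumed values).
SEVERITY_SHARE = {"low": 0.01, "medium": 0.05, "high": 0.20, "critical": 0.50}
COMMITTEE_SHARE = 0.05   # default 5% of each reward goes to the triaging committee
CLAIM_FEE_WEI = 0        # submission fee currently 0, so only gas applies


def description_hash(description: str) -> str:
    """Commitment the reporter posts on-chain; the write-up itself goes to the
    committee off-chain. sha3_256 stands in for keccak256 in this model."""
    return hashlib.sha3_256(description.encode()).hexdigest()


@dataclass
class Claim:
    reporter: str
    commitment: str
    fee_paid: int
    approved: bool = False


@dataclass
class BountyVault:
    token: str
    committee: str
    balances: dict = field(default_factory=dict)   # LP address -> tokens
    claims: list = field(default_factory=list)
    fees_escrowed: int = 0    # claim fees held by governance, not the project
    payouts: list = field(default_factory=list)

    def total(self) -> float:
        return sum(self.balances.values())

    def has_pending_claim(self) -> bool:
        return any(not c.approved for c in self.claims)

    def deposit(self, lp: str, amount: float) -> None:
        # Permissionless: any holder can add liquidity.
        self.balances[lp] = self.balances.get(lp, 0.0) + amount

    def withdraw(self, lp: str, amount: float) -> None:
        # Assumed rule: no withdrawals while a claim is open, so LPs cannot
        # pull funds out between disclosure and payout.
        if self.has_pending_claim():
            raise RuntimeError("withdrawals locked while a claim is pending")
        if amount > self.balances.get(lp, 0.0):
            raise ValueError("insufficient balance")
        self.balances[lp] -= amount

    def submit_claim(self, reporter: str, commitment: str, fee_paid: int) -> int:
        if fee_paid < CLAIM_FEE_WEI:
            raise ValueError("claim fee not covered")
        self.fees_escrowed += fee_paid
        self.claims.append(Claim(reporter, commitment, fee_paid))
        return len(self.claims) - 1

    def approve(self, caller: str, claim_id: int, severity: str,
                revealed_description: str) -> tuple:
        # Only the committee may approve, and only against a matching reveal.
        if caller != self.committee:
            raise PermissionError("only the committee can approve claims")
        claim = self.claims[claim_id]
        if claim.approved:
            raise ValueError("claim already paid")
        if description_hash(revealed_description) != claim.commitment:
            raise ValueError("revealed description does not match on-chain hash")
        share = SEVERITY_SHARE[severity]
        reward = self.total() * share          # bounty is a portion of the vault
        committee_cut = reward * COMMITTEE_SHARE
        reporter_cut = reward - committee_cut
        for lp in self.balances:               # every LP bears the payout pro rata
            self.balances[lp] *= (1 - share)
        claim.approved = True
        self.payouts.append((claim.reporter, reporter_cut))
        self.payouts.append((self.committee, committee_cut))
        return reporter_cut, committee_cut


def run_demo() -> dict:
    """One disclosure: two LPs fund a DF vault, a reporter commits to a report,
    withdrawals lock, a mismatched reveal is refused, a critical is approved."""
    vault = BountyVault(token="DF", committee="0xCommitteeMultisig")  # constructed
    vault.deposit("0xTreasury", 600_000.0)
    vault.deposit("0xCommunityLP", 400_000.0)
    report = "example report text (constructed, not a real finding)"
    cid = vault.submit_claim("0xReporter", description_hash(report), fee_paid=0)
    try:
        vault.withdraw("0xCommunityLP", 100_000.0)
        withdraw_blocked = False
    except RuntimeError:
        withdraw_blocked = True
    try:
        vault.approve("0xCommitteeMultisig", cid, "critical", "a different write-up")
        bad_reveal_rejected = False
    except ValueError:
        bad_reveal_rejected = True
    reporter_cut, committee_cut = vault.approve(
        "0xCommitteeMultisig", cid, "critical", report)
    return {"withdraw_blocked": withdraw_blocked,
            "bad_reveal_rejected": bad_reveal_rejected,
            "reporter_cut": reporter_cut, "committee_cut": committee_cut,
            "remaining": vault.total(),
            "treasury_after": vault.balances["0xTreasury"]}


if __name__ == "__main__":
    print(run_demo())
```

With a 1,000,000 DF vault and the assumed 50% critical share, the approved claim pays 475,000 DF to the reporter and 25,000 DF to the committee, and each LP's balance halves. The two checks a reviewer of such a vault would want are both exercised: the committee cannot pay against a write-up whose hash differs from the on-chain commitment, and liquidity cannot be withdrawn once a claim is open.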

dForce already runs a bounty program on Immunefi, which has a very comprehensive whitehat network; how could you attract a bigger whitehat community?


It's perfectly okay to have bounties on Hats Finance, ImmuneFi and others at the same time. Hats Finance is an additional channel for security researchers to reach out to you, which can be created for free. Only if the protocol helped to mitigate an incident will a share of the payout be retained by the protocol. On the other hand, Hats Finance enables community participation in, and incentivization of, the security efforts of decentralized projects. Let's assume that you create a bounty of equal amount on Hats Finance; once the community members contribute to the vault, the bounty amount on Hats Finance will surely be more than the one on ImmuneFi. A higher bounty will draw more security experts' attention to your smart contracts. Additionally, the community is incentivized to contribute to the bug bounty vault by farming $HAT yields ($HAT token is not live yet).


Hey dForce members,
My name is Ofir, from the Hats.finance growth team, great to be here!

Hats Finance adds a collaborative approach to bug bounties by allowing protocol participants to become protectors of the chain. Community-owned bug bounties allow anyone to add liquidity to bug bounties, which contributes to the security and longevity of the crypto ecosystem. This adds a scalable aspect to bug bounties, in which rewards grow with the project's success, token appreciation, and users' trust. Community-owned bug bounties are transparent due to their permissionlessness and on-chain resolution capabilities.

I would love to answer questions about the dForce <> Hats collaboration, please tag me.
