Bug Bounty Vault Proposal by Hats Finance

Aragon <> Hats.finance: Proactive security for smart contracts

This is a proposal for Aragon to collaborate with Hats.finance to create a hacker/auditor incentive pool to protect the Aragon contracts.

The goal of the vault is to incentivize vulnerability disclosure for Aragon smart contracts while farming rewards in the form of hats tokens.

Overview

Hats.finance is a proactive incentive protocol for white hat hackers and auditors, where projects, community members, and stakeholders incentivize protocol security and responsible disclosure.

Hats creates scalable security vaults using the project’s own token. The value of the bounty increases with the success of the token and project. In addition, NFT artists have pledged assistance and will create numerous unique NFTs that will be minted for hackers or auditors who responsibly disclose vulnerabilities.

Hats.Finance offers every participant in the Ethereum ecosystem the opportunity to have some skin in the game and create a more secure future for the users of #Ethereum.

Hats.finance mechanism:

  • Smart contracts are continuously offering a bounty in the form of their value or the value that is locked by them. Extracting this value in a malicious manner causes more harm to the ecosystem than the size of the extracted value.

  • Incentivize continuous audit for smart contracts

  • Hacks and exploits have an effect on the adoption of all smart contracts and the ecosystem itself. Ecosystem adoption is boosted when we can reduce this risk.

  • The future of the economy is being withheld by the forces who try to hack it. Hats.Finance incentivizes both parties to collaborate towards the success of the ecosystem.

Benefit:

Project coverage :

  • 24/7 audits on your protocol with a proactive approach that incentivizes hackers to disclose vulnerabilities instead of hacking
  • A disclosed vulnerability means no TVL / token loss
  • PR of a vulnerability becomes a strength of the project.
  • Attract more users to the “strong and secure protocol”

Token value:

  • Token staked in vault → Token with higher security guarantees.
  • Another yield farming option.
  • One-sided yield farming based on your token

Committee:

The main incentive of a committee to triage reports is the potential to rescue user funds and protocol reputation. In addition, Hats has two incentive mechanisms in place:

  • Each call to the approve function (confirmation of an exploit that was resolved by the project committee) triggers a split function that sends part of the reward (default 5%) to the committee for triaging the issue and solving it in a responsible manner.
  • Each exploit claim has an ETH-denominated fee attached. This fee is intended to reduce exploit report spam and incentivize report triage by committees. The fees are transferred to the Hats governance wallet in order not to expose the project that was reported, and will be transferred to the respective committees from time to time upon receipt of disclosure descriptions that correspond to the hash of the vulnerability on-chain.

Project community / token holders:

  • Join the effort to secure the ecosystem.
  • Financial incentive in the form of Yield farming (on liquidity mining program launch)
  • Protect their own project token by sacrificing a portion of their token holdings, to make their holding more secure. By doing that, get $HAT (on liquidity mining program launch)

Hacker/Auditors:

  • Fungible funds - no need to move the funds into mixers
  • Incentivized by the big prize, less than what they could hack, but still a meaningful amount.
  • Play by black hat rules and get a white hat attitude.
  • Easier to disclose vulnerability than to exploit it
  • No KYC
  • Reputation and notoriety as a proficient hacker
  • Be good, do good for the community

Vault size:

When you incentivize hackers with a big bounty, you drive attention to secure your protocol. Because the bounty is a relative portion of the vault, the more value the vault holds, the larger the prize. A ballpark starting number at $0.1m-$1m for a critical bug will draw significant attention from potential hackers or auditors.

Hats audit and security measures:

Hats contracts have been audited by Zokyo and 2 more audits have been done internally. All issues have been fixed to the satisfaction of the auditors.

Hats audit

Proposal action items:

  • Decide on Collaboration with Hats.Finance
  • Choose and set up a committee
  • Vote for DAO participation amount (How much $Token will be used from the treasury)

Onboarding action items:

  • Choose committee: The committee is preferably the existing Aragon Multisig.
  • Committee responsibility:
  1. Triage auditors’/hackers’ reports/claims.
  2. Approve claims within a reasonable time frame (max of 6 days)
  3. Set up repositories and contracts under review. (List of all contracts under the bounty program and their severity)
  4. Be responsive via its Telegram bot.
  • DAO process: proposal / voting / announcement
  • Dev team process: Committee setup
    • Share the PGP public keys, using Hats committee tools or otherwise.
    • Share Twitter or GitHub accounts of the committee members
    • Share a link to the deployed contracts that will be covered under the program.
    • Share a multisig address of the committee members, on Rinkeby and Mainnet.
    • Committee due diligence: The token contract deployer signs a message with Etherscan
    • Hats governance sets the emission rate for the Aragon vault.
  • Project and users deposit funds

Useful links:

Would love to get the discussion going and get feedback on the proposal.

Thank you!

2 Likes

Hey Aragon DAO members,
My name is Ofir, from the Hats.finance growth team.
It’s great to see the activity in the forum.
@Fav_truffe thank you for raising this topic and adding the proposal.

Hats.finance is a decentralized bug bounty protocol that allows anyone to add liquidity to a smart bug bounty while farming $HATS. Hackers can responsibly disclose vulnerabilities without KYC & be rewarded with scalable prizes & NFTs for their work.

Smart bug bounty programs are a win-win for everyone. They can be created easily with a few on-chain transactions, and do not cost anything unless a vulnerability is discovered, which would be more costly and irreversible once exploited. More importantly, it is transparent, decentralized, and gives power to the community behind the project.

I would love to answer questions about Aragon <> Hats collaboration, please tag me.

2 Likes

Tagging the Tech Committee members @p4u @nivida @voronchuk

Also @ramon in regards to the existing bug bounty process

2 Likes

I like the idea in general, but the exact form of budgeting the bug bounties is a financial/political, not a technical question. As soon as only the security bugs are rewarded and provided compensation is enough to attract whitehat hackers I would support such a bug bounty program.

2 Likes

Hi @voronchuk, thanks for the response.
If you can, please explain what kind of compensation mechanism you do support so I can better understand and answer.

In our case, the Aragon committee setting up the bounty will get the ability to control the bounty and, therefore, the incentive for the hackers more precisely.
You can read more about the payout mechanism:

You can jump directly to paragraph 3 to learn how the payout to the hacker is determined.

1 Like

I read through your docs and I like the suggested system, is it also possible to put different cut-off values for high, moderate, and low vulnerabilities? Also, the ranking part is not fully clear, is it done by committee or some other way?

Hey @voronchuk, just to put this up front. The payout curve is one of the features coming with V2 in July. Currently, we only have a linear model.

In the design, we don’t include different cut-offs because you are already defining the severities. If you define a cut-off at $1m, a payout for a critical severity of 80%, and a medium severity of 60%, then we automatically calculate the cut-off for medium based on the 60%.

With “ranking” I assume you mean the triage and the decision on which severity level is selected. Yes, this is done by the committee. We provide guidelines on which severity should be selected and can even help to triage. It’s very specific from case to case which severity is the best fit. If any side (project, hacker, LPs) feels treated unfairly, there is a decentralized dispute resolution in place that should find a fair solution.
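The reward rules described in this thread, the committee’s 5% split on each approved claim (from the proposal above) and the linear payout model in the reply just above, together with the check that a disclosed description matches the hash committed on-chain with the claim, as an added worked example. This is not Hats.finance’s own code: it assumes SHA-256 as the commitment hash (the page does not name the function Hats uses) and that the severity percentage is applied to the vault balance, following the proposal’s statement that the bounty is a relative portion of the vault; the “high” and “low” tiers and the sample disclosure text are constructed placeholders.

```python
"""Added example, not Hats.finance code: triage helper for a bounty claim.

It (1) checks a plaintext disclosure against the hash committed on-chain with the
claim and (2) computes the reward split under the linear payout model described in
the thread: the reward is a severity-dependent share of the vault, and the
committee's 5% is carved out of that reward.
"""
import hashlib
import hmac
from decimal import Decimal, ROUND_DOWN

# Severity -> share of the vault paid out. Critical (80%) and medium (60%) are the
# figures quoted in the thread; the high and low tiers are constructed placeholders.
SEVERITY_SHARE = {
    "critical": Decimal("0.80"),
    "high": Decimal("0.70"),  # constructed placeholder
    "medium": Decimal("0.60"),
    "low": Decimal("0.20"),  # constructed placeholder
}

# Committee share of each approved reward (thread: "default 5%").
COMMITTEE_SPLIT = Decimal("0.05")
CENT = Decimal("0.01")


def commit_disclosure(description: str) -> str:
    """Hash the disclosure text as a reporter would before filing the claim.

    Assumption: SHA-256 over the UTF-8 text. The page does not name the hash
    function Hats uses on-chain, so treat this as a stand-in.
    """
    return hashlib.sha256(description.encode("utf-8")).hexdigest()


def verify_disclosure(description: str, onchain_hash: str) -> bool:
    """True only if the disclosed text reproduces the hash recorded with the claim.

    A constant-time comparison avoids leaking where a mismatch occurs.
    """
    return hmac.compare_digest(commit_disclosure(description), onchain_hash.lower())


def split_reward(vault_balance, severity: str) -> dict:
    """Linear model: reward = vault balance x severity share; committee takes 5%."""
    if severity not in SEVERITY_SHARE:
        raise ValueError(f"unknown severity: {severity}")
    vault = Decimal(vault_balance)
    if vault <= 0:
        raise ValueError("vault holds no funds to pay from")
    reward = (vault * SEVERITY_SHARE[severity]).quantize(CENT, rounding=ROUND_DOWN)
    committee = (reward * COMMITTEE_SPLIT).quantize(CENT, rounding=ROUND_DOWN)
    return {
        "reward": reward,
        "committee": committee,
        "reporter": reward - committee,
        "vault_after": vault - reward,
    }


def triage_claim(description: str, onchain_hash: str, vault_balance, severity: str) -> dict:
    """Approve path: refuse to pay unless the disclosure matches its commitment."""
    if not verify_disclosure(description, onchain_hash):
        raise ValueError("disclosure does not match the on-chain commitment")
    return split_reward(vault_balance, severity)


if __name__ == "__main__":
    # Constructed sample: a $1m vault and a critical-severity claim.
    report = "Constructed sample disclosure text (placeholder, not a real finding)"
    committed = commit_disclosure(report)  # what the reporter recorded on-chain
    print(triage_claim(report, committed, "1000000", "critical"))
```

With a $1m vault the critical claim pays out $800,000, of which $40,000 goes to the committee and $760,000 to the reporter; a medium claim pays $600,000 with $30,000 to the committee. A disclosure whose text does not reproduce the committed hash is rejected before any split is computed.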

What kind of decentralized dispute resolution do you have? Is it smth like Aragon Court?

1 Like

Hey, at the moment, the dispute resolution is being carried out by Hats DAO. We are working on the integration with Kleros court, and hopefully we will have more news about it soon.

Sorry for going off-topic but would you be open to connecting and discussing if Aragon Court could be a good option for us? My Telegram Handle is @OxAngler (O as the letter, not the Number 0)

We are almost finished implementing the Kleros integration, but we are happy to learn about other solutions.

1 Like