Bug Bounty Vault Proposal by Hats Finance

Summary

Direct losses from hacks and exploits between 2020 and 2022 exceed $15B, and yet the solutions currently on offer are not decentralized, permissionless, scalable, and continuous the way Nation is.

This is a proposal for Nation to collaborate with Hats.finance to create an on-chain, free, and permissionless incentives pool for hackers/auditors to protect the Nation smart contracts. The goal of the vault is to incentivize responsible vulnerability disclosure for Nation. Liquidity can be added permissionlessly (with $NATION and yield-bearing tokens), and LPs will be rewarded with $HAT tokens once the liquidity mining program is launched.

Motivation

Project coverage:

  • Hats Finance provides an on-chain and free protocol for bug bounty programs.
  • A non-stop audit bounty with a proactive approach that incentivizes hackers to disclose vulnerabilities instead of exploiting the project.
  • A disclosed vulnerability mitigates any TVL / token loss.
  • Permissionless vault: token holders and the protocol community can deposit or withdraw permissionlessly at any time.
  • Public relations regarding mitigated vulnerabilities, and security becomes a strength of the project.
  • Attract more users who have high security requirements.

Hats Finance

Hats.finance is an on-chain decentralized bug bounty platform specifically designed to prevent crypto-hack incidents by offering the right incentives. Additionally, Hats.finance allows anyone to add liquidity to a smart bug bounty. Hackers can disclose vulnerabilities responsibly without KYC and be rewarded with scalable prizes and NFTs for their work.

Smart bug bounty programs are a win-win for everyone. They can be created easily with a few on-chain transactions (it takes around 1 hour to open a vault on Hats), and are free of charge. Hats will only charge a fee once an incident has been successfully mitigated: the protocol retains 10% of the payout as a fee from the security researcher. Exploit scenarios are far more costly and can cause irreversible damage. More importantly, the bounty program is transparent, decentralized, and gives power to the community of the project.

The key advantages of the Hats solution compared to traditional, centralized bug bounty services:

  • Bug bounty vaults are loaded with the native or yield-bearing token of each project. This reduces the free-floating supply while giving the token additional utility.
  • Scalable bounty network: vault TVL increases with the success / token appreciation of the project.
  • Open and permissionless: anyone can participate in the protection of an asset they are a stakeholder of, and any hacker, anywhere in the world, can participate anonymously when disclosing exploits (no KYC needed).
  • In the future, every depositor providing liquidity (taking risk) could earn $HAT tokens.
  • Continuous: as long as tokens are locked in the vault, hackers are incentivized to disclose vulnerabilities through Hats instead of exploiting the project.

Specification

If the proposal is accepted, Nation DAO is expected to:

1- Choose and set up a committee

2- Vote on the amount the DAO will contribute to the bug bounty program (How much $NATION or yield bearing assets to be used from the treasury for the initial deposit)

Onboarding action items:

  • Choosing a committee: the committee is preferably the public multisig contract of Nation or a multisig specifically set up to manage the bounty program.
  • The committee's responsibilities:
    • Triage incoming vulnerability reports/claims from auditors/hackers (get back to the reporter within 12 hours).
    • Approve claims within a reasonable time frame (max. 6 days).
    • Set up the repositories and contracts under review (a list of all contracts covered by the bounty program, separated by severity).

Concluding Remarks

At Hats.finance, we envision a future in which a security marketplace acts as permissionless infrastructure for the crypto ecosystem. Considering how much Nation cares about the security of the network and its operations, it is beyond any doubt that a bounty on Hats.finance will draw more attention from the white hat hackers and auditors to the smart contracts of Nation. Accordingly, each scrutiny will contribute to the safety and security of Nation.

We would love to see the discussion going in detail and get feedback on the proposal.

Thank you!

4 Likes

Hey, Nation3 community, my name is Ofir from the Hats growth team.
I would love to hear your thoughts about the on-chain bug bounty on Hats.
Please tag me for any questions you have.

1 Like

Hi! This is really cool (been a big believer something like this needs to exist since 2018 or so), but I believe it’s too early for Nation3 to invest any time into looking into it.

I think it would be more relevant in 3-6 months after Nation3 Court gets some traction!

2 Likes

Hey @luis! Much appreciated for the comment and your support.

I was just wondering why you think it's too early for Nation3 to have a bug bounty. Let me highlight that it doesn't require any additional time or capacity from your side to create a bounty on the Hats protocol. It's simply like filling out a form :)

Additionally, we have recently initiated an Airdrop Machine (similar to the one Optimism used) in order to fill the gap until our TGE. Accordingly, both Nation3 DAO and your community members who deposit to your vault will be able to farm future $HAT tokens, and these tokens will be sent after our TGE. Since Nation3 DAO will very probably be eligible for a good amount of $HAT tokens as a DAO, it would be really nice to see you guys in our future DAO.

In general it would require some time for the community to assess the quality of the project and decide how much to stake, who is the committee who will manage it, and so on.

It’s a very interesting project and I think it would be useful down the road, but I do think that right now Nation3 needs to be laser focused if we are to succeed.

2 Likes

Aight, thanks for the clarification @luis! I will check back in 4-6 months hopefully :)

1 Like

Hey @luis and Nation3 fam! I wish you all a happy new year. I was wondering whether it's a good time to check back on our proposal :)

TVL is still $0 (we haven’t launched), so it probably makes more sense once we have more TVL (in a few months).

Thanks for the update. I will check back again :)