Audit Competition Proposal for xERC20 and Lockbox Smart Contracts by Hats Finance

Summary

This is a proposal for DappRadar to conduct an audit competition for its xERC20 and Lockbox smart contracts on Hats Protocol.

Abstract

Hats audit competitions are revolutionizing the world of Web3 security, offering a dynamic, cost-effective, and time-efficient solution for smart contract auditing. By transforming the traditional auditing approach, they ensure enhanced security through a community-driven process. With audit competitions, you retain full control over your budget, attract top auditing talent, and gain valuable insights from the Web3 community, all while preparing your project for a robust and secure launch.

Hats audit competitions work on a simple yet powerful model — rewarding results, not efforts. You, as a project owner, allocate budgets according to the severity level of potential vulnerabilities. The budget is retained if no flaws are found. It’s a model that ensures you pay only for value added to your project, giving you confidence in your investment.

These competitions typically draw over 300 skilled auditors who partake in a race against time, diligently hunting for bugs to ensure your project’s safety. The model operates on a first-come, first-served basis, thus encouraging quick and quality submissions. Each successful auditor is rewarded for their findings, fostering a competitive environment that brings out the best in auditors.

In addition, the evaluation process is designed for efficiency. With rewards given to the first submitter, duplicate submissions are avoided. This not only streamlines the process but also saves valuable time.

The Hats audit competition mechanism is unique, and no one in the security ecosystem offers a better approach, by time and budget, than the Hats audit competition product.

Hats Finance started to offer the audit competition product to its partners in February and many audit competitions have been instrumental in demonstrating the efficiency of our product since then. See the table below for reference:

| Project | Audited by | Total Bounty ($) | Paid ($) | Findings |
|---|---|---|---|---|
| VMEX Finance | yAcademy | 67.5k | 45k | 2 high, 9 low, 2 gas saving |
| Raft Finance | Trail of Bits | 80k | 64k | 3 high, 4 medium, 11 low, 1 gas saving |
| Gravita Protocol | Solidity & Omniscia | 105k | 30k | 3 medium, 11 low |
| Lodestar Finance | Solidity | 30k | 14.1k | 18 medium, 2 gas saving |
| Fuji Finance | NA | 30k | 30k | 3 high, 6 medium, 21 low, 2 gas saving |
| Hats Finance | Zokyo & Hexen & G0 Group | 40k | 31k | 1 high, 6 low |

Motivation

Briefly: we have created a no-brainer audit competition product for projects to run before launch, because there is no upfront fee or additional cost and payment is 100% by results. Imagine that DappRadar conducts an audit competition with a bounty of $50k on Hats Protocol and allocates $30k for high severity, $18k for medium severity, $1k for low severity and $1k for gas optimization, respectively. Let’s explore the options:

  1. No valid submission: DappRadar does not make any payments and walks away with $50k.
  2. Only low severity findings: DappRadar only pays the $1k allocated for low severity and withdraws the remaining $49k.
  3. Only low and medium severity findings: DappRadar pays $19k and withdraws the remaining $31k.

Projects can also put a cap on each high severity finding. For example, if a project allocates $60k for high severity and caps each high severity finding at $15k, there have to be at least 4 high severity findings to pay out the whole amount allocated for high severity ($60k).

Benefits

  • 100% payment by results
  • Hats Finance is B2B free (Hats Finance takes 20% from the payout and therefore there is no additional cost for DappRadar)
  • DappRadar can easily set up an audit competition with 7 days’ notice
  • DappRadar will get the vulnerability submissions in real time and can start fixing the issues in the process
  • DappRadar can attract the wider Web3 security community to get involved with xERC20 and Lockbox with the audit competition
  • DappRadar will align with the essence of Web3 by deploying an on-chain audit competition

Drawbacks

There are not any drawbacks for DappRadar.

3 Likes

We already had an audit, haven’t we? And that still didn’t stop tokens from being lost as such?

As for drawbacks, “there is not any for DappRadar” is a red flag in my eyes, cuz we will be paying for this service.

Hurmm, how about u give us 1 example of why we should use the audit thing by showing us 1 bug that we have? Is that a possibility?

Hey @madeafterdeath! Thanks a lot for taking the time to reflect!

I think there is a new audit need according to this proposal. That’s the reason behind my proposal.

Since our product is 100% payment by results, if nothing is found, no payment will be made anyway. You can just be happy that more than 1k security researchers checked the DappRadar contracts for free and could not find anything :)

1 Like

True… and I didn’t know we would need another audit. I guess that would be up to the team to sort out. That was a good time to throw up a proposal for it tho on your side =)
Thanks.

1 Like

It’s great to see community initiatives coming directly from our community and through our forums.

However, for it to be considered a legitimate Proposal in accordance with our governance process:

  • The Forum proposal needs to be active for 7 days
  • Have the correct title, including [DCP-#] and proposal number
  • Include a For/Against poll
  • Minimum 20 votes and have more “For” votes than “Against”

You can read more here:

1 Like

Now onto the merits of the Proposal.

The Engineering team, led by @michael-dappradar, is already assessing the audit managed by Connext. We’re waiting for the team to give the green light there before we move forward.

That being said, if there are still question marks after the review, additional third-party audits would be great.

I’m on the fence as to whether an audit by a tight team of auditing professionals is better than a group of loosely associated auditors because otherwise it just feels like a time-bound bounty event.

But crowd-sourced security audits can be very helpful, so I’m keeping an eye on the community sentiment towards this, for both this and future initiatives.

Hey @vandynathan! Thanks a lot for the comments!

Can you please guide me on how to create a poll?

I think that the chart I shared above in the proposal should give a good sense that even top-tier auditing firms miss critical vulnerabilities from time to time.

It’s definitely a lot better to have more than 1k security researchers checking your contracts instead of 2-3 people :)

1 Like

1. When you’re editing the Proposal you should find a cog on the far right.

2. When you click on the cog, it will have an option called “Build Poll”.

3. Click on that to make a single-choice poll: FOR or AGAINST your proposal.

1 Like

Personally, I definitely see the benefits but I’ll let the more technical members speak their mind.

1 Like

GM GM :)

There were already 2 audits conducted on these contracts:

  1. Connext did their own audit on the smart contracts that they provided to us.
  2. DappRadar (we) did another audit after we added the Reentrancy Guard to the contracts to be even safer. See the audit result here (PDF): DappRadar_xTokens_Final_Audit_Report.pdf - Google Drive

We deployed the smart contracts yesterday after the second audit showed that we fixed 100% of all findings (even the low and informational ones; check page 15).

You can also compare the deployed smart contract code with the commit the auditor reviewed, and you will see it’s exactly the same code that has been positively audited.
The latest audit was done on this commit (you’ll also find that link in the audit PDF on page 17): https://github.com/dappradar/xTokens/tree/92faf3b1994fad8536aeac3592da3eea0edd521a/solidity/contracts

We already took more measures than normal to make this as safe as possible and I think doing another expensive audit just costs the DAO more money than necessary.

But of course that is only my opinion (VP Engineering at DappRadar).
What do you think?

1 Like

Hey @michael-dappradar! Thanks a lot for the comprehensive answer.

The Hats audit competition is for pre-deployment contracts, to mitigate risks before launch. Since you already launched yesterday, I think our bug bounty solution would be a better option. You can fund the bug bounty with $RADAR tokens and subject payouts to vesting.

What would be your take on a proposal for an on-chain bug bounty vault by Hats Finance? :)

1 Like

I think the answer’s gonna be no, but we got to move to V3 ETH on SushiSwap and we will also be moving to other chains in the future. So, like Vandy said, make a poll. Personally I’d agree with making a vault with RADAR tokens as a bug bounty reward program from RADAR. As we move onto more chains we can do audits however the team wants, but having someone double check them is always good tho?

So make another discussion page with a poll and let people know what they are voting for, as simple as possible, and hopefully u will get enough votes to know what’s going off, and people can add other suggestions etc. With what Michael just said right now tho, I’d expect the answer to be no, which is why right now I agree with truffe in making a vault for any bug finds in the future (that have anything to do with RADAR token).

1 Like

Brilliant! I really appreciate all the honest opinions. I will create a new bug bounty proposal with a poll today, thanks :)

1 Like

Hey @vandynathan, @madeafterdeath and @michael-dappradar!

I have modified the proposal in accordance with the feedback and shared a new one with a poll!

Looking forward to your feedback :)

2 Likes