[DCP-17] Bug Bounty Vault Proposal by Hats Finance

Summary

This is a proposal for DappRadar to collaborate with Hats.finance to create an on-chain, free, non-custodial, scalable and permissionless incentives pool for hackers/auditors to protect the DappRadar smart contracts.

Abstract

The direct losses from hacks and exploits between 2020 and 2022 are above $15B, and yet the solutions currently on offer are not decentralized, permissionless, scalable, continuous, and open to everybody the way DappRadar is.

This proposal aims to create an incentives pool on Hats Protocol for hackers/auditors to help protect the DappRadar smart contracts. The goal of the vault is to incentivize responsible vulnerability disclosure for DappRadar. Liquidity can be added (with $RADAR and/or yield-bearing tokens) permissionlessly, and LPs will be rewarded with $HAT tokens once the liquidity mining program is launched.

Motivation

Hats.finance is an on-chain decentralized bug bounty platform specifically designed to prevent crypto-hack incidents by offering the right incentives. Additionally, Hats.finance allows anyone to add liquidity to a smart bug bounty. Hackers can disclose vulnerabilities responsibly without KYC & be rewarded with scalable prizes & NFTs for their work.

Smart bug bounty programs are a win-win for everyone. They can be created easily with a few on-chain transactions (it takes less than 1 hour to set up a vault on Hats) and are free of charge. Hats only charges a fee once an incident has been successfully mitigated: the protocol retains 10% of the payout as a fee from the security researcher. An actual exploit is far more costly and can cause irreversible damage. More importantly, the bounty program is transparent, decentralized, and gives power to the project's community.

On-chain submission:

With the values of Ethereum, which are lighting our way, we decided to take a different approach to bug bounty compared to the traditional and centralized bug bounty platforms.

The submitter writes a detailed vulnerability description in the Hats dApp. The submission is encrypted with the project's PGP key. The user hashes the encrypted description (automatically) and sends a transaction on-chain with that hash (only the hash of the encrypted report goes on-chain), while sending the encrypted message to the routing bot.

The tx fee acts as a spam filter and can be set to a higher value (in the future).

The routing bot verifies that the hash of the encrypted message was published on-chain and publishes the encrypted message to the committee group, together with a link to an open-source front-end tool (part of the Hats dApp) for decrypting the messages, which are stored on IPFS.

Next Steps

In case that the proposal gets accepted, DappRadar is expected to:

1- Choose and set up a committee

2- Vote for DAO participation amount

Onboarding action items:

  • Choosing a committee: The committee is preferably the public multisig contract of DappRadar or a multisig specifically set up to manage the bounty program.
  • The committee's responsibilities:
    • Triage incoming vulnerability reports/claims from auditors/hackers (get back to the reporter within 12 hours).
    • Approve claims within a reasonable time frame (max. 6 days).
    • Set up repositories and contracts under review (a list of all contracts covered by the bounty program, separated by severity).

Rationale

The key advantages of the Hats solution compared to traditional, centralized bug bounty services:

  • Bug bounty vaults are loaded with the native or yield-bearing token of each project, reducing the free-floating supply while giving the token additional utility.
  • Scalable bounty network — vault TVL increases with success / token appreciation of the project.
  • Open & permissionless: anyone can participate in the protection of an asset they are a stakeholder of, and any hacker, anywhere in the world, can participate anonymously when disclosing exploits (no KYC needed).
  • In the future, every depositor providing liquidity (taking risk) could earn $HAT tokens.
  • Continuous — as long as tokens are locked in the vault, hackers are incentivized to disclose vulnerabilities through Hats instead of exploiting the project.

Additional advantages of deploying the existing DappRadar bug bounty program on Hats Protocol:

  • DappRadar can reach many more security researchers (aka white hat hackers) with a bounty on Hats Protocol, and each round of scrutiny will make DappRadar safer.
  • DappRadar can fund the bug bounty vault on Hats with its own native token ($RADAR or a yield-bearing token).
  • The bounty reward for the submitter is not paid out at once, to reduce the price pressure on the project token.

Since DappRadar DAO will be farming $HAT tokens with its bounty (after TGE), it's a cost-negative opportunity for DappRadar DAO.

Key Examples

A security researcher recently found a critical-severity vulnerability in Premia Finance's staking contracts and was rewarded $70k for his responsible disclosure:

https://twitter.com/HatsFinance/status/1663243357160890369

In one of the recent audit competitions, security researchers found 3 critical-severity issues in Raft Finance's code during a 7-day audit contest, even though the project had undergone an extensive audit by one of the top-tier auditing firms in the space:

Benefits

  • Having an ongoing security layer for DappRadar smart contracts
  • Interacting with the wider security-researcher community to increase DappRadar's security collectively
  • Creating a security-oriented utility for the $RADAR token
  • Attracting security-minded retail and/or institutional DeFi users to DappRadar products
  • Marketing around DappRadar's security initiatives

Drawbacks

There are no foreseeable drawbacks for DappRadar.

  • FOR: Set up an on-chain bug bounty vault funded with $RADAR on Hats Protocol to create an ongoing security layer over DappRadar smart contracts
  • AGAINST: Do not set up an on-chain bug bounty vault on Hats Protocol
0 voters
3 Likes

Liquidity can be added (with $RADAR and/or yield-bearing tokens) without permission and LPs will be rewarded with $HAT tokens once the liquidity mining program is launched.

Could we have more information on the $HAT token? I looked on Token Sniffer and it didn't look good.

Hey @madeafterdeath! Our token is not live yet (unfortunately, we have been delaying the TGE since May 2022 due to the market conditions) 🙂

1 Like

Well, obviously you can see why we have to move with caution on this? Have you done other companies? From what I've seen of the Hats token, it has had liquidity and drained it, and the owner of the token is holding 66% of the token supply? Again, that does not look good, lol.

What I'm going to do at the moment is delay my vote, because this is beyond my IQ, but there are smarter people on the RADAR team and in the community who will know what this proposal is, and I hope they bring up any issues they have with this before I vote for it. We need to see the $HAT token details though, because from what I have seen it looks bad.

1 Like

To be honest, I have no idea what you are talking about. Our token has never been live.


If I were to type RADAR, I would get examples of people who have created RADAR tokens trying to pretend to be the RADAR token, because they are pro scammers. (Your token isn't even live, you say, but when I look up $HAT I get a couple of rug-pulled scam tokens.)

I get it, but I do not think that we can do anything about those scammers. Still, feel free to ask any of our partners to check whether our token has ever been live or not. You can find the existing bug bounty vaults here: Web3 Audit Competitions and Bug Bounties | HatsFinance

2 Likes

I voted no. Sorry, but the second I understood your token isn't launched yet, that was all I needed to hear. $RADAR is fragile enough as is, and in my own personal opinion I don't think it should be cooperating with a token that hasn't shown some credentials or history on the market yet.

That's putting aside what @madeafterdeath is talking about (i.e. untested team/project legitimacy), which I consider a separate but equally important matter.

1 Like

The CTO and ideator of Hats Finance (Shay Zluf) was part of Prysmatic Labs, writing Ethereum 2.0 client side. What do you mean by untested team?

1 Like

This poll has been closed as it failed to reach the quorum of 20 votes in the allotted time. cc: OP @Fav_truffe

1 Like