DXdao community <> Hats.finance collaboration - Next step

This is a proposal to move forward with the DXdao community <> Hats collaboration, to the second step after passing the collaboration proposal.<link to voting>.

  • Deposit of 1820 DXD (roughly $500,000). We believe this is a sufficient sum to attract developers, auditors, and hackers to re the NXM smart contracts.
  • The deposit will incentivize responsible disclosure of vulnerabilities for the DXdao contracts and products. At any point the DXdao community/governance can decide to withdraw the DXD from the vault.
  • This proposal will be on the contribution reward and not the generic scheme. Funds will be sent to the Committee multisig and from there deposited into the vault. This is because of the delayed withdrawal mechanism Hats implemented, which would cause issues if done directly from the DAO. This should be solved at a later stage.

There are two ways of executing the proposal:

  1. One proposal for $500,000 worth of DXD (roughly 1820 DXD)
  2. Three separate proposals for $166.6k each (roughly 605 DXD)

Once the Hats PPM (Protocol Protection Mining) program is live, deposits into the DXD vault will also automatically farm Hats tokens in return for protecting the DXdao protocol. This provides additional upside to DXdao and its community members who participate in the protection mining.

2 Likes

$500,000 is a heck of a lot, maybe even more than the cost would be if there was an exploit!

Why not start with a smaller but still significant amount, i.e., $50,000? And cap the payout at some percentage of what the cost would be if an exploit was found, so that DXdao isn’t paying half a million dollars for a vulnerability that would’ve only cost $10K if it was exploited, for example.

5 Likes

Hey @Caden, thank you for the time you took to check the proposal.

The advantage of a bug bounty program is it doesn’t cost anything unless there is a critical disclosure that would have been a lot more expensive if it wasn’t for the program in the first place.

We understand this might be a big amount and it can be decreased. You can also consider an incremental funding schedule rather than everything in one go. We could do a monthly deposit of $125k over 4 months.

This amount can be withdrawn back to the community fund at any time. This is not a grant or funding request, but a bounty to protect the contracts.

Bear in mind that funds will be released from the vault only due to a vulnerability disclosure. The upside from fixing an issue is drastically more valuable than the financial face value of the DXD tokens that will be deposited.

As for the severities, the DXdao vault committee can assign different prizes to different severities. It’s flexible, changeable, and controlled by the DXdao committee.

I hope it answers your concerns.

If anyone from the DXdao community has any further questions or concerns, I would be more than happy to answer and address them.

4 Likes

We could possibly calculate severity using a model similar to that of the OWASP risk rating based on impact + likelihood, just like the Ethereum Foundation.

4 Likes
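As an added illustration of the OWASP-style rating mentioned above (not code from the thread or from Hats/DXdao): likelihood and impact factors are each scored 0-9 and averaged, each average is banded LOW/MEDIUM/HIGH, and the two bands are combined through the OWASP severity matrix; a committee could then map the resulting tier to a payout. The factor scores are constructed for illustration and describe no real DXdao finding.

```python
# Added example: severity rating in the style of the OWASP Risk Rating
# Methodology. Factor names and 0-9 scoring follow OWASP; the sample
# scores below are constructed and do not assess any real contract.
from statistics import mean

LIKELIHOOD_FACTORS = ("skill_level", "motive", "opportunity", "size",
                      "ease_of_discovery", "ease_of_exploit", "awareness",
                      "intrusion_detection")
IMPACT_FACTORS = ("loss_of_confidentiality", "loss_of_integrity",
                  "loss_of_availability", "loss_of_accountability")

# OWASP overall-severity matrix, indexed by (likelihood band, impact band).
SEVERITY_MATRIX = {
    ("LOW", "LOW"): "NOTE", ("LOW", "MEDIUM"): "LOW", ("LOW", "HIGH"): "MEDIUM",
    ("MEDIUM", "LOW"): "LOW", ("MEDIUM", "MEDIUM"): "MEDIUM", ("MEDIUM", "HIGH"): "HIGH",
    ("HIGH", "LOW"): "MEDIUM", ("HIGH", "MEDIUM"): "HIGH", ("HIGH", "HIGH"): "CRITICAL",
}

def level(score: float) -> str:
    """Map a 0-9 average onto the OWASP LOW (<3) / MEDIUM (<6) / HIGH bands."""
    if not 0 <= score <= 9:
        raise ValueError(f"score out of range: {score}")
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"

def average(factors: dict, names: tuple) -> float:
    """Average the named factors, refusing incomplete assessments."""
    missing = [n for n in names if n not in factors]
    if missing:
        raise KeyError(f"missing factors: {missing}")
    return mean(factors[n] for n in names)

def rate(likelihood: dict, impact: dict) -> dict:
    """Return likelihood score, impact score and overall severity tier."""
    l_score = average(likelihood, LIKELIHOOD_FACTORS)
    i_score = average(impact, IMPACT_FACTORS)
    return {"likelihood": l_score, "impact": i_score,
            "severity": SEVERITY_MATRIX[(level(l_score), level(i_score))]}

# Constructed sample: a hypothetical flaw that is trivially exploitable by
# anyone and would let an attacker alter vault balances.
SAMPLE_LIKELIHOOD = {"skill_level": 6, "motive": 9, "opportunity": 9, "size": 9,
                     "ease_of_discovery": 7, "ease_of_exploit": 9, "awareness": 6,
                     "intrusion_detection": 8}
SAMPLE_IMPACT = {"loss_of_confidentiality": 2, "loss_of_integrity": 9,
                 "loss_of_availability": 7, "loss_of_accountability": 9}

if __name__ == "__main__":
    print(rate(SAMPLE_LIKELIHOOD, SAMPLE_IMPACT))
```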

Hi @Arhat
We can also share this link for more information about calculating the severity:
https://docs.hackerone.com/programs/environmental-score.html

Thx.
Ofir

1 Like

Hey all,
Short update: we are offering a $50,000 USDC bug bounty program on Rinkeby for responsible disclosure of vulnerabilities in the Hats Dapp.
Learn more: The mission- hack HATs. Decentralized cybersecurity bounty… | by Hats | Jul, 2021 | Medium

1 Like