DXdao <> Hats collaboration pt.1

Overview

Hats is a decentralized cybersecurity incentive network, governed by its community of stakeholders (hackers, projects, and token holders) to create an incentivized market for protocol security and responsible disclosure.
We are building a scalable model that draws on the development culture of Ethereum to help secure it.

This is a proposal (for discussion) for a collaboration between DXdao and Hats. DXdao would become one of the first organizations to secure its smart contracts using the Hats framework.

This is an introduction to Hats and to the Hats mechanics. We will release more information soon, but feel free to ask questions or give any feedback you may have here or in our Telegram group.

Background

We have been designing, iterating, and actively building Hats for the past 6 months. We will launch v1 (fingers crossed) in mid May, after a few security audits.
The idea for Hats is the result of over 6 years of software development in decentralized systems and smart contracts, and a solution to problems we have personally faced as senior R&D, CTO, and communication managers when launching fund-holding contracts on mainnet.

How will the collaboration work

  • Hats governance will create a bounty vault of DXD tokens, which farms Hats in the process (Security Farming™).
  • The DXD vault will serve as a continuous bounty that scales with the market cap of DXD and DXdao.
  • The vault is a continuous incentive for hackers to actively look for bugs and exploits in DXdao smart contracts and report on it.
  • This creates an additional utility for the DXD token to secure the DXdao smart contracts.

How does Hats work

  • In the case of a detected exploit, the hacker discloses the vulnerability to the DXdao committee, with an on-chain hash proof of the disclosure.
  • The committee, elected by DXdao, will be composed of DXdao core devs, security researchers, and white hat hackers.
  • The committee is responsible for approving or denying the vulnerability submitted by the hacker.
  • If approved, a predetermined amount of tokens, set according to the severity, is released to the hacker as a reward.

Next steps

First – We are happy to continue the discussion and answer any questions people may have here in the forum comments below.

Practical next steps

  1. Choose a committee composed of N addresses or one of the DXdao multisigs.
     More information on the community setup procedure can be found here.
  2. Parameters (all parameters below are examples)
     • Severity levels
       • Critical – up to 70% of the vault
       • High – up to 50% of the vault
       • Medium – up to 20% of the vault
       • Low – up to 5% of the vault
       • Audit request – custom
     • List of contract addresses
     • Priority / vulnerability classes: logic, governance, economic, DDoS, oracle manipulation, dependencies, re-entrancy, cryptography issues, …
     • Out of scope
       • Attacks that have already been exploited
       • Access to leaked keys/credentials
       • Access to privileged addresses (governance, strategist)
       • Incorrect data supplied by third-party oracles
       • (This does not exclude oracle manipulation / flash loan attacks.)
       • Basic economic governance attacks (e.g. 51% attack)
       • Lack of liquidity
       • Best practice critiques
       • Sybil attacks
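To make the mechanism in "How does Hats work" and the example severity parameters above concrete, here is a small added model, written for this post and not Hats' or DXdao's own code. It assumes a disclosure is committed as a salted hash (a stand-in for the on-chain hash proof; sha256 is used in place of keccak256), that only committee members can approve or deny, and that a reward is capped by the severity's share of the current vault balance (the 70/50/20/5% examples, held in basis points so the arithmetic stays integer as it would on-chain). All names, amounts and the sample report are constructed.

```python
"""Toy model of a severity-capped bounty vault with a hash commitment of the
disclosure. Constructed illustration; not the Hats protocol contracts."""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional

# Example severity caps in basis points of the vault balance, mirroring the
# example parameters in the proposal (70%, 50%, 20%, 5%).
SEVERITY_CAP_BPS = {"critical": 7000, "high": 5000, "medium": 2000, "low": 500}


def commitment(report: bytes, salt: bytes) -> str:
    """Hash proof of a disclosure. Publishing this digest on-chain timestamps
    the report without revealing its content. sha256 stands in for the
    keccak256 an EVM contract would use (assumption)."""
    return hashlib.sha256(salt + report).hexdigest()


def payout_cap(severity: str, balance: int) -> int:
    """Maximum reward for a severity, in whole tokens of the vault balance."""
    return balance * SEVERITY_CAP_BPS[severity] // 10_000


@dataclass
class Submission:
    hacker: str
    block_number: int          # when the commitment was recorded
    revealed: bool = False
    severity: Optional[str] = None
    paid: int = 0
    denied: bool = False


class BountyVault:
    def __init__(self, balance: int, committee):
        self.balance = balance
        self.committee = set(committee)
        self.submissions: Dict[str, Submission] = {}

    def commit(self, hacker: str, digest: str, block_number: int) -> None:
        # The first commitment of a digest wins: a later copy of the same
        # report cannot claim priority over the original discloser.
        if digest in self.submissions:
            raise ValueError("commitment already exists")
        self.submissions[digest] = Submission(hacker, block_number)

    def reveal(self, digest: str, report: bytes, salt: bytes) -> Submission:
        # The committee only sees the report once it matches the earlier hash.
        sub = self.submissions[digest]
        if commitment(report, salt) != digest:
            raise ValueError("report does not match the committed hash")
        sub.revealed = True
        return sub

    def _authorize(self, member: str, digest: str) -> Submission:
        if member not in self.committee:
            raise PermissionError("only the committee can rule on a submission")
        sub = self.submissions[digest]
        if not sub.revealed:
            raise ValueError("submission has not been revealed")
        if sub.paid or sub.denied:
            raise ValueError("submission already resolved")
        return sub

    def approve(self, member: str, digest: str, severity: str, amount: int) -> int:
        """Release the requested amount, bounded by the severity cap."""
        sub = self._authorize(member, digest)
        payout = min(amount, payout_cap(severity, self.balance))
        self.balance -= payout
        sub.severity, sub.paid = severity, payout
        return payout

    def deny(self, member: str, digest: str) -> None:
        self._authorize(member, digest).denied = True


if __name__ == "__main__":
    vault = BountyVault(balance=10_000, committee={"committee-signer-1"})
    report = b"constructed sample: reentrancy in withdraw()"
    salt = b"\x00" * 16  # a real submission uses a random, secret salt
    digest = commitment(report, salt)
    vault.commit("hacker-A", digest, block_number=1)
    vault.reveal(digest, report, salt)
    print(vault.approve("committee-signer-1", digest, "critical", 9_000))
```

The commit/reveal split is what makes the "hash proof" useful: the discloser gets a timestamped, tamper-evident record of having found the issue before the details are shared, and the committee can check that the revealed report is the one that was committed. The cap is computed against the vault balance at approval time, so a second approved report after a Critical payout draws on the reduced balance.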

Would love to get the discussion going and get feedback on the proposal.

Thank you!
