Hats.finance - Proactive security for smart contract

Hi everyone, my name is Ofir. I’m the onboarding and community manager of Hats.Finance.

To continue the previous post discussed here: https://daotalk.org/t/dxdao-hats-collaboration-pt-1/2911
And our presentation on the Bizdev call here (starting at 35:00…): YouTube

We want to move forward and propose a full collaboration between DXdao and Hats.
This is a proposal for DXdao to collaborate with Hats to create hacker/auditors incentive pools to protect the DXdao contracts and product contracts.

DXdao will be one of the first Hat incentive vaults providing active protection to DXdao. The goal of the vault is to incentivize vulnerability disclosure for DXdao smart contracts while farming rewards in the form of hats tokens.

Overview

Hats.finance is a proactive incentive protocol for white hat hackers and auditors, where projects, community members, and stakeholders incentivize protocol security and responsible disclosure.

Hats creates scalable security vaults using the project’s own token. The value of the bounty increases with the success of the token and project. In addition, prolific NFT artists have pledged assistance and will create numerous unique NFTs that will be minted specially for hackers or auditors who responsibly disclose vulnerabilities.

We offer every participant in the Ethereum ecosystem a way to have some skin in the game and create a more secure future for the users of #Ethereum.

Hats.finance mechanism:

Smart contracts are continuously offering a bounty in the form of their value or the value that is locked by them. Extracting this value in a malicious manner causes more harm to the ecosystem than the size of the extracted value.

  • Incentivize continuous audit for smart contracts
  • Hacks or exploits have an effect on the adoption of all smart contract projects and the ecosystem itself. Ecosystem adoption could be boosted if we could reduce this risk.
  • The future of the economy is being withheld by the forces who try to hack it. Hats.finance incentivizes both parties to collaborate towards the success of the ecosystem.

Benefit:

Project covered:

  • 24/7 audit of your protocol with a proactive approach that incentivizes the hacker to disclose the vulnerability instead of hacking
  • A disclosed vulnerability means no TVL/token loss
  • PR of a vulnerability becomes a strength of the project.
  • Attract more users to the “strong and secure protocol”

Token value:

  • Token staked in vault >> Token with higher security guarantees
  • Another yield farming option.
  • One-sided yield farming based on your token

Committee:

  • To be the first to know the vulnerability.
  • Personally incentivized by the “claim fee” and by the call to the approve function: a percentage of the prize.

Project community / Token holders:

  • Join the effort to secure the ecosystem.
  • Financial incentive in the form of Yield farming
  • Protect their own project token by sacrificing a portion of their tokens to make their holdings more secure, and get $HAT by doing so.

Hacker:

  • Fungible funds - no need to move the funds into mixers
  • Incentivized by the big prize, less than what they could hack, but still a meaningful amount.
  • Play black hat rules and get a white hat attitude.
  • Easier to disclose a vulnerability than to exploit it
  • No KYC
  • Reputation and notoriety as a proficient hacker
  • Be good, do good for the community

Vault size:

When you incentivize hackers with a big bounty, you drive attention to securing your protocol. Because the bounty is a metric of % of the vault, the higher the vault size, the bigger the prize. A ballpark starting number of ~$0.5m-$1m for a critical bug will draw significant attention from potential hackers or auditors.

Proposal action items:

  • Decide on Collaboration with hats.finance
  • Choose and set up a committee
  • Vote for DAO participation amount (How much DXD will be used from the treasury) (DAO treasury or project)

Onboarding action items:

  • Choose committee: The committee is preferably the DXdao Dev Multisig.

  • Committee responsibility & Individual incentive:

      1. Triage auditors’/hackers’ reports/claims.
      2. Approve claims within a reasonable time frame (max of 6 days).
      3. Set up repositories and contracts under review (list of all contracts under the bounty program and their severity).
      4. Be responsive via its Telegram bot.

  • DAO process: Voting

  • Dev process: Committee setup / Private Telegram bot

    • Hats team <> DXdao committee call to set up
    • Protocol: Choose protocol/contracts to cover, severity level.

  • Hats governance sets emission rate to the pool.

  • Project and users deposit funds

For the Dev setup, we have a detailed document for an easy process.

Would love to get the discussion going and get feedback on the proposal.

Thank you!

Hats communication:

:video_game: [Discord], please join and introduce yourself.

:bird: [Twitter], follow for updates and news.

:email: [Telegram], follow for updates and discussion.

2 Likes

After looking into Hats Finance a bit, I see that while it sounds like a cool idea, they don’t have a working product or even a website yet. Just 2 Medium posts, and I didn’t see any specifics about who’s on the Hats team.

I suggest waiting until Hats has a working solution that’s being used by other reputable projects, and at least some members of the team have shown their faces and LinkedIns, before DXdao considers taking the risk of trying this new project.

2 Likes

@Caden Did you watch the video linked to in the post?

It is a pretty comprehensive overview of the project (with their faces) that was presented on the DXbiz call three weeks ago.

Oren (co-founder of Hats and former VP engineering at DAOstack) also discussed Hats on the DXbiz call on May 10 and might be worth checking out.

3 Likes

Thanks @Powers, I had a look and I found the slide you mentioned with their full names and faces (33:32). This makes me less concerned.

In that case, it sounds like an interesting idea, and I’ll defer to you and the other people who know more about the specifics!

3 Likes

Thanks for continuing this initiative @Ofir. This “Action Plan” is the most important part, so the community has an idea of next steps that would be needed.

Looking forward to discussing more on Monday’s call.

1 Like