Bug bounties offer the means to create a fair P2P market for the exchange of vulnerability information. They offer a form of perpetual protection, directly incentivizing security researchers to investigate project codes for vulnerabilities while ensuring projects only need to pay for meaningful security information that could compromise their protocol.
Hats has created the tooling and mechanisms to offer Web3’s first truly decentralized smart bug bounty marketplace. Our bug bounty vaults operate in accordance with the core aspects of the DeFi ecosystem. In short, they are permissionless, protect anonymity, are scalable, and allow anyone to provide liquidity to bug bounties.
Framing the problem
In 2020, Web3 experienced what became known as the DeFi summer. Extraordinary rewards were experienced by protocols and users alike. However, simultaneously, this decentralized new world brought with it severe security risks and exploits began to abound.
We identified a crucial security issue in Web3 and devised a solution to address it. Here's an overview of our thinking process and the measures we implemented to tackle the problem:
- Web3 is built on smart contracts.
- Smart contracts are continuously at threat, offering a bounty in the form of their value or form of their value or the value that is locked by them.
- Black hat hackers maliciously work to extract the value that is locked by them.
- Extracting this value in a malicious manner causes more harm to protocols and the ecosystem as a whole than the size of the extracted value.
- Hacks or exploits have an effect on the adoption of all smart contract projects and the ecosystem itself. Ecosystem adoption could be boosted if we could reduce this risk.
- Protection can be created through incentivizing continuous audits of smart contracts
- Bug bounties enable protocols to incentivize hackers to become blockchain protectors rather than exploiters.
- Hats.finance incentivizes protocols, their users and hackers/security professionals to collaborate towards the success of the ecosystem.
Partners of Hats engage with the vault ecosystem in the following manner:
- 1.Representatives from the protocol and Hats collaborate to clarify the specific security needs of the protocol. They also determine if a bug bounty program can assist in securing the project.
- 2.If the protocol decides to establish a vault, it defines the composition of its vault committee. This committee ideally consists of security researchers, developers, and other essential project personnel.
- 3.In conjunction with Hats' governance, the protocol creates a bounty vault using its project tokens. The protocol can allocate up to 1% of its circulating token supply and earn Hats tokens through farming (subject to Hats' TGE - Token Generation Event).
- 4.Once the vault becomes operational, if a vulnerability is identified, the hacker must disclose the exploit to the protocol's committee via Hats' encrypted communication channel. The disclosure must include an on-chain hash proof.
- 5.The committee evaluates the vulnerability submission and either approves or rejects it. If approved, the committee releases funds to the hacker as per the token allocation specified in the vault.