Bug Bounty Proposal by Hats Finance #2022-10-B001

Title: Bug Bounty Proposal by Hats Finance #2022-10-B001
Author(s): Fav_Truffe#7571
Date Created: 12.10.2022
Date Published: 17.10.2022

# Summary

The direct losses from hacks and exploits between 2020-2022 are above $15B, and yet, the solutions currently being offered are not decentralized, permissionless, scalable, and continuous like Map Protocol is.

This is a proposal for Map Labs to collaborate with Hats.finance to create an on-chain, free, and permissionless incentives pool for hackers/auditors to protect the Map Protocol smart contracts. The goal of the vault is to incentivize responsible vulnerability disclosure for Map Protocol. Liquidity can be added permissionlessly (with $MAP and/or yield-bearing tokens), and LPs will be rewarded with $HAT tokens once the liquidity mining program is launched.

# Background

Hats.finance is an on-chain, decentralized bug bounty platform specifically designed to prevent crypto-hack incidents by offering the right incentives. Additionally, Hats.finance allows anyone to add liquidity to a smart bug bounty. Hackers can disclose vulnerabilities responsibly without KYC and be rewarded with scalable prizes and NFTs for their work.

Smart bug bounty programs are a win-win for everyone. They can be created easily with a few on-chain transactions (it takes less than 1 hour to set up a vault on Hats), and are free of charge. Hats only charges a fee once an incident has been successfully mitigated: the protocol retains 10% of the payout as a fee from the security researcher. An actual exploit is far more costly and can cause irreversible damage. More importantly, the bounty program is transparent, decentralized, and gives power to the community of the project.

# Specification

The key advantages of the Hats solution compared to traditional, centralized bug bounty services:

  • Bug bounty vaults are loaded with the native or yield-bearing token of each project, reducing the free-floating supply while giving the token additional utility.
  • Scalable bounty network — vault TVL increases with success / token appreciation of the project.
  • Open & Permissionless — Anyone can participate in the protection of an asset they are a stakeholder of, and any hacker, anywhere in the world, can participate anonymously when disclosing exploits (no KYC needed).
  • In the future, every depositor providing liquidity (and thereby taking risk) could earn $HATS tokens.
  • Continuous — As long as tokens are locked in the vault, hackers are incentivized to disclose vulnerabilities through Hats, instead of exploiting the project.

# Financial Implications

We propose that 5 million $MAP from the Ecosystem DAO be granted as the initial deposit for the bug bounty vault, which will then be open to community deposits. This fund will be used as the bounty for white hat hackers who responsibly disclose vulnerabilities regarding the Map Protocol.

# Success Metrics or KPIs

  • 21 Bounty Vaults
  • $1.7m TVL (12th of October)
  • 25% of TVL from the community (12th of October)
  • Strong growth in the community of security researchers

# Next Steps

If the proposal is accepted, MAP DAO is expected to:

1- Choose and set up a committee

2- Vote on the amount the DAO will contribute to the bug bounty program (how much $MAP or yield-bearing assets from the treasury will be used for the initial deposit)

Onboarding action items:

  • Choosing a committee: The committee is preferably the public multisig contract of Map Protocol or a multisig specifically set up to manage the bounty program.

The Committee's responsibilities:

  • Triage incoming vulnerability reports/claims from auditors/hackers (get back to the reporter within 12 hours).
  • Approve claims within a reasonable time frame (max. 6 days).
  • Set up the repositories and contracts under review (a list of all contracts covered by the bounty program, separated by severity).

# Concluding Remarks

At Hats.finance, we envision a future in which a security marketplace acts as permissionless infrastructure for the crypto ecosystem. Considering how much Map Protocol cares about the security of the network and its operations, it is beyond any doubt that a bounty on Hats.finance will draw more attention from white hat hackers and auditors to the smart contracts of Map Protocol. Accordingly, every such review will contribute to the safety and security of Map Protocol.

We would love to see the discussion go into detail and get feedback on the proposal.

Thank you!

2 Likes

Hey Map frens! I am sending the project links below since I was maxed out at 2 links :slight_smile:

Project links:

Hats Audit

Cool project! But from what I know about Map is that their light-client technology basically ensures that they can reach probably the highest security level in crosschain?

2 Likes

Hey @rabbit_11bit! Thanks for the reflection.

As long as a project is not hack-proof (which is almost impossible to achieve), we recommend all projects to have a bug bounty.

Most of the projects that were hacked between 2020-2022 were audited and well-trusted projects, yet they were exploited.

Finally, having a bug bounty vault on Hats protocol is cost-negative. Since Hats Finance provides a non-custodial and permissionless infrastructure, MAP DAO can withdraw the deposit whenever it wishes. In the meantime, since depositors will be incentivized with $HAT tokens after our TGE, it is very probable that MAP DAO will create additional income for the DAO by farming $HAT tokens.

Much support on this one.

2 Likes

Have you guys set up similar programs for other layer 1s? What is your track record?

1 Like

Hey @0xwinterbell! We are going to deploy Hats Protocol to additional L1s and L2s and will announce which ones very soon. Our ambition is that all bounties, independent of which chain they live on, will be visible in the same UI to give each bounty the maximum reach to security researchers and LPs.

In terms of track record: We have a great community of security researchers who are auditing the code of the projects and we just completed another Capture the Flag hacking challenge. Stay tuned for the announcement of the final winners!

We had a couple of smaller payouts but we have not had any critical severity payout yet. It would be great for the protocol but obviously we don’t wish that it happens to any of our partners :slight_smile:

2 Likes

What about setting up a bounty program for all MAP ecosystem projects?

1 Like

No problem, it's the committee's responsibility to determine the scope of the bounty program.

MAP vault’s committee members might include as many smart contracts (of ecosystem projects) as they wish in the scope of the bounty program, until these ecosystem projects want to create a bounty for themselves.

1 Like

On-chain, free, and permissionless incentives pool for hackers/auditors, awesome

1 Like