This is a proposal for B.Protocol to collaborate with Hats.finance to create a hacker/auditor incentive pool that protects the B.Protocol contracts.
B.Protocol will be one of the first Hats incentivized vaults, providing active protection to B.Protocol. The goal of the vault is to incentivize vulnerability disclosure for B.Protocol smart contracts while farming rewards in the form of $HAT tokens.
We are ready to onboard projects now that all audits have come back without significant findings, all findings have been fixed, and the dApp has been tested.
Hats.finance is a proactive incentive protocol for white hat hackers and auditors, where projects, community members, and stakeholders incentivize protocol security and responsible disclosure.
Hats creates scalable security vaults using the project’s own token. The value of the bounty increases with the success of the token and project. In addition, prolific NFT artists have pledged assistance and will create numerous unique NFTs that will be minted specially for hackers or auditors who responsibly disclose vulnerabilities.
We invite every participant in the Ethereum ecosystem to have some skin in the game and help create a more secure future for the users of #Ethereum.
- Smart contracts continuously offer an implicit bounty: the value they hold or the value that is locked by them. Extracting that value maliciously causes more harm to the ecosystem than the size of the extracted value.
- Incentivize continuous auditing of smart contracts.
- Hacks and exploits affect the adoption of every smart contract project and of the ecosystem itself. Ecosystem adoption could be boosted if this risk were reduced.
- The future of the economy is being held back by the forces that try to hack it. Hats.finance incentivizes both parties to collaborate towards the success of the ecosystem.
- 24/7 auditing of your protocol, with a proactive approach that incentivizes the hacker to disclose a vulnerability instead of exploiting it.
- A disclosed vulnerability means no TVL or token loss.
- The PR around a disclosed vulnerability becomes a strength for the project.
- Attract more users to the “strong and secure protocol”
- Token staked in the vault → token with higher security guarantees.
- Another yield farming option.
- One-sided yield farming based on your token
A committee’s main incentive to triage reports is the potential to rescue user funds and protocol reputation. In addition, Hats has two incentive mechanisms in place:
- Each call to the approve function (the committee’s confirmation that a reported exploit is valid and has been resolved) triggers a split function that sends part of the reward (5% by default) to the committee for triaging the issue and resolving it responsibly.
- Each exploit claim carries an ETH-denominated fee. The fee is intended to reduce report spam and to incentivize triage by committees. Fees are sent to the Hats governance wallet, so that the reported project is not exposed on chain, and are transferred to the respective committees from time to time once a disclosure description is received that matches the vulnerability hash submitted on chain.
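To make the two mechanisms concrete, here is an added illustrative model of the claim → approve → split flow and of the hash-matched fee release. It is not Hats.finance contract code: the function names, the sha256 commitment, the 0.1 ETH fee and the severity payout table are assumptions made for the example. The page itself only gives the 5% default committee share, an ETH-denominated fee per claim held by governance, and an on-chain hash of the vulnerability that the later disclosure must match; the model also shows why the reward grows with the vault, since it is computed as a fraction of the vault balance.

```python
# Added illustrative model of the claim / approve / split flow described
# above. NOT Hats.finance contract code: function names, the sha256
# commitment, the 0.1 ETH fee and the severity payout table are assumptions.
import hashlib
import hmac
from dataclasses import dataclass, field

COMMITTEE_SHARE_BPS = 500      # 5% of each approved reward (page default), in basis points
CLAIM_FEE_WEI = 10**17         # assumed spam-prevention fee: 0.1 ETH, parked with governance

# Assumed: share of the vault paid out per severity, in basis points.
SEVERITY_PAYOUT_BPS = {"critical": 5000, "high": 2000, "medium": 500}


def commitment(description: str) -> bytes:
    """Hash the private vulnerability write-up; only this goes on chain at claim time."""
    return hashlib.sha256(description.encode("utf-8")).digest()


@dataclass
class Claim:
    reporter: str
    digest: bytes            # hash of the disclosure, submitted with the claim
    fee_wei: int             # ETH fee, parked in the governance wallet
    approved: bool = False
    fee_released: bool = False


@dataclass
class Vault:
    committee: str           # address allowed to call approve()
    balance: int             # project tokens deposited as the bounty pool
    claims: list = field(default_factory=list)
    governance_fees_wei: int = 0
    committee_fees_wei: int = 0

    def submit_claim(self, reporter: str, disclosure_hash: bytes, fee_wei: int) -> int:
        """Open a claim: the reporter commits to a hash and pays the spam fee."""
        if fee_wei < CLAIM_FEE_WEI:
            raise ValueError("claim fee too low")
        # The fee goes to the governance wallet, not to the project, so the
        # on-chain transfer does not reveal which project was reported.
        self.governance_fees_wei += fee_wei
        self.claims.append(Claim(reporter, disclosure_hash, fee_wei))
        return len(self.claims) - 1

    def approve(self, caller: str, claim_id: int, severity: str) -> dict:
        """Committee confirms the exploit; the reward is split reporter / committee."""
        if caller != self.committee:
            raise PermissionError("only the committee may approve")
        claim = self.claims[claim_id]
        if claim.approved:
            raise ValueError("claim already approved")
        # Reward is a fraction of the vault, so it grows with the vault's value.
        reward = self.balance * SEVERITY_PAYOUT_BPS[severity] // 10_000
        committee_cut = reward * COMMITTEE_SHARE_BPS // 10_000
        reporter_cut = reward - committee_cut      # remainder, so no rounding dust is lost
        self.balance -= reward
        claim.approved = True
        return {"reporter": reporter_cut, "committee": committee_cut}

    def release_fee(self, claim_id: int, description: str) -> bool:
        """Governance forwards the parked fee to the committee once the plaintext
        disclosure matches the hash committed on chain; otherwise it stays parked."""
        claim = self.claims[claim_id]
        if claim.fee_released:
            return False
        if not hmac.compare_digest(claim.digest, commitment(description)):
            return False
        self.governance_fees_wei -= claim.fee_wei
        self.committee_fees_wei += claim.fee_wei
        claim.fee_released = True
        return True


def demo() -> dict:
    """Walk one claim through the flow on a constructed 1,000,000-token vault."""
    vault = Vault(committee="0xCommittee", balance=1_000_000)
    writeup = "constructed example: unchecked return value in withdraw()"
    cid = vault.submit_claim("0xReporter", commitment(writeup), CLAIM_FEE_WEI)
    split = vault.approve("0xCommittee", cid, "critical")
    released = vault.release_fee(cid, writeup)
    return {"split": split, "vault_left": vault.balance, "fee_released": released}
```

With a 1,000,000-token vault and the assumed 50% critical payout, `demo()` pays the reporter 475,000 and the committee 25,000 (the 5% default), leaves 500,000 in the vault, and releases the parked fee only because the plaintext write-up hashes to the committed digest; a different or edited write-up leaves the fee with governance.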
Project community \ Token holders:
- Join the effort to secure the ecosystem.
- Financial incentive in the form of yield farming (on liquidity mining program launch).
- Protect their own project token by sacrificing a portion of their token holdings to the vault, making the rest of their holdings more secure, and earn $HAT for doing so (on liquidity mining program launch).
Hackers \ Auditors:
- Fungible funds: no need to move the funds through mixers.
- Incentivized by a big prize: less than what they could extract by exploiting, but still a meaningful amount.
- Play by black hat rules and get a white hat attitude.
- Easier to disclose a vulnerability than to exploit it.
- No KYC
- Reputation and notoriety as a proficient hacker
- Be good, do good for the community
When you incentivize hackers with a big bounty, you draw attention to securing your protocol. Because the bounty is a relative portion of the vault, the more value the vault holds, the larger the prize. A ballpark starting figure of ~$0.5m-$1m for a critical bug will draw significant attention from potential hackers and auditors.
(demo video is attached)
Hats audit and security measures:
The Hats contracts have been audited by Zokyo, and two more audits have been done internally. All issues have been fixed to the satisfaction of the auditors.
Proposal action items:
- Decide on Collaboration with hats.finance
- Choose and set up a committee
- Vote on the DAO participation amount (how much $BPRO will be used from the treasury)
Onboarding action items:
Choose a committee (preferably the existing B.Protocol multisig). The committee will:
- Triage auditor/hacker reports and claims.
- Approve claims within a reasonable time frame (max 6 days).
- Set up the repositories and contracts under review (a list of all contracts covered by the bounty program and their severity levels).
- Be responsive via its Telegram bot.
- DAO process: proposal \ voting \ announcement
- Dev process: committee setup \ private Telegram bot
- Hats team <> B.Protocol committee call to set up
- Protocol: choose the protocol/contracts to cover and their severity levels.
- Hats governance sets the emission rate for the B.Protocol vault.
- Project and users deposit funds.
For the dev setup, please see the comments.
Would love to get the discussion going and get feedback on the proposal.