B.Protocol <> Hats.finance: Proactive security for smart contract

This is a proposal for B.Protocol to collaborate with Hats.finance to create a hacker/auditor incentive pool to protect the B.Protocol contracts.

B.Protocol will be one of the first Hats-incentivized vaults, providing active protection to B.Protocol. The goal of the vault is to incentivize vulnerability disclosure for B.Protocol smart contracts while farming rewards in the form of HAT tokens.

We are ready to onboard projects after all audits have come back without significant findings, all findings have been fixed, and the Dapp has been tested.

Overview

Hats.finance is a proactive incentive protocol for white hat hackers and auditors, where projects, community members, and stakeholders incentivize protocol security and responsible disclosure.

Hats creates scalable security vaults using the project’s own token. The value of the bounty increases with the success of the token and project. In addition, prolific NFT artists have pledged assistance and will create numerous unique NFTs that will be minted specially for hackers or auditors who responsibly disclose vulnerabilities.

We offer every participant in the Ethereum ecosystem the chance to have some skin in the game and create a more secure future for the users of #Ethereum.

Hats.finance mechanism:

  • Smart contracts are continuously offering a bounty in the form of their value or the value that is locked by them. Extracting this value in a malicious manner causes more harm to the ecosystem than the size of the extracted value.
  • Incentivize continuous audit for smart contracts
  • Hacks or exploits have an effect on the adoption of all smart contract projects and on the ecosystem itself. Ecosystem adoption could be boosted if we could reduce this risk.
  • The future of the economy is being withheld by the forces who try to hack it. Hats.finance incentivizes both parties to collaborate towards the success of the ecosystem.

Benefit:

Project covered:

  • 24/7 audit on your protocol with a proactive approach that incentivizes the hacker to disclose the vulnerability instead of hacking
  • A disclosed vulnerability means no TVL / token loss
  • PR of vulnerability becomes a strength to the project.
  • Attract more users to the “strong and secure protocol”

Token value:

  • Token staked in vault → Token with higher security guarantees
  • Another yield farming option.
  • One-sided yield farming based on your token

Committee:

The main incentive for a committee to triage reports is the potential to rescue user funds and protocol reputation. In addition to that, Hats has two incentive mechanisms in place:

  • Each call to the approve function (confirmation of an exploit that was resolved by the project committee) triggers a split function that sends part of the reward (default 5%) to the committee for triaging the issue and solving it in a responsible manner.

  • Each exploit claim carries an ETH-denominated fee. This fee is intended to reduce exploit report spam and to incentivize report triage by committees. The fees are transferred to the Hats governance wallet in order not to expose the project that was reported, and will be transferred to the respective committees from time to time upon receipt of disclosure descriptions that correspond to the hash of the vulnerability on chain.
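To make the two committee incentives above concrete, here is an added example that models the flow in Python. It is not Hats.finance code and is not taken from this thread: the contract, address names, severity payout shares, the 0.1 ETH fee amount and the use of sha256 for the on-chain commitment are all assumptions chosen for illustration; the only figures taken from the proposal are the default 5% committee split and the fact that claim fees are parked with governance until the reporter's write-up matches the hash posted at claim time.

```python
# Added example (not Hats.finance code): a minimal model of the committee
# incentive mechanism described above, so a claim can be traced end to end.
# Names, data structures, severity shares, the fee amount and the sha256
# commitment are assumptions; the 5% committee share is from the proposal.
import hashlib
from dataclasses import dataclass, field

COMMITTEE_SHARE_BPS = 500      # default 5% committee split (from the proposal)
CLAIM_FEE_WEI = 10**17         # assumed fee: 0.1 ETH per claim (page gives no amount)


def commitment(disclosure: str) -> str:
    """Hash the reporter posts on chain at claim time; the plaintext write-up
    goes to the committee off chain. sha256 is used here for portability;
    an on-chain contract would typically use keccak256 (assumption)."""
    return hashlib.sha256(disclosure.encode("utf-8")).hexdigest()


@dataclass
class Claim:
    reporter: str
    vuln_hash: str
    fee_wei: int
    approved: bool = False


@dataclass
class Vault:
    balance: int                    # project tokens deposited as the bounty pool
    committee: str
    governance: str
    severity_bps: dict              # severity -> share of the vault paid out (assumed)
    claims: list = field(default_factory=list)
    ledger: dict = field(default_factory=dict)      # address -> token balance
    eth_escrow: dict = field(default_factory=dict)  # address -> wei held

    def submit_claim(self, reporter: str, vuln_hash: str, fee_wei: int) -> int:
        """Register a claim; the fee is parked with governance, not the
        committee, so the committee wallet does not reveal which project
        was reported."""
        if fee_wei < CLAIM_FEE_WEI:
            raise ValueError("claim fee too low")
        self.eth_escrow[self.governance] = self.eth_escrow.get(self.governance, 0) + fee_wei
        self.claims.append(Claim(reporter, vuln_hash, fee_wei))
        return len(self.claims) - 1

    def approve(self, claim_id: int, severity: str):
        """Committee confirms a resolved exploit: the reward is a severity-
        dependent share of the vault, and the split sends 5% to the committee."""
        claim = self.claims[claim_id]
        if claim.approved:
            raise ValueError("claim already approved")
        reward = self.balance * self.severity_bps[severity] // 10_000
        committee_cut = reward * COMMITTEE_SHARE_BPS // 10_000
        self._credit(self.committee, committee_cut)
        self._credit(claim.reporter, reward - committee_cut)
        self.balance -= reward
        claim.approved = True
        return reward, committee_cut

    def release_fee(self, claim_id: int, disclosure: str) -> int:
        """Governance forwards the fee to the committee only when the
        disclosure text matches the hash committed at claim time."""
        claim = self.claims[claim_id]
        if commitment(disclosure) != claim.vuln_hash:
            raise ValueError("disclosure does not match on-chain hash")
        amount = claim.fee_wei
        self.eth_escrow[self.governance] -= amount
        self.eth_escrow[self.committee] = self.eth_escrow.get(self.committee, 0) + amount
        return amount

    def _credit(self, addr: str, amount: int) -> None:
        self.ledger[addr] = self.ledger.get(addr, 0) + amount


def run_demo():
    """Walk one claim through submission, approval and fee release."""
    vault = Vault(balance=1_000_000, committee="committee", governance="hats_gov",
                  severity_bps={"critical": 5_000, "high": 1_000})
    report = "constructed placeholder disclosure text"   # constructed sample input
    cid = vault.submit_claim("whitehat", commitment(report), CLAIM_FEE_WEI)
    reward, cut = vault.approve(cid, "critical")          # 500_000 reward, 25_000 to committee
    fee = vault.release_fee(cid, report)                  # fee moves governance -> committee
    return vault, reward, cut, fee


if __name__ == "__main__":
    v, reward, cut, fee = run_demo()
    print(f"reward={reward} committee_cut={cut} fee_released={fee} vault_left={v.balance}")
```

The point of the hash commitment is that a reporter can prove later that the write-up they hand the committee is the one they committed to at claim time, without the vulnerability details touching the chain; a mismatched or altered write-up fails `release_fee`, so the spam fee stays with governance.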

Project community / Token holders:

  • Join the effort to secure the ecosystem.
  • Financial incentive in the form of Yield farming (on liquidity mining program launch)
  • Protect their own project token by sacrificing a portion of their token holdings to make their holdings more secure, and get $HAT by doing so (on liquidity mining program launch)

Hacker/Auditors:

  • Fungible funds - no need to move the funds into mixers
  • Incentivized by the big prize, less than what they could hack, but still a meaningful amount.
  • Play black hat rules and get a white hat attitude.
  • Easier to disclose a vulnerability than to exploit it
  • No KYC
  • Reputation and notoriety as a proficient hacker
  • Be good, do good for the community

Vault size:

When you incentivize hackers with a big bounty, you drive attention to securing your protocol. Because the bounty is a relative portion of the vault, the more value the vault holds, the larger the prize. A ballpark starting number of ~$0.5m-$1m for a critical bug will draw significant attention from potential hackers or auditors.

(demo video is attached)

Hats audit and security measures:

Hats contracts have been audited by Zokyo, and 2 more audits have been done internally. All issues have been fixed to the satisfaction of the auditors.

Proposal action items:

  • Decide on Collaboration with hats.finance
  • Choose and set up a committee
  • Vote for DAO participation amount (How much $BPRO will be used from the treasury)

Onboarding action items:

  • Choose committee: Committee is preferably the existing B.Protocol Multisig
  • Committee responsibility:
    1. Triage auditors/hackers reports/claims.
    2. Approve claims within a reasonable time frame (Max of 6 days)
    3. Set up repositories and contracts under review. (List of all contracts under the bounty program and their severity)
    4. Be responsive via its telegram bot.
  • DAO process: proposal / Voting / announcement
  • Dev process: Committee setup / Private Telegram bot
    • Hats team <> B.Protocol committee call to set up
    • Protocol: Choose protocol/contracts to cover, severity level.
  • Hats governance sets emission rate to the B.Protocol vault.
  • Project and users deposit funds

For the Dev setup, please see the comments.

Would love to get the discussion going and get feedback on the proposal.

Thank you!

2 Likes

Hey all,

Thank you for the opportunity; My name is Ofir, I’m the BizDev of Hats.finance.
We would love to receive your comments about the proposal.

For the Dev setup:

  1. Use this form for committee setup.

  2. Use this Doc for more details.

Thanks @sombrero for this intro.
As it is quite long and very detailed, I assume it will help the B.Protocol community to get answers to some questions I came up with (others are welcome to add their own):

  1. Can you please elaborate about these Hats farming rewards for the B.Protocol DAO?

  2. AFAIK Hats gov is not live yet. If the DAO is to participate in the Hats liquidity mining program as suggested, will these tokens be locked in any way? Is there any ETA on the LM program launch date?

  3. Who has access to the BPROs in the Vault? And for how long should the DAO consider locking it?

  4. These “ballpark” numbers are not relevant for the B.Protocol reserve size atm. Do you have any other references for the size of the bug bounty? In relation to reserve size / TVL or any other metric?

  5. Can you please share more info/links to reports for the DAO to review?

  6. Can you summarize the next steps the DAO should make in order to progress with this collaboration?

Thanks

1 Like

Hey, @EitanK thank you for the detailed questions

I will try to answer your questions.

1. Can you please elaborate about these Hats farming rewards for the B.Protocol DAO?

B.Protocol will be one of the first projects to use the Hats security vaults. The Hats Protocol Protection Mining (PPM), the engine behind the HAT token farming, has a halving mechanism that decreases the amount of tokens emitted over time. This incentivizes early adoption and participation, uniquely available for B.Protocol token holders.

2. AFAIK Hats gov is not live yet. If the DAO is to participate in the Hats liquidity mining program as suggested, will these tokens be locked in any way? Is there any ETA on the LM program launch date?

When the PPM starts there will not be any token lock period. We plan to implement this in the future; we will update the B.Protocol community beforehand.

3. Who has access to the BPROs in the Vault? And for how long should the DAO consider locking it?

The B.Protocol committee has the ability to deploy funds to white hat hackers who disclosed vulnerabilities. Hats governance is an additional layer of security against the committee going rogue. The goal of Hats is to be a continuous and ongoing bounty, so as long as B.Protocol has mainnet contracts the $BPRO tokens should be there to incentivize responsible disclosure instead of hacking the protocol.

4. These “ballpark” numbers are not relevant for the B.Protocol reserve size atm. Do you have any other references for the size of the bug bounty? In relation to reserve size / TVL or any other metric?

Our research showed that bug bounties with more than $500k for a critical vulnerability drew attention from auditors and hackers as interesting prize allocations. We are onboarding new projects with different TVL, and each one of them chooses differently.

Our unique mechanism allows all $BPRO holders to deposit whenever they feel it’s the right time to add more security eyes on the protocol. For example: launching a new product, a new collaboration that affects the smart contracts, etc.

As a community, you can choose together how important it is for you to incentivize others to make B.Protocol a much safer environment. Another path that is developing is the gradual deployment of funds to the vault in batches of $50k-250k over a couple of months, reducing the smart contract risk of depositing funds into the Hats vaults.

5. Can you please share more info/links to reports for the DAO to review?

- Please see the Zokyo audit (Hats Finance - final audit report.pdf, Google Drive).

- The other 2 audits have been done internally and all issues have been fixed.

- In addition, Hats.finance will deposit 1% of the HAT tokens in circulation in the Hats vault as a bounty program.

6. Can you summarize the next steps the DAO should make in order to progress with this collaboration?

After the decision of collaboration with Hats.finance:

1. Choose and set up a committee and specify protected smart contracts and their severities. (Fill in the form)

2. Vote for DAO participation amount (How much $BPRO will be used from the treasury)

We appreciate your interest and attention to detail.

We would love to be hosted on your Discord for an AMA. You can drop questions in advance here or in Discord as well.

Thanks for the opportunity!

@sombrero | Ofir - Hats.finance

1 Like

Are the contracts public? GitHub from Audit seems to be broken/private.

2 Likes

Hey @TragedyStruck, thank you for taking the time to check.

Hats.finance contracts are not public yet. They will be public upon launch. Yaron has access and can see them.

Regarding the audit, sharing the link again:

I’m just going to think out loud here for a moment. The way I see it, a pro here is collaboration across protocols for mutual exposure. Hats also aims to provide better mitigation against black hat hackers taking advantage of potential bugs.

I did not know if B.Protocol had any such program, but I see that there is an indefinite program for up to $20 000. Compared with other protocols, they seem to have similar “off-chain” systems, like Compound from $500 to $150 000, Aave with up to $250 000 and MakerDAO up to $100 000.

I think that the contracts not being public is a bit of a downer. While @yaron is very well fit to look at them, it is extremely un-DAO-esque (for lack of a better word) that only he is able to do so.

I think the farming aspect is a bit of an unknown, given that the protocol is not launched yet.

I don’t know if I have a complete feel for this yet. I like that it feels more in line with the ecosystem, but I’m not sure I think it is the correct move at this time with the protocol not being launched and a few “unknowns” for me. Just my 2 wei. I’d love to see some other community input!

3 Likes

Hey @TragedyStruck, thanks for taking the time to share your thoughts; we appreciate the feedback.

Once the contracts are on mainnet you will be able to review them; this will happen before the voting on the collaboration starts.

As for the emission rates, we are working on the full plan for that as we speak, in what we call the Protocol Protection Mining, or PPM for short. We should have the details of that shared fairly soon, but we are trying to create both the correct incentives for people to participate and to stay aligned long term with the project. This is not an easy feat, and we’ve been discussing with several live protocols their thoughts on this.

At any rate, the collaboration is essentially a win-win situation for B.Protocol and its community. Firstly, with the farming and yield generated from the Hats PPM, and secondly, a bug bounty program doesn’t cost anything unless there is a critical disclosure that would have been a lot more expensive if it wasn’t for the program in the first place.

2 Likes

To clarify, it will not be put to a DAO vote before the DAO has had a chance to look at the sources.
Also, for the rest of the unknowns, your concerns are legit, and part of the discussion is to get answers for these.

2 Likes

Hi @yaron, thanks for the clarification.
As you said, the voting on the collaboration will take place after the Hats.finance contracts are available for public view. We will update here as soon as it happens.

Hey all,
Short update: we are offering a $50,000 USDC bug bounty program on Rinkeby for responsible disclosure of vulnerabilities in the Hats Dapp.
Learn more: “The mission: hack HATs. Decentralized cybersecurity bounty…” by Hats (Medium, Jul 2021)
:eyes: @TragedyStruck

2 Likes