Bug Bounty Vault Proposal by Hats Finance

# TLDR
This is a proposal for Lido DAO to collaborate with Hats.finance to create an on-chain, free, non-custodial, scalable and permissionless incentives pool for hackers/auditors to protect the Lido smart contracts.

# Abstract

The direct losses from hacks and exploits between 2020-2022 are above $15B, and yet the solutions currently being offered are not decentralized, permissionless, scalable, continuous and open to everybody like Lido is.

This proposal aims to create an incentives pool on Hats Protocol for hackers/auditors to help protect the Lido smart contracts. The goal of the vault is to incentivize responsible vulnerability disclosure for Lido. Liquidity can be added (with $LDO, $stETH and/or yield-bearing tokens) permissionlessly, and LPs will be rewarded with $HAT tokens once the liquidity mining program is launched.

# Motivation

Hats.finance is an on-chain decentralized bug bounty platform specifically designed to prevent crypto-hack incidents by offering the right incentives. Additionally, Hats.finance allows anyone to add liquidity to a smart bug bounty. Hackers can disclose vulnerabilities responsibly without KYC and be rewarded with scalable prizes and NFTs for their work.

Smart bug bounty programs are a win-win for everyone. They can be created easily with a few on-chain transactions (it takes less than 1 hour to set up a vault on Hats) and are free of charge. Hats will only charge a fee once an incident has been successfully mitigated: the protocol will retain 10% of the payout as a fee from the security researcher. Exploit scenarios are far more costly and can cause irreversible damage. More importantly, the bounty program is transparent, decentralized, and gives power to the community of the project.

On-chain submission:

With the values of Ethereum, which are lighting our way, we decided to take a different approach to bug bounty compared to the traditional and centralized bug bounty platforms.

The submitter writes a detailed vulnerability description on the Hats dApp. The submission is encrypted with the project's PGP key. The dApp automatically hashes the encrypted description, and the user sends a transaction on-chain with that hash (only the hash of the encrypted report goes on-chain) while sending the encrypted message to the routing bot.

The tx fee acts as a spam filter and can be set to a higher value (in the future).

The routing bot verifies that the hash of the encrypted message was published on-chain and publishes the encrypted message to the committee group, together with a link to an open-source front-end tool (part of the Hats dApp) to decrypt the messages, which are stored on IPFS.

# Specification

In case the proposal gets accepted, Lido is expected to:

1. Choose and set up a committee

2. Vote for the DAO participation amount

Onboarding action items:

  • Choosing a committee: The committee is preferably the public multisig contract of Lido or a multisig specifically set up to manage the bounty program.
  • The committee's responsibilities:
    • Triage incoming vulnerability reports/claims from auditors/hackers (get back to the reporter within 12 hours).
    • Approve claims within a reasonable time frame (max. of 6 days).
    • Set up repositories and contracts under review (a list of all contracts covered by the bounty program, separated by severity).

# Rationale
The key advantages of the Hats solution compared to traditional, centralized bug bounty services:

  • Bug bounty vaults are loaded with the native or yield-bearing token of each project, reducing the free-floating supply while giving the token additional utility.
  • Scalable bounty network: vault TVL increases with the success / token appreciation of the project.
  • Open and permissionless: anyone can participate in the protection of an asset they are a stakeholder of, and any hacker, anywhere in the world, can participate anonymously when disclosing exploits (no KYC needed).
  • In the future, when providing liquidity (taking risk), every depositor could earn $HAT tokens.
  • Continuous: as long as tokens are locked in the vault, hackers are incentivized to disclose vulnerabilities through Hats instead of exploiting the project.

Additional advantages of deploying the existing Lido bug bounty program on Hats Protocol:

  • Lido can reach out to many more security researchers (aka white hat hackers) with a bounty on Hats Protocol, and each additional review will make Lido safer.
  • Lido can fund the bug bounty vault on Hats with its own native token ($LDO, $stETH or any other yield-bearing token).
  • The bounty reward for the submitter is not paid all at once, to reduce the price pressure on the project token.

Since Lido DAO will be farming $HAT tokens with its bounty (after TGE), it's a cost-negative opportunity for Lido DAO.
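The on-chain submission flow described in the proposal (hash of the encrypted report committed on-chain, ciphertext delivered off-chain, routing bot checks the two agree before forwarding to the committee) is easier to reason about as code. The following is an added illustration, not code from Hats Finance or Lido: it models the chain as an in-memory list, treats the PGP ciphertext as opaque bytes, uses SHA-256 as the commitment hash, and assumes a minimum submission fee, all of which are constructed assumptions rather than the protocol's actual parameters.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed, simplified model of the submission flow described in the proposal.
# Assumptions (not the real protocol): the chain is an in-memory list, the report
# ciphertext is opaque bytes produced by the project's PGP key, SHA-256 is the
# commitment hash, and the spam-filter fee threshold is a placeholder value.
MIN_SUBMISSION_FEE_WEI = 10_000_000_000_000_000  # placeholder: 0.01 ETH


@dataclass
class OnChainSubmission:
    submitter: str
    report_hash: str  # hex digest of the encrypted report; the only thing on-chain
    fee_wei: int


@dataclass
class SimulatedChain:
    submissions: list = field(default_factory=list)

    def submit_hash(self, submitter: str, report_hash: str, fee_wei: int) -> None:
        self.submissions.append(OnChainSubmission(submitter, report_hash, fee_wei))


def hash_encrypted_report(ciphertext: bytes) -> str:
    """Commitment published on-chain: a digest of the ciphertext, never the report."""
    return hashlib.sha256(ciphertext).hexdigest()


def submit_report(chain: SimulatedChain, submitter: str, ciphertext: bytes, fee_wei: int) -> str:
    """Submitter side: commit the hash on-chain and return it for the off-chain delivery."""
    report_hash = hash_encrypted_report(ciphertext)
    chain.submit_hash(submitter, report_hash, fee_wei)
    return report_hash


class RoutingBot:
    """Receives the ciphertext off-chain and forwards it only if the chain vouches for it."""

    def __init__(self, chain: SimulatedChain, min_fee_wei: int = MIN_SUBMISSION_FEE_WEI):
        self.chain = chain
        self.min_fee_wei = min_fee_wei
        self.forwarded = set()  # hashes already routed, so a replayed message is not forwarded twice

    def verify(self, ciphertext: bytes):
        """Return (accepted, reason). The bot never decrypts; it only checks the commitment."""
        report_hash = hash_encrypted_report(ciphertext)
        matches = [s for s in self.chain.submissions if s.report_hash == report_hash]
        if not matches:
            # Either no transaction was sent, or the ciphertext was altered in transit.
            return False, "no on-chain commitment matches this ciphertext"
        if all(s.fee_wei < self.min_fee_wei for s in matches):
            # The transaction fee is the spam filter the proposal describes.
            return False, "submission fee below the spam-filter threshold"
        if report_hash in self.forwarded:
            return False, "duplicate: already routed to the committee"
        self.forwarded.add(report_hash)
        return True, "forwarded encrypted report to the committee"


if __name__ == "__main__":
    chain = SimulatedChain()
    bot = RoutingBot(chain)
    # Constructed stand-in for a PGP-encrypted report (opaque bytes).
    ciphertext = b"-----BEGIN PGP MESSAGE-----\nconstructed ciphertext\n-----END PGP MESSAGE-----"
    submit_report(chain, "0xSubmitterPlaceholder", ciphertext, MIN_SUBMISSION_FEE_WEI)
    print(bot.verify(ciphertext))          # accepted
    print(bot.verify(ciphertext))          # rejected: duplicate
    print(bot.verify(ciphertext + b"x"))   # rejected: no matching commitment
```

The point of the split is that nobody in the path, including the bot, needs the plaintext: the chain records that a submission happened and which ciphertext it belongs to, and the committee alone holds the key to read it.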

gm gm, @Fav_Truffe of Hats.Finance!

Lido DAO protocols have bounties on Immunefi: Lido on Ethereum, Lido on Polygon, Lido on Solana.

I would argue the main utility of the bounty program stems from it:

  1. being the well-known "go-to" across the whitehat community;
  2. having a track record as a secure vehicle to manage highly sensitive data;
  3. being a known and trusted arbiter of contentious situations, should they arise.

I can't say that having the rewards vault on-chain is the main pain point for the current solutions across the industry.

As maintaining two bounties is both 1) extra risk and 2) extra workload for Contributors, I don't see either migrating to the Hats.Finance platform or having two bounties in parallel as a solution improving the actual security of Lido DAO protocols on different chains.


GM GM sir! Thanks a lot for taking the time to reflect :green_heart:

Hats Finance is very well-known in security space as well even if not that much known in DeFi.

Since Hats Finance has an encrypted communication mechanism between the security researcher and project teams, there is no need to rely on a third party’s track record of being a secure vehicle. Nobody, including the Hats team, can see the vulnerability reports.

Hats Finance is using Kleros court as the specialized/decentralized third party arbitration court and this is quite well-received by both the projects and security researchers (from the game theory perspective).

In my humble opinion, Lido Finance, as the market leader in LSDFi, should be at the forefront to support decentralization ethos. I am of the opinion that it would contribute a lot to the wider ecosystem if Web3 projects, especially top-notch ones like Lido Finance, would prioritize Web3 native products over centralized/Web2 alternatives. This does not mean that Lido Finance should use Hats Finance only because we are decentralized. As for more differences; bug bounty vaults on Hats Finance are open to everybody. Accordingly, investors, DAO members, community members, etc. can deposit to the vault and top up the bounty amount (make it more incentivizing for security researchers).

Secondly, Hats Finance is on-chain and therefore the submissions require a transaction fee. This fee itself acts as a spam filter, but if deemed not enough, Lido Finance can increase the fee to submit a report to create a paywall (to increase the efficiency of the spam filter). This is very important because it's widely known that some web2 bug bounty companies are paying some security researchers to submit reports (to sell triage service to the projects).

Thirdly, Lido DAO can potentially farm $HAT tokens (after TGE) with its bug bounty vault.

Fourthly, there is not any monthly/quarterly/yearly fee to host the bug bounty program on Hats.

Fifthly, Hats Finance, as a decentralized protocol, is anon-friendly. Considering the fact that white hatting might be troublesome in some countries and some white hats are very sensitive about their privacy, Hats has the capability to target more security researchers.

What do you mean by extra risks?

As highlighted above, Hats Finance has a built-in spam protection filter. I do not believe that out-of-scope vulnerability reports will cause extra workload, and even if this happens, you can always increase the paywall amount. As for the vault set-up, it takes less than 30 minutes to set up an on-chain bug bounty vault on Hats Protocol. Since we are not a Web2 firm and we are on-chain and permissionless, you will not be required to sign hundreds of pages of papers.

Appreciate all the comments @kadmil! Looking forward to hearing more from you. :slight_smile: