Bug Bounty Vault Proposal by Hats Finance

TLDR:

This is a proposal for Sushi Swap to collaborate with Hats.finance, create a hacker/auditors incentive pool to protect the Sushi Swap smart contracts. The goal of the vault is to incentivize vulnerability disclosure for Sushi Swap smart contracts. Liquidity can be added permissionless and LPs will be rewarded with $HATS token once the liquidity mining program is launched.

Summary:

The direct losses from hacks and exploits between 2020-2022 are above $15B, and yet, the solutions currently being offered are not decentralized, permissionless, scalable and continuous like Sushi is.

Hats Finance:

Hats.finance is a on-chain decentralized bug bounty platform specifically designed to prevent crypto hack incidents by offering the right incentives. Additionally, hats.finance allows anyone to add liquidity to a smart bug bounty . Hackers can responsibly disclose vulnerabilities without KYC & be rewarded with scalable prizes & NFTs for their work.

Smart bug bounty programs are a win-win for everyone. They can be created easily with a few on-chain transactions (it takes around 1 hour to open a vault on hats), and is free of charge. The protocol will only charge a fee if an incident has been successfully mitigated, which would be way more costly and irreversible once exploited. More importantly, it is transparent, decentralized, and gives power to the community behind the project.

Security underlies the technology of smart contracts; there isn’t such a thing as too much security in our space. We think Ethereum dapps should include our solution and others, like Immunefi. Having said that, we strongly believe the future of cybersecurity is incentivized. We aim to lead this agenda, by creating a decentralized bug bounty marketplace that will incentivize all of its participants.

The key advantage of Hats solution on the traditional, centralized bug bounty services:

• Bug bounty vaults are loaded with the native token or yield bearing token (xSushi) of the project. Reducing the free floating supply while giving the token additional utility.
• Scalable bounty network — vault TVL increases with success / token appreciation of the project.
• Open & Permissionless — Anyone can participate in the protection of an asset they are a stakeholder of and any hacker, anywhere in the world, can participate anonymously when disclosing exploits (no KYC needed)
• In the future when providing liquidity(taking risk) every depositor could farm $HATS tokens.
• Continuous — As long as tokens are locked in the vault, hackers are incentivized to disclose vulnerabilities through Hats, instead of hacking.

Motivation

Project coverage:

• 24\7 audits on your protocol with a proactive approach that incentivizes hackers to disclose vulnerabilities instead of hacking
• A disclosed vulnerability means no TVL\ TOKEN loss
• Permissionless vault — token holders and the protocol community can deposit or withdraw in the same permissionless nature.
• Public relation regarding mitigated vulnerabilities and security becomes a strength of the project.
• Attract more users that have high security requirements

Token value:

• Token staked in vault → Token with higher security guarantees.
• In the future one-sided yield farming based on $SUSHI or $xSUSHI
• Staking tokens in the Hat vaults reduces circulating token supply

Committee:

The main incentive of a committee to triage reports is the potential to rescue users funds and protocol reputation. In addition, Hats has two incentive mechanisms in place:

• Each call to approve function (confirmation of an exploit that was resolved by the project committee) triggers a split function that sends part of the reward (default 5%) to the committee for triaging the issue and solving it in a responsible manner.
• Each exploit claim is attached with ETH denominated fees. This fee is intended to reduce the exploit report spam and incentivize report triage by committees. The fees are transferred to the hats governance wallet in order not to expose the project that was reported and will be transferred to the respected committees from time to time upon receipt of disclosure descriptions that correspond to the hash of the vulnerability on-chain. Submission fees are currently set to 0 so only tx gas costs apply.

Project community \ Token holders:

• Join the effort to secure the ecosystem of Sushiswap.
• Protect their $SUSHI by depositing a portion of their $SUSHI holding to the bug bounty vault to make their holding more secure. By doing that, depositors potentially get $HAT tokens (on liquidity mining program launch)
• Permissionless vault — token holders and the protocol community can deposit or withdraw in the same permissionless nature.

Hacker/Auditors:

• Fungible funds - no need to move the funds into mixers
• Incentivized by the big prize, less than what they could hack, but still a meaningful amount.
• Play black hat rules and get a white hat rewards.
• Easier to disclose vulnerability than to exploit it
• No KYC
• Reputation and notoriety as a proficient hacker
• Be good, do good for the ecosystem

Proposal action items:

• Decide on collaboration with Hats.Finance
• Choose and set up a committee
• Vote for DAO participation amount (How much $Sushi or $xSushi will be used from the treasury)

Onboarding action items:

• Choose committee: The committee is preferably the public multisig contract of Sushiswap or another multisig with some of the same members.

• Committee responsibility:

• Triage auditors/hackers reports/claims(get back to the reporter in 12 hours).

• Approve claims within a reasonable time frame (Max of 6 days)

• Set up repositories and contracts under review. (List of all contracts under the bounty program and their severity)

• Be responsive via its telegram group or discord channel.

Vault size:

When you incentivize hackers with a big bounty, you drive attention to secure your protocol. Because the bounty is a relative portion of the vault, the more value the vault holds, the larger the prize is. A ballpark starting number at $0.1m-$1m for a critical bug will draw significant attention from potential hackers or auditors.

$SUSHi deposit:

Vaults are opened with the native token of the project, with the one token - per vault (bug bounty) mechanism. It means that the rewards to security experts/hackers after a responsible disclosure will be in $SUSHI token. In the next few weeks, we will introduce the multiple-token options, where the SushiSwap community will also be able to deposit xSUSHI, wETH, or stable coins.

In the future when the $HAT token will be live, depositors in the bounty vaults will potentially claim the $HAT token. Anyone can join the security efforts of his beloved protocol for the first time in the crypto ecosystem. Decentralizing the traditional bug bounty will create a new way of responsibility/success sharing and a new level of trust between the community and the protocol.

Concluding Remarks

At Hats.finance, we envision a future in which the security marketplace is a standard for the crypto ecosystem. Considering how much SushiSwap cares about the security of the network and its operations, it is beyond any doubt that a bounty on Hats.finance will draw more attensionwhite hat hackers and auditors to the smart contracts of SushiSwap. Accordingly, each scrutiny will contribute to the safety and security of SushiSwap.

References

• Hats contracts
• Hats Audit
• Hats tokenomics
• DeFisafety report

We would love to see the discussion going in detail and get feedback on the proposal.

Thank you!

Hey Sushi members,
My name is Ofir, from the Hats.finance growth team.
It’s great to be here!

I would love to answer questions about Sushi <> Hats collaboration, please tag me.

Hey @maka! Meet Ofir from Hats Finance

Decentralized and permissionless security solutions are key for the growth of Decentralized Finance. However, at this moment most security solutions have centralized aspects to it. I am all about adding more security layers to protocols, especially with the recent growth of hacks.

Thanks @Fav_Truffe for the detailed proposal! Indeed sounds like a win-win. Is there any downside Sushi community need to consider when evaluating this ?

I totally see how strong and diversified bug bounty programs will become a must ingredient in any protocol security practice.

It‘s great！Hats Finance and sushiswap will be good start！go for it！

I think it is necessary to add this protection measure, and hats finance cooperation, users and project parties can add tokens to protect the project, on the one hand to reduce the circulation of tokens sushi so that the price increases, on the one hand to motivate hackers to become white hat hackers to reduce losses, and can get hats is a win-win situation.

There is no downside that i can possibly think of. In case that there is a successful vulnerability submission, a portion of the deposits in the vault will be given to the white hat hacker. Yet, this will potentially save the hack/token value’s depreciation. Accordingly, even if there is a successful vulnerability submission and a portion of the vault is given to the white hat hacker, this is still inherently positive due to the fact that protocol and token’s value are protected.

Hey @Fav_Truffe welcome to the forum.

It is clear you are bringing an impassioned community with you as well - all the comments seem to mirror nothing but support.

A few questions for you:

Can you speak more about Hats Finance? Who have you worked with in the past? How are you funded? How do you make money?

Finally - what is the role of the NFT? Is it more commemorative or does it have financial value?

Excited to learn more about your project.

Hey @fig! Thanks for taking the time to provide feedback. Indeed, we are grateful to have such an impassionate community.

Hats.finance was kicked off in late 2021 by crypto veterans with a collective net experience of decades; The dev team includes solidity security experts and react professionals.

We have over $1m in TVL from projects like UMA, Liquity, Kleros, DXdao, and more (before we started any liquidity mining).

Currently, there is no $HATs token incentive for the community to receive in return for their deposit. However, we still notice the community contributed to the TVL apart from what projects DAO deposited - we consider it as the proof of Hats concepts where the community joins the security efforts.

As a decentralized projects, Hats.Finance has led and recently concluded its own investment rounds. As for how Hats.Finance make money, 10% of the reward for each successful vulnerability submission (responsible disclosure approved by the project committee) is allocated for Hats.Finance.

The NFTs are unique in the sense that it includes the metadata regarding what/when the vulnerability submitted for which project and how much reward was collected for it.
There is no request for KYC in Hats dApp - open for everyone. We find it very important for hackers who want to stay anonymous and still act for the good of the ecosystem. Then, he can show his NFT as a badge of achievement without disclosing his identity.

I will be glad to answer any other questions.

In favor of this proposal

It would be a good move for SushiSwap to diversify its protection layers as much as possibble. I support this.

Hey Fav. If you are free, please come on the Forum today and we can discuss Hats further

Hey @tangle! Sure, thanks! What time will you be available?

15 min Forum Starts!

I could find it, thanks. Some of the teammates will be there

Hey @Tangle, @fig and @maka! I hope that you are all doing very well. I am looking forward to receiving your feedback regarding the Bug Bounty Vault Proposal by Hats Finance and It would be really helpful if you could refer your devs to provide a reflection here. Appreciated in advance