Bug Bounty Vault Proposal by Hats Finance

Fei Protocol <> Hats.finance: Proactive security for smart contracts

This is a proposal for Fei Protocol to collaborate with Hats.finance to create a hacker/auditors incentive pool to protect the Fei Protocol contracts.

The goal of the vault is to incentivize vulnerability disclosure for Fei Protocol smart contracts while farming rewards in the form of hats tokens.

Overview

Hats Finance is a proactive incentive protocol for white hat hackers and auditors, where projects, community members, and stakeholders incentivize protocol security and responsible disclosure.

Hats creates scalable security vaults using the project’s own token. The value of the bounty increases with the success of the token and project. In addition, NFT artists have pledged assistance and will create numerous unique NFTs that will be minted for hackers or auditors who responsibly disclose vulnerabilities.

Hats.Finance offers every participant in the Ethereum ecosystem the opportunity to have some skin in the game and create a more secure future for the users of #Ethereum.

Hats.finance mechanism:

  • Smart contracts are continuously offering a bounty in the form of their value or the value that is locked by them. Extracting this value in a malicious manner causes more harm to the ecosystem than the size of the extracted value.
  • Incentivize continuous audit for smart contracts
  • Hacks and exploits have an effect on the adoption of all smart contracts and the ecosystem itself. Ecosystem adoption is boosted when we can reduce this risk.
  • The future of the economy is being withheld by the forces who try to hack it. Hats.Finance incentivizes both parties to collaborate towards the success of the ecosystem.

Benefit:

Project coverage:

  • 24/7 audits on your protocol with a proactive approach that incentivizes hackers to disclose vulnerabilities instead of hacking
  • A disclosed vulnerability means no TVL / token loss
  • PR of a vulnerability becomes a strength to the project.
  • Attract more users to the “strong and secure protocol”

Token value:

  • Token staked in vault → Token with higher security guarantees.
  • Another yield farming option.
  • One-sided yield farming based on your token

Committee:

The main incentive of a committee to triage reports is the potential to rescue user funds and protocol reputation. In addition, Hats has two incentive mechanisms in place:

  • Each call to the approve function (confirmation of an exploit that was resolved by the project committee) triggers a split function that sends part of the reward (default 5%) to the committee for triaging the issue and solving it in a responsible manner.
  • Each exploit claim has an ETH-denominated fee attached. This fee is intended to reduce exploit report spam and incentivize report triage by committees. The fees are transferred to the Hats governance wallet in order not to expose the project that was reported, and will be transferred to the respective committees from time to time upon receipt of disclosure descriptions that correspond to the hash of the vulnerability on-chain.

Project community / Token holders:

  • Join the effort to secure the ecosystem.
  • Financial incentive in the form of Yield farming (on liquidity mining program launch)
  • Protect their own project token by sacrificing a portion of their token holdings, to make their holding more secure. By doing that, get $HAT (on liquidity mining program launch)

Hacker/Auditors:

  • Fungible funds - no need to move the funds into mixers
  • Incentivized by the big prize, less than what they could hack, but still a meaningful amount.
  • Play black hat rules and get a white hat attitude.
  • Easier to disclose vulnerability than to exploit it
  • No KYC
  • Reputation and notoriety as a proficient hacker
  • Be good, do good for the community

Vault size:

When you incentivize hackers with a big bounty, you drive attention to secure your protocol. Because the bounty is a relative portion of the vault, the more value the vault holds, the larger the prize. A ballpark starting number at $0.1m-$1m for a critical bug will draw significant attention from potential hackers or auditors.

Hats audit and security measures:

Hats contracts have been audited by Zokyo, and 2 more audits have been done internally. All issues have been fixed to the satisfaction of the auditors.

Proposal action items:

  • Decide on Collaboration with Hats.Finance
  • Choose and set up a committee
  • Vote for the DAO participation amount (how much $Token will be used from the treasury)

Onboarding action items:

  • Choose committee: the committee is preferably the existing Fei Protocol Multisig.
  • Committee responsibility:
    1. Triage auditors’/hackers’ reports/claims.
    2. Approve claims within a reasonable time frame (max of 6 days)
    3. Set up repositories and contracts under review (list of all contracts under the bounty program and their severity)
    4. Be responsive via its Telegram bot.
  • DAO process: proposal / voting / announcement
  • Dev team process: committee setup
    • Share the PGP public keys, using Hats committee tools or otherwise.
    • Share Twitter or GitHub accounts of the committee members
    • Share a link to the deployed contracts that will be covered under the program.
    • Share a Multisig address of the committee members (Rinkeby and Mainnet).
    • Committee due diligence: the token contract deployer signs a message with Etherscan
    • Hats governance sets the emission rate for the Fei Protocol vault.
  • Project and users deposit funds

Useful links:

Would love to get the discussion going and get feedback on the proposal.

Thank you!
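To make the two committee incentives in the proposal concrete (the default 5% committee share taken on approve, and the ETH-denominated claim fee parked with governance until a disclosure matching the on-chain hash arrives), here is an added illustrative model. It is not Hats.finance’s contract code; the vault, claim and ledger names are assumptions, and stdlib sha3_256 stands in for keccak256.

```python
import hashlib
from dataclasses import dataclass, field

COMMITTEE_SHARE_BPS = 500  # default 5% committee share, in basis points


def disclosure_hash(description: str) -> str:
    # Stand-in for keccak256: hashlib.sha3_256 is NIST SHA3, not Ethereum's keccak,
    # but it plays the same role here (binding a claim to a still-private report).
    return hashlib.sha3_256(description.encode()).hexdigest()


@dataclass
class Claim:
    reporter: str
    commitment: str  # hash of the private disclosure, posted on-chain with the claim
    fee_wei: int     # ETH-denominated anti-spam fee paid with the claim


@dataclass
class BountyVault:  # hypothetical model, not the Hats vault contract
    token_balance: int            # project tokens staked in the vault
    claim_fee_wei: int
    committee: str
    governance: str               # Hats governance wallet that custodies fees
    claims: dict = field(default_factory=dict)
    tokens: dict = field(default_factory=dict)  # token payouts per address
    eth: dict = field(default_factory=dict)     # ETH fee balances per address
    next_id: int = 1

    def submit_claim(self, reporter: str, commitment: str, fee_wei: int) -> int:
        if fee_wei < self.claim_fee_wei:
            raise ValueError("claim fee too low")  # fee deters exploit report spam
        # Fee is parked with governance so the reported project is not exposed.
        self.eth[self.governance] = self.eth.get(self.governance, 0) + fee_wei
        cid, self.next_id = self.next_id, self.next_id + 1
        self.claims[cid] = Claim(reporter, commitment, fee_wei)
        return cid

    def approve(self, claim_id: int, reward: int, description: str) -> dict:
        """Committee confirms a resolved exploit: split the reward, release the fee."""
        claim = self.claims.pop(claim_id)
        if disclosure_hash(description) != claim.commitment:
            raise ValueError("disclosure does not match on-chain hash")
        if reward > self.token_balance:
            raise ValueError("reward exceeds vault balance")
        committee_cut = reward * COMMITTEE_SHARE_BPS // 10_000
        self.token_balance -= reward
        self.tokens[claim.reporter] = self.tokens.get(claim.reporter, 0) + reward - committee_cut
        self.tokens[self.committee] = self.tokens.get(self.committee, 0) + committee_cut
        # Matching disclosure received: governance forwards the parked fee to the committee.
        self.eth[self.governance] -= claim.fee_wei
        self.eth[self.committee] = self.eth.get(self.committee, 0) + claim.fee_wei
        return {"reporter": reward - committee_cut, "committee": committee_cut}
```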

Hey Fei tribe members,
My name is Ofir, from the Hats.finance growth team.
It’s great to see the activity in the forum.
@Fav_Truffe thank you for raising this topic and adding the proposal.

Hats.finance is a decentralized bug bounty protocol that allows anyone to add liquidity to a smart bug bounty while farming $HATS. Hackers can responsibly disclose vulnerabilities without KYC & be rewarded with scalable prizes & NFTs for their work.

Smart bug bounty programs are a win-win for everyone. They can be created easily with a few on-chain transactions, and do not cost anything unless a vulnerability is discovered, which would be more costly and irreversible once exploited. More importantly, they are transparent, decentralized, and give power to the community behind the project.

I would love to answer questions about the Fei <> Hats collaboration; please tag me.