Bug Bounty Vault Proposal by Hats Finance

TLDR:

This is a proposal for Ooki Trade to collaborate with Hats.finance and create a hacker/auditor incentive pool to protect the Ooki Trade smart contracts. The goal of the vault is to incentivize vulnerability disclosure for the Ooki Trade smart contracts. Liquidity can be added permissionlessly, and LPs will be rewarded with $HAT tokens once the liquidity mining program is launched.

Summary:

The direct losses from hacks and exploits between 2020 and 2022 are above $15B, and yet the solutions currently being offered are not decentralized, permissionless, scalable and continuous like Ooki Trade is.

Hats Finance:

Hats.finance is an on-chain decentralized bug bounty platform specifically designed to prevent crypto-hack incidents by offering the right incentives. Additionally, Hats.finance allows anyone to add liquidity to a smart bug bounty. Hackers can responsibly disclose vulnerabilities without KYC and be rewarded with scalable prizes and NFTs for their work.

Smart bug bounty programs are a win-win for everyone. They can be created easily with a few on-chain transactions (it takes around 1 hour to open a vault on hats), and are free of charge. The protocol will only charge a fee if an incident has been successfully mitigated, which would be way more costly and irreversible once exploited. More importantly, it is transparent, decentralized, and gives power to the community behind the project.

Security underlies the technology of smart contracts; there isn’t such a thing as too much security in our space. We think Ethereum dapps should include our solution and others, like Immunefi. Having said that, we strongly believe the future of cybersecurity is incentivized. We aim to lead this agenda, by creating a decentralized bug bounty marketplace that will incentivize all of its participants.

The key advantages of the Hats solution over traditional, centralized bug bounty services:

  • Bug bounty vaults are loaded with the native token or yield-bearing token of the project, reducing the free-floating supply while giving the token additional utility.
  • Scalable bounty network — vault TVL increases with the success / token appreciation of the project.
  • Open & permissionless — anyone can participate in the protection of an asset they are a stakeholder of, and any hacker, anywhere in the world, can participate anonymously when disclosing exploits (no KYC needed).
  • In the future, when providing liquidity (taking risk), every depositor could farm $HAT tokens.
  • Continuous — as long as tokens are locked in the vault, hackers are incentivized to disclose vulnerabilities through Hats instead of hacking.

Motivation

Project coverage:

  • 24/7 audits of your protocol with a proactive approach that incentivizes hackers to disclose vulnerabilities instead of hacking
  • A disclosed vulnerability means no TVL / token loss
  • Permissionless vault — token holders and the protocol community can deposit or withdraw in the same permissionless manner.
  • Public relations around mitigated vulnerabilities; security becomes a strength of the project.
  • Attract more users that have high security requirements

Token value:

  • Token staked in the vault → token with higher security guarantees.
  • In the future, one-sided yield farming based on $OOKI
  • Staking tokens in the Hats vaults reduces the circulating token supply

Committee:

The main incentive for a committee to triage reports is the potential to rescue users’ funds and the protocol’s reputation. In addition, Hats has two incentive mechanisms in place:

  • Each call to the approve function (confirmation of an exploit that was resolved by the project committee) triggers a split function that sends part of the reward (default 5%) to the committee for triaging the issue and resolving it in a responsible manner.
  • Each exploit claim carries an ETH-denominated fee. This fee is intended to prevent bad actors from using the reporting function to create spam, to reduce exploit report spam, and to incentivize report triage by committees. The fees are transferred to the Hats governance wallet, so as not to expose the project that was reported, and will be transferred to the respective committees from time to time upon receipt of disclosure descriptions that correspond to the hash of the vulnerability on-chain. Submission fees are currently set to 0, so only tx gas costs apply.

Project community / token holders:

  • Join the effort to secure the ecosystem of OokiTrade.
  • Protect their $OOKI by depositing a portion of their $OOKI holdings into the bug bounty vault to make their holdings more secure. By doing so, depositors potentially get $HAT tokens (on liquidity mining program launch).
  • Permissionless vault — token holders and the protocol community can deposit or withdraw in the same permissionless manner.

Hacker/Auditors:

  • Fungible funds — no need to move the funds through mixers
  • Incentivized by the big reward prize: less than what they could hack, but still a meaningful amount.
  • Play by black hat rules and get white hat rewards.
  • Easier to disclose a vulnerability than to exploit it
  • No KYC
  • Reputation and notoriety as a proficient hacker
  • Be good, do good for the ecosystem

Proposal action items:

  • Decide on collaboration with Hats.Finance
  • Choose and set up a committee
  • Vote for DAO participation amount (How much $OOKI will be used from the treasury)

Onboarding action items:

  • Choose committee: the committee is preferably the public multisig contract of OokiTrade or another multisig with some of the same members.

  • Committee responsibilities:
      • Triage auditors’/hackers’ reports and claims (get back to the reporter within 12 hours).
      • Approve claims within a reasonable time frame (max of 6 days).
      • Set up repositories and contracts under review (list of all contracts under the bounty program and their severity).
      • Be responsive via its Telegram group or Discord channel.

Vault size:

When you incentivize hackers with a big bounty, you draw attention to securing your protocol. Because the bounty is a relative portion of the vault, the more value the vault holds, the larger the prize is. A ballpark starting number of $0.1m–$1m for a critical bug will draw significant attention from potential hackers or auditors.

$OOKI deposit:

Vaults are opened with the native token of the project, with a one-token-per-vault (bug bounty) mechanism. Therefore the community has to select one token to bootstrap their bounty, e.g. $OOKI. This means that the rewards to security experts/hackers after a responsible disclosure will be in $OOKI tokens. In the next few weeks, we will introduce multiple-token options, where the OokiTrade community will also be able to deposit other assets: OOKI, wETH, or stablecoins.

In the future, when the $HAT token is live, depositors in the bounty vaults will potentially be able to claim $HAT tokens. Anyone can join the security efforts of their beloved protocol for the first time in the crypto ecosystem. Decentralizing the traditional bug bounty will create a new way of sharing responsibility and success, and a new level of trust between the community and the protocol.

Concluding Remarks

At Hats.finance, we envision a future in which the security marketplace is a standard for the crypto ecosystem. Considering how much OokiTrade cares about the security of the network and its operations, it is beyond any doubt that a bounty on Hats.finance will draw more attention from white hat hackers and auditors to the smart contracts of OokiTrade. Accordingly, each round of scrutiny will contribute to the safety and security of OokiTrade.

We would love to see the discussion going in detail and get feedback on the proposal.

Thank you!

1 Like
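The vault mechanics the proposal describes (one token per vault, a bounty paid as a fraction of the vault, a default 5% committee split on approval, and depositors bearing the payout pro rata) as an added toy model in Python. This is illustrative code written for this page, not Hats.finance's contracts; the severity-to-fraction table is an assumption for the example, and only the 5% committee split comes from the proposal text.

```python
"""Toy model of a single-token bug bounty vault (added example, not Hats code).

Models only what the proposal states: the vault holds one token, an approved
claim pays a fraction of the vault, and part of that reward (default 5%) goes
to the committee. The remaining vault value is what depositors can withdraw,
so a payout is borne by all depositors in proportion to their shares.
"""
from dataclasses import dataclass, field
from decimal import Decimal

# ASSUMPTION for this example: fraction of the vault paid per severity.
# These are not Hats.finance's real parameters.
SEVERITY_SHARE = {
    "low": Decimal("0.02"),
    "medium": Decimal("0.10"),
    "high": Decimal("0.30"),
    "critical": Decimal("0.80"),
}
COMMITTEE_SPLIT = Decimal("0.05")  # proposal: default 5% of the reward to the committee


@dataclass
class Vault:
    token: str
    balance: Decimal = Decimal(0)                  # tokens held by the vault
    shares: dict = field(default_factory=dict)     # depositor -> share units
    total_shares: Decimal = Decimal(0)

    def deposit(self, who: str, amount) -> Decimal:
        """Permissionless deposit; mints shares pro rata to current vault value."""
        amount = Decimal(amount)
        if amount <= 0:
            raise ValueError("deposit must be positive")
        if self.total_shares == 0:
            minted = amount                        # first depositor: 1 share per token
        else:
            minted = amount * self.total_shares / self.balance
        self.shares[who] = self.shares.get(who, Decimal(0)) + minted
        self.total_shares += minted
        self.balance += amount
        return minted

    def holding(self, who: str) -> Decimal:
        """Tokens the depositor could withdraw right now."""
        if self.total_shares == 0 or who not in self.shares:
            return Decimal(0)
        return self.balance * self.shares[who] / self.total_shares

    def withdraw(self, who: str, amount) -> Decimal:
        """Permissionless withdrawal; burns the shares backing `amount` tokens."""
        amount = Decimal(amount)
        burned = amount * self.total_shares / self.balance
        if burned > self.shares.get(who, Decimal(0)):
            raise ValueError("insufficient shares")
        self.shares[who] -= burned
        self.total_shares -= burned
        self.balance -= amount
        return amount

    def approve_claim(self, severity: str) -> dict:
        """Committee approval: pays reward = vault * severity fraction,
        splits COMMITTEE_SPLIT of it to the committee, rest to the reporter."""
        reward = self.balance * SEVERITY_SHARE[severity]
        committee = reward * COMMITTEE_SPLIT
        reporter = reward - committee
        self.balance -= reward                     # shares unchanged: loss is pro rata
        return {"reward": reward, "reporter": reporter,
                "committee": committee, "remaining": self.balance}


def run_example() -> dict:
    """Two depositors, one approved critical claim, then a late depositor."""
    v = Vault("OOKI")
    v.deposit("alice", 600_000)
    v.deposit("bob", 400_000)                      # vault TVL: 1,000,000 OOKI
    payout = v.approve_claim("critical")           # 80% of vault under the assumed table
    v.deposit("carol", 100_000)                    # joins after the payout, unaffected by it
    return {
        "payout": payout,
        "alice": v.holding("alice"),
        "bob": v.holding("bob"),
        "carol": v.holding("carol"),
    }


if __name__ == "__main__":
    for k, val in run_example().items():
        print(k, val)
```

The point a depositor should take from the model is the last line of `approve_claim`: shares are untouched while the balance drops, so "providing liquidity (taking risk)" means every depositor's withdrawable amount falls by the same percentage when a claim is approved, and a larger TVL raises the prize only because the bounty is a fraction of that balance.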

Hey Ooki DAO members,
My name is Ofir, from the Hats.finance growth team.
It’s great to be here!
@Fav_truffe thank you for raising this topic and adding the proposal.

Smart bug bounty programs are a win-win for everyone. They can be created easily with a few on-chain transactions, and do not cost anything unless a vulnerability is discovered, which would be more costly and irreversible once exploited. More importantly, it is transparent, decentralized, and gives power to the community behind the project.

I would love to answer questions about Ooki <> Hats collaboration, please tag me.

1 Like

We are already insured by Tidal Finance. Someone among the DAO-hired members could give more information about it. What is the benefit of having 2 insurance funds?

1 Like

We are not insured by Tidal Finance.


1 Like

@CryptoSteve thanks for your concern. It’s an excellent opportunity to highlight that Hats Finance isn’t an insurance protocol but an on-chain bug bounty.

For now, hackers need to search for the Ooki Trade Telegram mod to contact the core team regarding the bug they found (Bug Bounty - Ooki). The proposal’s objective is to open a free on-chain bug bounty vault to encourage white hat hackers to review Ooki contracts and submit vulnerabilities instead of exploiting them.

Smart bug bounty programs are a win-win for everyone. They can be created easily with a few on-chain transactions (it takes around 1 hour to open a vault on hats), and are free of charge. The protocol will only charge a fee if an incident has been successfully mitigated, which would be way more costly and irreversible once exploited. More importantly, it is transparent, decentralized, and gives power to the community behind the project.

I hope it is clear; please feel free to tag me whenever needed.

Thanks Truffle, that sounds fairly innovative.
I’ll ensure the devs are made aware and share their thoughts on it.

1 Like

Appreciated @TheBigOok!

Hey @TheBigOok and @Frank! I hope that all is going well with you. Do you guys have any update on the proposal (especially from the devs)? Thanks^^

Hi Fav, I do not have an update. Hope the OokiDAO developers will hop in here on the governance forum to voice their opinion on your bug bounty vault proposal.

1 Like

Hey @Fav_Truffe,

As mentioned in our conversation on Discord the other day, at this stage it looks as though the DAO isn’t keen on picking this up. If that changes in future, the thread can always be revived.

Feedback from my perspective about why I don’t think it’s necessary:

The DAO already has a bug bounty program and I don’t believe the outlay here justifies the benefits over what we currently have. It did highlight the need to fix up our bug bounty which we have done.

Hey Ooki! Thanks for the update. Yet, I think your DAO deserves more clarification regarding what was wrong with your existing bug bounty, what you did to fix it, and why you think that it is bulletproof now. As you know, security cannot be neglected, and a hack/exploit has the potential to damage the DAO members substantially.

To clarify, there were not any substantial issues with the existing bug bounty. At the time you posted your proposal, it was found that some elements of it were missing from the Ooki docs, which has been amended.

In my opinion there would be room to increase the current bounty if the DAO allows the treasury to be utilised in that way; otherwise I prefer the current report > investigate > fix & reward workflow for a bounty over what Hats has on offer (as per previous comments).

What else to say: good luck :)

1 Like

Thank you for your time and effort Fav.

2 Likes