Gravity Bridge

Infrastructure

Proposal Details

Proposal #173

Passed

Proposal title

Bug Bounty Vault Proposal by Hats Finance

Submit time

Deposit end time

Voting start time

Voting end time

Tally result

76.71%

Proposal #173 description

## Summary

Proposal for Gravity Bridge to collaborate with Hats.finance to create an on-chain, free, non-custodial, scalable and permissionless incentives pool for hackers/auditors to protect the Gravity Bridge smart contracts.

## Context and Specification

Hats.finance is an on-chain decentralized bug bounty platform specifically designed to prevent crypto-hack incidents by offering the right incentives. Additionally, Hats.finance allows anyone to add liquidity to a smart bug bounty. Hackers can disclose vulnerabilities responsibly without KYC and be rewarded with scalable prizes and NFTs for their work.

Smart bug bounty programs are a win-win for everyone. They can be created easily with a few on-chain transactions (it takes less than 1 hour to set up a vault on Hats), and are free of charge. Hats will only charge a fee once an incident has been successfully mitigated. The protocol will retain 10% of the payout as a fee from the security researcher. Scenarios of an exploit are way more costly and can cause irreversible damage. More importantly, the bounty program is transparent, decentralized, and gives power to the community of the project.

On-chain submission: With the values of decentralization, which are lighting our way, we decided to take a different approach to bug bounty compared to the traditional and centralized bug bounty platforms.

1. The submitter writes a detailed vulnerability description on the Hats dApp.
2. The submission is encrypted with the project PGP key.
3. The user hashes the encrypted description (automatically) and sends a transaction on-chain with that hash (only the hash of the encrypted report goes on-chain), while sending the encrypted message to the routing bot. The tx fee acts as a spam filter and can be set to a higher value.
4. The routing bot verifies that the hash of the encrypted message was published on-chain and publishes the encrypted message to the committee group, together with a link to an open-source front-end tool, stored on IPFS and part of the Hats dApp, for decrypting the messages.

## Argument for

The key advantages of the Hats solution compared to traditional, centralized bug bounty services:

- Bug bounty vaults are loaded with the native or yield-bearing token of each project, reducing the free-floating supply while giving the token additional utility.
- Scalable bounty network: vault TVL increases with the success / token appreciation of the project.
- Open and permissionless: anyone can participate in the protection of an asset they are a stakeholder of, and any hacker, anywhere in the world, can participate anonymously when disclosing exploits (no KYC needed). In the future, when providing liquidity (taking risk), every depositor could earn $HAT tokens.
- Continuous: as long as tokens are locked in the vault, hackers are incentivized to disclose vulnerabilities through Hats instead of exploiting the project.

## Argument against

The only downside that one can claim is the loss of opportunity cost by putting the bounty amount on chain. However, DAOs can choose to fund the bug bounty with any yield-bearing token and therefore the loss of opportunity cost risk is eliminated.

## Required actions

In case the proposal gets accepted, Gravity DAO is expected to:

1. Choose and set up a committee.
2. Vote on the amount the DAO will contribute to the bug bounty program (how much $GRAV or yield-bearing assets to be used from the treasury for the initial deposit).

Onboarding action items:

Choosing a committee: The committee is preferably the public multisig contract of Gravity Bridge or a multisig specifically set up to manage the bounty program.

The committee's responsibilities:

- Triage incoming vulnerability reports/claims from auditors/hackers (get back to the reporter within 12 hours).
- Approve claims within a reasonable time frame (max. of 6 days).
- Set up repositories and contracts under review (a list of all contracts covered by the bounty program, separated by severity).

## Resources

https://linktr.ee/Hats_Finance

Hats contracts 1, Hats Audit, Hats tokenomics, DeFisafety report
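The routing-bot check from the on-chain submission flow in the proposal, as an added sketch that is not Hats code: the bot forwards an encrypted report only if the hash of the exact ciphertext bytes already appears on-chain. SHA-256, the `RoutingBot` class, the constructed placeholder ciphertext and the duplicate check are assumptions of this example; the page names neither the hash function nor any replay handling.

```python
import hashlib


def commitment(ciphertext: bytes) -> str:
    """Hash of the encrypted report: the only value that goes on-chain."""
    # Assumption: SHA-256 stands in for whatever hash the platform uses.
    return hashlib.sha256(ciphertext).hexdigest()


class RoutingBot:
    """Hypothetical bot: forwards a ciphertext only if its hash was published."""

    def __init__(self, onchain_hashes):
        self.onchain = set(onchain_hashes)  # hashes read from submission txs
        self.forwarded = set()              # hashes already sent to committee

    def route(self, ciphertext: bytes) -> str:
        h = commitment(ciphertext)
        if h not in self.onchain:
            # No paid transaction backs this message, or the ciphertext was
            # altered after hashing: either way the committee never sees it.
            return "not-on-chain"
        if h in self.forwarded:
            # Added in this sketch: one paid tx should not route many copies.
            return "duplicate"
        self.forwarded.add(h)
        return "forward"


# Constructed sample: a placeholder standing in for a PGP-encrypted report.
REPORT_CT = (
    b"-----BEGIN PGP MESSAGE-----\n"
    b"(constructed placeholder ciphertext)\n"
    b"-----END PGP MESSAGE-----\n"
)


def demo():
    bot = RoutingBot([commitment(REPORT_CT)])  # submitter's tx is on-chain
    return [
        bot.route(REPORT_CT),          # matches the published hash
        bot.route(REPORT_CT),          # same message replayed
        bot.route(REPORT_CT + b" "),   # one byte differs from what was hashed
    ]


if __name__ == "__main__":
    print(demo())
```

Because the hash covers the ciphertext bytes exactly, anything that re-encodes the message in transit (line endings, trailing whitespace) makes an honest report fail the check, so the bot has to hash what it received without normalising it.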

Proposal #173 overview

Total votes: 842
Voters: 832
Total deposit: 40,000 GRAV

Proposal #173 votes

| # | Validator | Options |
|---|---|---|
| 1 | BlockHunters 🎯 | Yes |
| 2 | KalpaTech | Yes |
| 3 | none | Yes |
| 4 | TC Network (Pls Redelegate) | Yes |
| 5 | A-gaming | Yes |
| 6 | 0base.vc | Yes |
| 7 | Pro-Nodes75 | Abstain |
| 8 | vvlovsky | Abstain |
| 9 | AVIAONE.com 🟢 | Yes |
| 10 | Citadel.one | Yes |
| 11 | [SHUTTING DOWN] AUDIT.one | Abstain |
| 12 | blitmore | Abstain |
| 13 | MCB \| mcbnode | Yes |
| 14 | Stakewolle.com \| 100% insurance | Yes |
| 15 | Weyoun | Yes |
| 16 | ☉ Mercury | Yes |
| 17 | RandomBits | Abstain |
| 18 | Please REDELEGATE | Yes |
| 19 | Redelegate | Yes |
| 20 | ✅ CryptoCrew Validators 🏆 Winner #GameOfChains | Yes |
| 21 | REDELEAGTE BEFORE OCT 20TH 2023 | Abstain |
| 22 | Crypto Lion 🦁 | Abstain |
| 23 | Cros-nest | Abstain |
| 24 | Cosmostation | Yes |
| 25 | Validators United | Yes |
| 26 | MZONDER | Yes |
| 27 | Chandra Station | Yes (50%), Abstain (50%) |
| 28 | Inter Blockchain Services | Yes |
| 29 | Projecttent | Yes |
| 30 | alkadeta | Abstain |
| 31 | SHUTTING DOWN SOON. PLEASE REDELEGATE | Yes |
| 32 | Ubik Capital | Yes |
| 33 | Chainnodes | Yes |
| 34 | Stakin | Yes |
| 35 | Tessellated | Yes |
| 36 | BigBro | Yes |
| 37 | PS350 | Yes |
| 38 | Oldcat | Yes |
| 39 | Djo | Abstain |
| 40 | x3m | Abstain |
| 41 | CosmoWiz | Abstain |
| 42 | blockscape | Yes |
| 43 | alpine staking | Yes |
| 44 | Archived validator - Please redelegate away | Yes |
| 45 | Swiss Staking | Yes |
| 46 | Winter Validator | Yes |
| 47 | 👽Stigga👽 Restake Enabled ⚡️ | Yes |
| 48 | [Sunsetting, please redelegate] Forbole | Yes |
| 49 | Active Nodes | Yes |
| 50 | linak | Yes |
| 51 | goto5k | Yes |
| 52 | Army IDs | Yes |
| 53 | axcel42-node | Yes |
| 54 | REDELEGATE_PLEASE | Yes |
| 55 | KingSuper | Yes |
| 56 | bitszn | Yes |
| 57 | Althea_scam | Yes |
| 58 | ggwp | Yes |
| 59 | Stakers | Yes |
| 60 | Bro_n_Bro | Yes |
| 61 | MaxFoton nodes | Abstain |
| 62 | DO-NOT-DELEGATE | Yes |
| 63 | IRISnet | Yes |
| 64 | pathrocknetwork | Yes |
| 65 | Architect Nodes | Yes |
| 66 | Wetez | Yes |
| 67 | polkachu.com | Yes |
| 68 | MEME-Foundation | Yes |
| 69 | LOALabs | Yes |
| 70 | Midora | Yes |
| 71 | coriander | Abstain |
| 72 | 🪐ramuchi.tech🪐 | Abstain |
| 73 | redelegate_please | Yes |
| 74 | kooltek68 | Yes |
| 75 | web34ever | Yes |
| 76 | testovich | Abstain |
| 77 | cyberG | Yes |
| 78 | Teku | Abstain |
| 79 | Cypher Core | Abstain |
| 80 | AlxVoy ⚡ ANODE.TEAM | Yes |
| 81 | Yurbason | Abstain |
| 82 | bramz \| CryptoSailors🐬 | Yes |
| 83 | ushakov | Yes |
| 84 | Nodiums | Abstain |
| 85 | OtterSync | Yes |
| 86 | wombat | Abstain |
| 87 | StakeAngle | Abstain |
| 88 | cyberomanov | Abstain |
| 89 | medium | Abstain |
| 90 | 🔥STAVR🔥 REStake ON✅ | Abstain |
| 91 | StingRay | Abstain |
| 92 | soma\|staking | Abstain |
