Project Name: Hats Finance
I understand that I will be required to provide additional KYC information to the Optimism Foundation to receive this grant: Yes
L2 recipient address: TBD
Grant category: Governance Fund Phase 1
Is this proposal applicable to a specific committee? Yes, Tooling Committee
Project description: Hats Finance is the first on-chain bug bounty protocol that includes and incentivizes all stakeholders (token incentives awaiting the TGE) to contribute to the security of Web3 products. Hats offers a proactive, incentive-based protocol for white hat hackers and auditors, where DAOs, companies, community members, and stakeholders can add liquidity to bug bounties to encourage responsible disclosure and be rewarded in return. When hackers are incentivized satisfactorily with high bounties, it becomes all the more likely that they will act responsibly and disclose vulnerabilities instead of exploiting them. Accordingly, projects using the Hats bug bounty protocol add a layer of security that reduces the possibility of being hacked and protects all stakeholders from the destructive consequences of such exploits. The unfortunate reality is that we will never achieve mainstream crypto adoption if people do not feel secure while using Web3 products (e.g. on Optimism). Our protocol enables collective responsibility for increasing actual and perceived security through the creation of scalable bug bounty vaults that can be funded using stablecoins or any other on-chain asset. Additionally, the Hats protocol is designed to be part of the public goods infrastructure of Web3. We believe in providing a security primitive that is composable and allows community participation. Now is the right time to deploy this kind of infrastructure to rollups and support the creation of an ecosystem on L2s by reducing the risk of exploits that harm projects and retail users alike.
Ofir Perez, Head of Growth - Twitter
Jelle Gerbrandy, Head of Solidity - Github
Carlos Fontes, Front-End - Github
Please link to any previous projects the team has meaningfully contributed to:
Shay Zluf - Shay is Hats' lead dev and Hats visionary. Shay is an Ethereum OG and can best be described as a decentralizer of the ecosystem and an incentivizer of desired outcomes. He was also part of the "Prysmatic Labs" team developing the Ethereum 2.0 client.
Relevant usage metrics:
- 26 Bounty Vaults
- $1.7m TVL
- 25% of TVL from the community
- Strong growth in the community of security researchers
Competitors, peers, or similar projects:
- Hats bug bounty vaults are loaded with the project's native token, stablecoins, or yield-bearing tokens (supported in V2), thus reducing the free-floating supply while giving the token additional utility.
- Scalable bounty network — vault TVL increases with the project’s success.
- Open & Permissionless —
  - Anyone can participate in the protection of an asset (Optimism ecosystem projects, their community members, and OP users).
  - Any hacker can participate anonymously when disclosing exploits (no KYC needed).
  - In the future, every depositor could earn rewards when providing liquidity.
- Continuous protection — As long as tokens are locked in the vault, hackers are incentivized to disclose vulnerabilities through Hats instead of hacking.
Is/will this project be open sourced?: Yes. Everything is already open source.
Optimism native?: No.
Date of deployment/expected deployment on Optimism: TBD - We expect to be deployed on Optimism early-mid February.
Ecosystem Value Proposition:
Direct losses from hacks and exploits exceeded $15b in the past two years, and over $3b has been stolen by hackers this year alone. Unlike audits (which are confined to a specific time period), bug bounty programs provide a continuous layer of security to identify smart contract bugs and keep users safe. We request 200k $OP tokens to incentivize $OP ecosystem projects to create a bug bounty vault on the Hats protocol and so take an ongoing, on-chain security precaution. In contrast to the Hats protocol, the other bug bounty solutions offered today run counter to the Optimism values of decentralization, permissionlessness, open source, and accessibility to all. Additionally, there is currently no other bug bounty protocol incentivizing all stakeholders (teams, investors, DAOs, community members, node operators, etc.) to help protect their projects and the underlying infrastructure against exploits and hacks. We believe that Optimism taking the initiative to incentivize the on-chain and ongoing security efforts of OP ecosystem projects will be an innovative and distinctive approach for a network to adopt.
Hats.finance is an on-chain decentralized bug bounty platform designed to prevent crypto-hack incidents by offering the right incentives. Additionally, Hats.finance encourages community participation allowing anyone to add liquidity to a smart bug bounty. Hats also allows hackers to responsibly disclose vulnerabilities without KYC and be rewarded with scalable prizes and NFTs for their work.
Smart bug bounty programs are a win-win for everyone. They can be created easily with a few on-chain transactions (it takes around 1 hour to open a vault on Hats), and setting them up is free of charge. Bug bounty programs do not cost anything unless a vulnerability is discovered, and a vulnerability would be far more costly and irreversible once exploited. More importantly, a bug bounty at Hats is transparent and decentralized, and gives power to the community behind the project.
Security underlies the technology of smart contracts, and we strongly believe the future of cybersecurity depends on aligned incentives. We are taking leadership in relation to these principles by creating a decentralized bug bounty marketplace that creates the right incentives for all of its participants.
We are already working with a variety of protocols today, from Liquity to DXdao, securing their protocols using the Hats smart contracts. We are in the final stages of developing Hats V2, and would love to work with, and host bug bounties for Optimism ecosystem projects.
As seen in the charts above, Optimism ecosystem projects would be required to select and set up a committee for the bug bounty vault.
The committee's responsibilities:
- Triage incoming vulnerability reports/claims from auditors/hackers (get back to the reporter ASAP and ideally within 12 hours)
- Approve claims within a reasonable time frame (Max. of 6 days)
- Set up repositories and contracts under review (A list of all contracts covered by the bounty program separated by severity)
Has your project previously applied for an OP grant?: No
Number of OP tokens requested: 200k
Did the project apply for or receive OP tokens through the Foundation Partner Fund?: No
If OP tokens were requested from the Foundation Partner Fund, what was the amount?: NA
How much will your project match in co-incentives? (not required but recommended, when applicable): Hats will match the incentives but the exact amount cannot be disclosed prior to the TGE for multiple reasons.
Proposal for token distribution:
200k $OP tokens are used to incentivize depositors (including project DAOs, investors, community members, and audit firms) to the vaults.
Hats and OP tokens will be rewarded in a hybrid liquidity mining scheme to LPs of bug bounties. The rewards should be allocated to the different bounties based on quadratic market capitalization, quadratic TVL, and the amount of liquidity provided by the responsible DAO. If the liquidity incentives are deployed before the $HAT TGE has taken place, the initial phase will be rewarded only in OP tokens.
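The allocation rule above names three factors but not how they are combined. The Python below is an added illustration, not Hats' own code or formula, of one assumed reading: square-root weighting for market capitalization and TVL, linear weighting for DAO-provided liquidity, the three factor shares averaged with equal weight, and an integer OP budget split with largest-remainder rounding so the allocations sum exactly to the budget. The vault figures are constructed, and the equal factor weights are an assumption. It also computes the plain linear split so the reader can see why square-root ("quadratic") weighting gives smaller vaults a larger relative share than their raw size would.

```python
import math

# Constructed sample vaults (illustrative numbers, not real Hats vaults).
# Figures are in USD; "dao_liquidity" is the part of TVL deposited by the
# project's own DAO, which the proposal lists as a separate factor.
VAULTS = {
    "vault-a": {"market_cap": 100_000_000, "tvl": 1_000_000, "dao_liquidity": 500_000},
    "vault-b": {"market_cap": 25_000_000, "tvl": 250_000, "dao_liquidity": 250_000},
    "vault-c": {"market_cap": 4_000_000, "tvl": 40_000, "dao_liquidity": 0},
}

# Assumption: each factor is first turned into a share of the total across
# vaults, then the three shares are averaged with equal weight.
FACTOR_WEIGHTS = {"market_cap": 1 / 3, "tvl": 1 / 3, "dao_liquidity": 1 / 3}


def _shares(vaults, key, transform):
    """Each vault's share of sum(transform(vault[key])) over all vaults."""
    scored = {name: transform(v[key]) for name, v in vaults.items()}
    total = sum(scored.values())
    if total == 0:
        return {name: 0.0 for name in vaults}
    return {name: s / total for name, s in scored.items()}


def _combine(by_factor, vaults):
    """Weighted average of the per-factor shares for every vault."""
    return {
        name: sum(FACTOR_WEIGHTS[f] * by_factor[f][name] for f in FACTOR_WEIGHTS)
        for name in vaults
    }


def quadratic_shares(vaults):
    """Reward share per vault: sqrt-weighted market cap and TVL, linear DAO liquidity."""
    by_factor = {
        "market_cap": _shares(vaults, "market_cap", math.sqrt),
        "tvl": _shares(vaults, "tvl", math.sqrt),
        "dao_liquidity": _shares(vaults, "dao_liquidity", lambda x: x),
    }
    return _combine(by_factor, vaults)


def linear_shares(vaults):
    """Same averaging without the square root, for comparison only."""
    identity = lambda x: x
    by_factor = {
        "market_cap": _shares(vaults, "market_cap", identity),
        "tvl": _shares(vaults, "tvl", identity),
        "dao_liquidity": _shares(vaults, "dao_liquidity", identity),
    }
    return _combine(by_factor, vaults)


def allocate_op(vaults, budget):
    """Split an integer token budget by quadratic share, largest-remainder rounding."""
    raw = {name: budget * s for name, s in quadratic_shares(vaults).items()}
    alloc = {name: math.floor(x) for name, x in raw.items()}
    leftover = budget - sum(alloc.values())
    # Hand the remaining whole tokens to the vaults with the largest fractional parts.
    for name in sorted(raw, key=lambda n: raw[n] - alloc[n], reverse=True)[:leftover]:
        alloc[name] += 1
    return alloc


if __name__ == "__main__":
    quad, lin = quadratic_shares(VAULTS), linear_shares(VAULTS)
    for name, tokens in allocate_op(VAULTS, 200_000).items():
        print(f"{name}: {tokens:>7} OP  quadratic {quad[name]:.1%}  linear {lin[name]:.1%}")
```

Running it shows the smallest vault receiving roughly 7.8% of the budget under the square-root rule against about 2.1% under plain linear weighting, which is the dampening effect that makes a quadratic scheme less dominated by the one or two largest projects.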
How will this distribution incentivize usage and liquidity on Optimism?
- Generate more trust in the Optimism ecosystem security
- Mitigate events that will harm user adoption and the reputation of the ecosystem
- Bring the attention of a valuable target audience: Developers & Security Researchers
- Give governance tokens on Optimism more utility
- Stake to increase security
- Stake to farm yield
- Decrease the free-floating supply of the respective governance tokens
Why will the incentivized users and liquidity remain after incentives dry up?
- Increasing security will give more users the trust they need to use the optimistic rollup.
- Users that get burned by an exploit are unlikely to stay active participants in the crypto space.
- Bug bounties are not necessarily aimed at rogue yield farmers, since the risk/return profile only makes sense for market participants that already have a vested interest, such as builders, long-term aligned community members, and users with locked assets. In other words, rewards will get channeled into the right hands.
Over what period of time will the tokens be distributed?
We plan to run our own liquidity mining scheme over a period of two years.
How much will your project match in co-incentives?
We plan to incentivize based on the number of vaults. The goal is to reach a sufficient bounty size for each project.