[DRAFT][GF: Phase 1 Proposal] Hats Finance [ARCHIVED ORIGINAL]

Project Name: Hats Finance

Author Name and Contact Info: Fav Truffe Twitter & Oliver Hörr Twitter/Linkedin

I understand that I will be required to provide additional KYC information to the Optimism Foundation to receive this grant: Yes

L2 recipient address: TBD

Grant category: Governance Fund Phase 1

Is this proposal applicable to a specific committee? Yes, Tooling Committee

Project description: Hats Finance is the first on-chain bug bounty protocol that includes and incentivizes all stakeholders (token incentives awaiting the TGE) to contribute to the security of Web3 products. Hats offers a proactive incentive-based protocol for white hat hackers and auditors, where DAOs, companies, community members, and stakeholders can add liquidity to bug bounties to encourage responsible disclosure and be rewarded in return. When hackers are incentivized satisfactorily with high bounties, it becomes all the more likely they will act responsibly and disclose vulnerabilities instead of exploiting them. Accordingly, projects using Hats bug bounty protocol add a layer of security that reduces the possibility of being hacked and protects all stakeholders from the destructive consequences of such exploits. The unfortunate reality is that we will never archieve mainstream crypto adoption if people do not feel secure while using web3 products (e.g. on Optimism). Our protocol enables collective responsibility for increasing actual and perceived security through the creation of scalable bug bounty vaults that can be funded using stable coins or any other on-chain asset. Additionally, Hats protocol is designed to be part of the public goods infrastructure of Web3. We believe in providing a security primitive that is composable and allows community participation. Now is the right time to deploy this kind of infrastructure to roll-ups and support the creation of an ecosystem on L2s by reducing the risk of exploits that harm projects and retail users alike.

Project links:

Hats contracts 1 , Hats Audit , Hats tokenomics , DeFisafety report

Additional team member info:
Shay Zluf, CTO, and Hats Architect - Twitter GitHub

Ofir Perez, Head of Growth - Twitter

Jelle Gerbrandy, Head of Solidity - Github

Carlos Fontes, Front-End - Github

Please link to any previous projects the team has meaningfully contributed to:

Shay Zluf, - Shay is Hats’ lead dev and Hats visionary. Shay is an Ethereum OG and can be best described as a decentralizer of the ecosystem and incentivizer of desired outcomes. He was also part of the “Prysmatic Labs” team developing the Ethereum 2.0 client.

Relevant usage metrics:

  • 26 Bounty Vaults
  • $1.7m TVL
  • 25% of TVL from the community
  • Strong growth in the community of security researchers

Competitors, peers, or similar projects:

The key advantage of Hats Protocol vs. the traditional, centralized bug bounty services are:

  • Hats bug bounty vaults are loaded with the native token, stablecoins, or yield-bearing token (Support in V2) of the project thus reducing the free-floating supply while giving the token additional utility.
  • Scalable bounty network — vault TVL increases with the project’s success.
  • Open & Permissionless —
    • Anyone can participate in the protection of an asset (Optimism ecosystem projects, their community members, and OP users).
    • Any hacker can participate anonymously when disclosing exploits (no KYC needed).
  • In the future, every depositor could earn rewards when providing liquidity.
  • Continuous protection — As long as tokens are locked in the vault, hackers are incentivized to disclose vulnerabilities through Hats instead of hacking.

Is/will this project be open sourced?: Yes. Everything is already open source.

Optimism native?: No.

Date of deployment/expected deployment on Optimism: TBD - We expect to be deployed on Optimism early-mid February.

Ecosystem Value Proposition:

Direct losses from Hacks and Exploits exceeded $15b in the past two years and over $3b has been stolen by hackers this year alone. Unlike audits (which are confined to a specific time period), bug bounty programs provide a continuous layer of security to identify smart contract bugs and keep users safe. We request 200k $OP tokens to incentivize $OP ecosystem projects to create a bug bounty vault on Hats protocol to take an ongoing and on-chain security precaution. In contrast to Hats’ protocol, other bug bounty solutions offered today run counter to Optimism values of decentralization, permissionless-ness, open-sourced and accessibility to all. Additionally, there is currently no other bug bounty protocol incentivizing all stakeholders (teams, investors, DAO, community members, node operators, etc.) to help protect their projects and the underlying infrastructure against exploits and hacks. We believe that Optimism’s taking an initiative to incentivize the on-chain and ongoing security efforts of OP ecosystem projects will be an innovative and distinguishable approach to be adopted as a network.

Hats.finance is an on-chain decentralized bug bounty platform designed to prevent crypto-hack incidents by offering the right incentives. Additionally, Hats.finance encourages community participation allowing anyone to add liquidity to a smart bug bounty. Hats also allows hackers to responsibly disclose vulnerabilities without KYC and be rewarded with scalable prizes and NFTs for their work.

Smart bug bounty programs are a win-win for everyone. They can be created easily with a few on-chain transactions (it takes around 1 hour to open a vault on Hats), and setting them up is free of charge. Bug bounty programs do not cost anything unless a vulnerability is discovered, which would be more costly and irreversible once exploited. More importantly, a bug bounty at Hats is transparent, and decentralized and gives power to the community behind the project.

Security underlies the technology of smart contracts and we strongly believe the future of cybersecurity has aligned incentives. We are taking leadership in relation to these principles by creating a decentralized bug bounty marketplace that creates the right incentives for all of its participants.

We are already working with a variety of protocols today, from Liquity to DXdao, securing their protocols using the Hats smart contracts. We are in the final stages of developing Hats V2, and would love to work with, and host bug bounties for Optimism ecosystem projects.

How Hats Bounty Program Works

As is seen at the charts above, Optimism ecosystem projects would be required to select and set up a committee for the bug bounty vault.

The Committees responsibility:

  • Triage incoming vulnerability reports/claims from auditors/hackers (get back to the reporter ASAP and ideally within 12 hours)
  • Approve claims within a reasonable time frame (Max. of 6 days)
  • Set up repositories and contracts under review (A list of all contracts covered by the bounty program separated by severity)

Has your project previously applied for an OP grant?: No

Number of OP tokens requested: 200k

Did the project apply for or receive OP tokens through the Foundation Partner Fund?: No

If OP tokens were requested from the Foundation Partner Fund, what was the amount?: NA

How much will your project match in co-incentives? (not required but recommended, when applicable): Hats will match the incentives but the exact amount cannot be disclosed prior to the TGE for multiple reasons.

Proposal for token distribution:

200k $OP tokens are used to incentivize depositors (including project DAOs, investors, community members, and audit firms) to the vault
Hats and OP tokens will be rewarded in a hybrid liquidity mining scheme to LPs of bug bounties. The rewards should be allocated to the different bounties based on Quadratic Market capitalization, Quadratic TVL, and the amount of liquidity that is provided by the responsible DAO. If the liquidity incentives will be deployed before the $HAT TGE has taken place the initial phase will be rewarded only by OP tokens.

How will this distribution incentivize usage and liquidity on Optimism?

  • Generate more trust in the Optimism ecosystem security
  • Mitigate events that will harm user adoption and the reputation of the ecosystem
  • Bring the attention of a valuable target audience: Developers & Security Researchers
  • Give governance tokens on Optimism more utility
    • Stake to increase security
    • Stake to farm yield
  • Decrease the free-floating supply of the respective governance tokens

Why will the incentivized users and liquidity remain after incentives dry up?

  • Increasing the security will give more users the required trust to use the optimistic roll-up
  • Users that get burned by an exploit are unlikely to stay active participants in the crypto space.
  • Bug bounties are not necessarily aimed at rogue yield farmers since the risk/return profile only makes sense for market participants that already have a vested interest such as builders, long-term aligned community members, and users with locked assets. In other words, wewards will get channeled into the right hands.

Over what period of time will the tokens be distributed?
We plan to run our own liquidity mining scheme over a period of two years.

How much will your project match in co-incentives?
We plan to incentivize based on the number of vaults. The goal is to reach a sufficient bounty size for each project.

8 Likes

Hey everyone, I’m the director of operations at Hats.
I just wanted to say that we at Hats really love the approach the Optimism community is taking in regard to funding public goods and infrastructure. It would be amazing if our protocol could become part of the optimism infrastructure so we can do our share to make the optimism layer and its DeFi ecosystem safer!

Currently, we are only deployed on Ethereum and we want to expand to the optimism roll-up since Optimism is the protocol we feel most aligned with.

Hacks are still one of the biggest roadblocks toward real mainstream adoption. Retail users that once got burned will lose trust in this revolution we are building. Therefore we made it our core mission to increase security for everyone by tackling incentive issues within security processes.

We are open to any kind of questions or feedback regarding the proposal.

5 Likes

although there is not much use on L1, I hope to promote ecological prosperity on L2

1 Like

Thanks for the support @lazeeeerlin! We will be doing our best to help secure OP (and ecosystem projects).

:raised_hands: :raised_hands: :raised_hands: :raised_hands: Apoyando a Hats Finance siempre!

2 Likes

Hats is a good project, which can protect contracts and assets out of attack.
hackers are important in this ecosystem, and we thought they can change their mind and do things in the right way, rather than stolen money, so hats created some valuts ,and everyone can deposit their assets in order to increase the bug bounty and in the mean while , earn some $HATS; so this is a all -win situation.

gooood project.

2 Likes

From all the bug bounty protocols/projects I know, this looks like the best-oriented in terms of transparency using almost every possible on-chain option to solve this problem.

But as others project, the off-chain encrypted communications are odd. I understand you can not disclose a white hat hacker communication as this can end up in someone else picking the hack before the solution comes in.

How can you assure the white hat hacker to be paid by the service if there’s no public information about their finding?

You say “Option 1” but I see no other options.

What does it mean 150k $OP tokens are used to fund the bug bounty vault? Will this be specifically for Optimism L2 bugs or will it cover things other protocols inside Optimism?

“50k $OP tokens are used to incentivize depositors to the vault” If I provide liquidity to the vault, am I getting OP tokens in return If optimism L2 it’s not hacked nor a bug is found?

TBH this is one of those proposals I like because it comes with a solution to a real problem and is a no-brainer in terms of use.

4 Likes

Hey Dhannte,
thanks for your questions.

Once a security researcher submits a report via our UI the report is encrypted and pinned to IFPS a hash of it is written on the chain. Later on, this helps the hacker to prove what he has submitted with a timestamp of the submission.

We are working on complete on-chain communication together with some partners but this feature will take some time until it’s viable.

The $150k of OP tokens will be used to cover the Optimism tech stack itself. The Optimism team can choose if all parts or only specific parts are covered by the bug bounty.

The $50k OP tokens are used to reward LPs of Bug Bounties in a Liquidity Mining program. This will be shared between all vaults that are deployed on the Optimism L2. We are already in talks with some projects that would like to deploy a bounty vault once we are live on Optimism.

Thanks for pointing this out. We will make the proposal clearer for the next stage!

3 Likes

Thanks for the proposal! Wanted to flag that Token House delegates are currently in a Reflection Period, which will be followed by 2 Special Voting Cycles.

This means that the next opportunity for grant proposals to be reviewed will be at the start of Season 3, which is set to begin on January 19th.

We appreciate your patience as we’re taking this time to work through some changes that we hope will improve the proposer experience in Season 3.

1 Like

Hey @lavande! Thank you very much for the heads up.

Its perfectly okay with us since we will be using this time for #buidling and working on our dApp/ Optimism integration / proposal, etc.

Looking forward to rocking in the next voting cycle :slight_smile:

Thanks for putting this proposal together. It’s exciting to see experiments with new ways to handle bug bounties.

Given that ¾ of the requested OP is to fund a bug bounty for the Optimism software stack itself, this request seems like it doesn’t belong in the Governance Fund grant program. It appears to be more of a vendor solicitation.

Optimism itself is already the subject of a $2,000,000 bug bounty program on Immunefi, so if Hats Finance wants to supplement that program, it would make a lot of sense to structure this as a non-grant proposal. I’m sure @lavande can assist you with guidelines on how to do so.

Alternatively, if the intent is to get a grant that would support Hats Finance, our general recommendation is to make the request more about the Hats Finance protocol, the unmet needs it believes it can meet on Optimism, and a clear breakdown of how a grant of OP can lead to improvements or adoption that provide positive externalities to the whole Optimism ecosystem.

3 Likes

Hey @GFXlabs! Thanks a lot for the comment and guidance.

We have edited the proposal above thanks to your comment in accordance with @lavande and @binji 's recommendations and the proposal is now targeting to incentivize OP ecosystem projects to set up a bug bounty on Hats protocol as a security precaution.

Really appreciate the help @GFXlabs :slight_smile:

2 Likes