GIP- 14: Gnosis vault on Hats.finance

  • Create vault on Hats.finance
  • Make no changes

GIP: 14
title: Hats.finance vault creation
author: Ofir Perez <sombrero@hats.finance>
status: Phase 2
type: Meta
created: 2021-9-23

Simple Summary

Following the previous forum post, this is a proposal to create a Gnosis security vault on Hats.finance. Security vaults on Hats incentivize hackers, auditors, and the community to protect the projects' and protocols' contracts by promoting responsible disclosure.

  • A committee composed of Gnosis dev leadership & security auditors is assigned as reviewers for security disclosures.

  • A Gnosis vault is initialized on the Hats.finance protocol, with defined severities and a list of covered smart contracts.

  • Community members, Gnosis Treasury, and the broad ecosystem are incentivized to deposit GNO into the vault.

  • The goal of the vault is to incentivize responsible disclosure in the case of a detected hack or exploit.

  • The dApp is live at app.hats.finance

Abstract

Hats.finance is a proactive bounty protocol for white hat hackers and auditors, where projects, community members, and stakeholders incentivize protocol security and responsible disclosure.

Hats creates scalable vaults using the project’s own token. The value of the bounty increases with the success of the token and project. In addition, NFT artists will create numerous unique NFTs specially minted for hackers and auditors who responsibly disclose vulnerabilities.

We offer every participant in the Ethereum ecosystem skin in the game to ensure a more secure future for the users of #Ethereum and smart contracts in general.

Motivation

Gnosis project:

  • 24/7 audit on your protocol with a proactive approach that incentivizes the hacker to disclose the vulnerability instead of exploiting it.

  • A disclosed vulnerability means no TVL/token loss and, most of all, no reputation loss.

  • PR of disclosure and fix becomes a strength to the project and its development team.

  • Attract more users to the “strong and secure protocol.”

  • Permissionless vault - token holders and the Gnosis community can deposit or withdraw in the same permissionless nature.

GNO value:

  • GNO staked in Hats vault increases Gnosis security guarantees

  • Staking GNO in the hat vaults reduces circulating token supply

  • One-sided yield farming based on your GNO

  • Participating in the Hats pool at this initial phase will be rewarded with extra allocation points (an extra token incentive for the first 20 projects to join). This way, the Gnosis community will have extra voting power in what could become a significant security layer of the ecosystem.

Gnosis community / GNO holders:

  • Join the effort to secure the ecosystem.

  • Financial incentive in the form of Yield farming (Protocol protection mining)

  • Protect their own project token by sacrificing a portion of their token to make their holding more secure. By doing that, get $HAT and become influential in the Hats governance process.

Specification

The hats protocol is permissionless, meaning anyone can participate and lock GNO in the Hats GNO vault. The GNO vault protects the Gnosis protocol from hacks by incentivizing responsible disclosure through the Hats protocol.

If a hacker responsibly discloses an exploit through the Hats mechanism, a portion (depending on severity) of the locked GNO tokens will go to the hacker as a reward, some vested, and some immediately.

This is a win-win situation for Hackers, the Gnosis community, and the core team.

As a GNO holder: Statistically, when a protocol suffers a hack or exploit, its token value drops between 35% and 50% in the 24 hours following the hack (Messari). It is rational to lock part of a user’s holdings to protect the rest of their holdings from a potential hack.

The hacker gets a substantial amount of fungible money, becomes famous for disclosing a critical vulnerability instead of rekt’ing the protocol and its stakeholders, and receives funds without becoming a worldwide criminal.

We found out that a crucial element that can help black hat hackers participate in protocol protection is privacy and permissionlessness.

The decentralization of the protocol is critical in order to incentivize anyone involved in the protocols to protect it: community, artist, investors, team members, & developers.

Rationale

Security underlies the technology of smart contracts; there isn’t such a thing as too much security. We think Ethereum dapps should include both our solution and others. The beauty of Hats being a fully permissionless protocol is that DAOs, treasuries, and individuals can deposit or withdraw funds from the vault at any point. Utilize idle funds for active protection with full depositor control for treasuries and users alike.

The Hats contracts are publicly verified on Etherscan and can be found by clicking “View Contracts Covered” under the Hats vault in app.hats.finance, and we are ready to onboard Gnosis GNO.

Audit and safety measures:

Audit reports

Hats is live with a Hats vault containing $100K USDC worth of tokens to incentivize responsible disclosure.

Vault funding: Not part of this GIP

The amount of funding for the Gnosis vault on Hats, by $GNO holders and GnosisDAO, is 100% controlled by you. As a community, you can choose together how important it is for you to incentivize others to make Gnosis a much safer environment. Bear in mind that funds will be released from the vault only as a result of a vulnerability disclosure. The upside from fixing issues is drastically more valuable than the financial face value of the GNO tokens that are going to be deposited.

Implementation

  • The Hats team will create the committee setup JSON file with all the open-source details we collected online.
  • The file goes to the Gnosis team for confirmation.
  • When this stage is completed, the vault will be displayed in the Hats dApp.

Gnosis Impact

Phase 2 Proposals: Please ignore this section, and leave as is. It is used for Phase 3 proposals.
Phase 3 Proposals: Replace the question in the below iframe with the relevant questionID for this GIP, then delete this paragraph. If Omen Prediction Markets have not been created for this GIP yet, or if you have any questions about retrieving the questionID, please get in touch with a forum moderator.

GnosisDAO Snapshot

Phase 2 Proposals: Please ignore this section, and leave as is. It is used for Phase 3 proposals.
Phase 3 Proposals: Add a link to the corresponding GnosisDAO Snapshot poll you’ve created.

Thank you for this proposal @Sombrero!

I support the proposal. Our code will get more attention from auditors and bugs are more likely to be discovered early on.

A few questions though:

  • In case a vulnerability is found, how is the bounty amount determined?
  • We have in addition our own bug bounty. I assume the first submission across bounty programs counts for the payout. Payouts should be structured the same across bounty programs.
  • I would suggest we start with one Gnosis project to be listed before we add all of them.

Hey @StefanGeorge , thank you for the support and your important questions.
I will try to answer them:

In case a vulnerability is found, how is the bounty amount determined?

The bounty amount is determined by the committee following the vulnerability descriptions and severities that have been pre-defined by the committee. We suggest using human-readable language for vulnerability descriptions.
In general, the committee is in charge of selecting the relevant severity when approving the claim on-chain.

We have in addition our own bug bounty. I assume the first submission across bounty programs counts for the payout. Payouts should be structured the same across bounty programs.

That’s right.
As we wrote, there isn’t such a thing as too much security.
We are aware of the internal bug bounty program of Gnosis and also the other programs you have.

We believe that the reward on Hats will be bigger than your internal bug bounty. That should give enough incentive for an auditor to initially report via Hats protocol.

In general, the Gnosis team will be able to choose to compensate the hacker through their preferred way in case it was submitted through multiple channels.

I would suggest we start with one Gnosis project to be listed before we add all of them.

Sounds great.
The covered contracts and severity descriptions are configurable.
We would love to start with covering Gnosis Safe, as we and many others in the ecosystem use it extensively.

Thank you for the clarifications. As there is no action required from GnosisDAO, I don’t think this proposal has to be voted on by GNO token holders. Eventually, a separate proposal can be made to ask GnosisDAO to add GNO to the vault.