Gnosis <> Hats Collaboration

Overview

Hats is a decentralized cybersecurity incentive network. It is governed by its community of stakeholders – Hackers, Projects, and Token holders – to create an incentivized security market and responsible disclosure.
We are creating a scalable model that utilizes the development culture of Ethereum to help secure it.

This is a proposal (discussion) for a collaboration between Gnosis and Hats. Gnosis will become one of the first organizations to secure their smart contracts using the Hats framework.

Background

We have been designing, iterating, and actively building Hats for the past 6 months. We will launch v1 (fingers crossed) in mid-May after a few security audits.
The idea for Hats is the result of over 6 years of software development in decentralized systems and smart contracts, and a solution to personal problems we have faced as senior R&D, CTO, and communication managers when launching mainnet fund-holding contracts.

How will the collaboration work

  • Hats governance will create a bounty vault of GNO tokens; this farms Hats in the process (Security Farming).
  • The GNO vault will serve as an ongoing bounty that scales with the market cap of GNO and Gnosis.
  • The vault is a continuous incentive for hackers to actively look for bugs and exploits in Gnosis smart contracts and report them.
  • This creates an additional utility for the GNO token: securing the Gnosis smart contracts (Security Farming).

How does Hats work

  • In the case of a detected exploit, the hacker will disclose the vulnerability to the Gnosis committee, with an on-chain hash proof of the disclosure.
  • The committee, elected by the Gnosis DAO, will be composed of Gnosis core devs, security researchers, and white hat hackers; we can also use one of the Gnosis core team / dev team multisigs.
  • The committee is responsible for approving or denying the vulnerability submitted by the hacker.
  • If approved, and according to the severity, a predetermined amount of tokens will be released to the hacker as a reward.


Next steps

First – We are happy to continue the discussion and answer any questions people may have here in the forum comments below.

Practical next steps

  1. Choose a committee composed of N addresses or one of the Gnosis Multisigs.
    More information on the community setup procedure can be found here.

  2. Parameters
    All parameters below are examples.

  • Set severity levels

    • Critical – up to 70% of the vault
    • High – up to 50% of the vault
    • Medium – up to 20% of the vault
    • Low – up to 5% of the vault
    • Audit request (custom)
  • List of contract addresses

  • Priority / Vulnerabilities

  • Logic, Governance, Economic, DDoS, Oracle manipulation, Dependencies, Re-entrancy, Cryptography issues…

  • Out of scope

    • Attacks that have already been exploited
    • Access to leaked keys/credentials
    • Access to privileged addresses (governance, strategist)
    • Incorrect data supplied by third party oracles
    • Not to exclude oracle manipulation/flash loan attacks
    • Basic economic governance attacks (e.g. 51% attack)
    • Lack of liquidity
    • Best practice critiques
    • Sybil attacks

Would love to get the discussion going and get feedback on the proposal.

Thank you!

This is an introduction to Hats. We will release more info soon, but feel free to ask questions or give any feedback you may have here or in our Telegram group.
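The disclosure flow and the example severity parameters above, modelled as an added Python sketch (not Hats' own contracts or code): a hacker publishes a hash commitment of the report, the committee later checks the revealed report against it and releases a payout capped by severity. SHA-256 over salt||report, the integer basis-point arithmetic, and all class and function names are assumptions made for this illustration.

```python
import hashlib
from dataclasses import dataclass, field

# Severity caps from the proposal's example parameters, in basis points of the vault.
SEVERITY_CAP_BPS = {"critical": 7000, "high": 5000, "medium": 2000, "low": 500}


def disclosure_commitment(report: bytes, salt: bytes) -> str:
    """Hash proof the hacker publishes before sending the report to the committee.
    SHA-256 over salt||report is an assumption; the proposal only says 'hash proof'."""
    return hashlib.sha256(salt + report).hexdigest()


@dataclass
class BountyVault:
    balance: int                     # GNO tokens held by the vault (whole units)
    committee: frozenset             # addresses allowed to approve or deny a claim
    pending: dict = field(default_factory=dict)   # commitment -> submitter address

    def submit_commitment(self, submitter: str, commitment: str) -> None:
        """Step 1: record the on-chain hash proof; first submitter wins the slot."""
        if commitment in self.pending:
            raise ValueError("commitment already submitted")
        self.pending[commitment] = submitter

    def approve(self, approver: str, commitment: str, report: bytes, salt: bytes,
                severity: str, award_bps: int) -> tuple:
        """Step 2: a committee member approves a revealed report and releases the reward.
        The award must not exceed the cap for the given severity."""
        if approver not in self.committee:
            raise PermissionError("approver is not on the committee")
        submitter = self.pending.get(commitment)
        if submitter is None:
            raise ValueError("unknown commitment")
        if disclosure_commitment(report, salt) != commitment:
            raise ValueError("revealed report does not match the on-chain commitment")
        cap = SEVERITY_CAP_BPS[severity]
        if not 0 < award_bps <= cap:
            raise ValueError(f"award {award_bps} bps exceeds {severity} cap of {cap} bps")
        payout = self.balance * award_bps // 10_000
        self.balance -= payout
        del self.pending[commitment]
        return submitter, payout

    def deny(self, approver: str, commitment: str) -> None:
        """Committee rejects a claim; the commitment is cleared without payout."""
        if approver not in self.committee:
            raise PermissionError("approver is not on the committee")
        self.pending.pop(commitment, None)
```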

Thanks for the great proposal @Hats.

One thing that it would be nice to get some clarity on is if/why this is a better alternative than Gnosis running its own bug bounties (which it already does). For example, the 🍯dao already fulfills a similar purpose.

I imagine part of this answer has to do with hats tokens, so it would be great if you could articulate what makes hats tokens valuable.

Hey Auryn, thanks for the question!

Hats can be used as an addition to the existing Gnosis bug bounty program.
A decentralized bug bounty platform and auditor marketplace gives additional coverage to the standard bug bounty programs maintained by the project itself. With the right incentives, we can create a central (decentralized) marketplace which will bring better exposure to auditors and white hat hackers.

The Hats token is at the center of this, and a key driver for adoption and participation.
$HATS allows us to align the incentives of all the parties involved for the long-term growth of the protocol. For example – auditors or white hat hackers receive part of their reward in vested Hats tokens, effectively becoming invested in the protocol after creating value for the tokens they just received by reporting an exploit. The goal is to create a feedback loop and further incentivize them to participate and report exploits through the system.

A few additional points

  • Hats is inherently a no-KYC platform, which our research showed is a crucial prerequisite for many hackers, especially those in eastern Europe and Asia.
  • High bounty value: due to $HATS incentives, there is a good chance that the bounty on Hats will be much higher than the bounty given by the project itself (Gnosis), as it will include some additional players (insurers, investors, farmers).
  • The bounty value also scales with the success and token appreciation of GNO, as opposed to a standard bounty program with no scalability.
  • Along with $HATS being a governance token which gives its holders voting power to influence the Hats project and other projects’ bounty programs and incentives, its value increases on each approved claim as some portion of Hats will be burned (or locked away for a long time); this is still TBD.