This is a proposal for Uniswap to collaborate with Hats.finance to create an on-chain, free, non-custodial, scalable and permissionless incentives pool for hackers/auditors to protect the Uniswap smart contracts.
The direct losses from hacks and exploits between 2020-2022 are above $15B, and yet, the solutions currently being offered are not decentralized, permissionless, scalable, and continuous and open to everybody like Uniswap is.
This proposal aims to create an incentives pool on Hats Protocol for hackers/auditors to help protect the Uniswap smart contracts. The goal of the vault is to incentivize responsible vulnerability disclosure for Uniswap. Liquidity can be added (with $UNI and/or yield-bearing tokens) permissionlessly, and LPs will be rewarded with $HAT tokens once the liquidity mining program is launched.
Hats.finance is an on-chain decentralized bug bounty platform specifically designed to prevent crypto-hack incidents by offering the right incentives. Additionally, Hats.finance allows anyone to add liquidity to a smart bug bounty. Hackers can disclose vulnerabilities responsibly without KYC & be rewarded with scalable prizes & NFTs for their work.
Smart bug bounty programs are a win-win for everyone. They can be created easily with a few on-chain transactions (it takes less than 1 hour to set up a vault on Hats), and are free of charge. Hats will only charge a fee once an incident has been successfully mitigated. The protocol will retain 10% of the payout as fee from the security researcher. Scenarios of an exploit are way more costly and can cause irreversible damage. More importantly, the bounty program is transparent, decentralized, and gives power to the community of the project.
On-chain submission:
With the values of Ethereum, which are lighting our way, we decided to take a different approach to bug bounty compared to the traditional and centralized bug bounty platforms.
The submitter writes a detailed vulnerability description on the Hats dApp. The submission is encrypted with the project PGP key. The user hashes the encrypted description (automatically) and sends a transaction on-chain with that hash (only the hash of the encrypted report goes on-chain), while sending the encrypted message to the routing bot.
The tx fee acts as a spam filter and can be set to a higher value (in the future).
The routing bot verifies that the Hash of the encrypted message was published on-chain and publishes the encrypted message to the committee group together with a link to a front-end open source tool to decrypt the messages that are stored on IPFS that is part of Hats dApp.
In case that the proposal gets accepted, Uniswap is expected to:
1- Choose and set up a committee
2- Vote for DAO participation amount
Onboarding action items:
The key advantage of Hats solution compared to traditional, centralized bug bounty services:
Additional advantages of deployment of the existing Uniswap bug bounty program on Hats Protocol:
Since Uniswap DAO will be farming $HAT tokens with its bounty (after TGE), it's a cost negative opportunity for Uniswap DAO.
A security researcher recently found a critical severity within Premia Finance’s staking contracts and got rewarded $70k for his responsible disclosure:
https://twitter.com/HatsFinance/status/1663243357160890369
In one of the recent audit competitions, the security researchers could find 3 critical severities in Raft Finance’s code in a 7 days long audit contest even if the project went under an extensive audit by one of the top-tier auditing firms in the space:
https://hatsfinance.medium.com/raft-finance-audit-competition-final-note-16e87dce23a2
A security researcher could find a medium severity vulnerability in HOPR contracts:
For example, using the same logic, although Hats Finance is a web3 project, the links you shared above are Medium and Twitter, which are both Web2.
Sorry, you are right. Here is the link to our dApp: https://app.hats.finance/bug-bounties
So once again, beside web2 vs web3 difference, the focus should be on whether there are issues with the current Uniswap bug bounty program. This will be helpful to the community to evaluate.
Secondly, bug bounty vaults on Hats Finance are open to everybody. Accordingly, investors, DAO members, community members, etc. can deposit to the vault and top up the bounty amount (make it more incentivizing for security researchers).
Thirdly, Hats Finance is on-chain and therefore the submissions require a transaction fee. This fee itself is acting as a spam filter, but if deemed not enough, Uniswap can increase the fee to submit a report to create a paywall (to increase the efficiency of the spam filter). This is very important because it's widely known that some web2 bug bounty companies are paying some security researchers to submit reports (to sell triage service to the projects).
Fourthly, Uniswap DAO can potentially farm $HAT tokens (after TGE) with its bug bounty vault.
Fifthly, there is not any monthly/quarterly/yearly fee to host the bug bounty program on Hats.
Sixthly, Hats Finance, as a decentralized protocol, is anon-friendly. Considering the fact that white hatting might be troublesome in some countries and some white hats are very sensitive about their privacy, Hats has the capability to target more security researchers.
Security researcher has to pay an upfront fee to escalate the case and if the court does not agree with the security researcher, he loses this fee.
I noticed the team actually paid 40k for their own, which included one high severity.
Thus, I recommend the Uniswap governance to push for fairer deals such as Hats team matching Uniswap’s contributing fund (if approved) and/or rebating the 10% payout.
Last but not least, I do not want to consider Uniswap partnership as a paid promotion, with all due respect.
Hey @Doo_StableLab! Thanks a lot for taking the time to reflect.
Can you share some light on current Uniswap’s bug bounty programs and in your opinion, why it’s not sufficient?
In my humble opinion, Uniswap, as the market leader in DeFi, should be at the forefront to support decentralization ethos. Otherwise, why use Uniswap instead of centralized Web2 alternatives? I am of the opinion that it would contribute a lot to the wider ecosystem if Web3 projects, especially top-notch ones like Uniswap, would prioritize Web3 native products over centralized/Web2 alternatives.
I feel like all of those can be done in the current model? For example, if needed, give out in $UNI token or not paying the reward at once?
Hats Finance is very well known in security and Uniswap's deployment of its bug bounty program on Hats protocol would potentially enrich the target audience.
Secondly, Hats Finance provides the security researchers with decentralized dispute court (in partnership with Kleros court). Accordingly, security researchers would be more comfortable with submitting vulnerabilities on Hats protocol from a game-theory perspective with the idea that a specialized third party court will see their case if they are treated unfairly.
This is a misleading comment as we don’t know the price of $HAT in the future. Therefore, if the team indeed believes that “cost negative opportunity” then we suggest the team guarantees that if the cost is greater than the token farmed, the team provides needed fund to fill the gap.
You are right! I made a mistake while editing the proposal. The way it should be was "Since Uniswap can use any yield-bearing token to fund the bug bounty vault, there will not be any opportunity-cost for Uniswap."
Additionally, potentially farming $HAT token would be another advantage over the current implementation of Uniswap bug bounty program.
Appreciate the questions, looking forward to hearing more :slight_smile:
In my humble opinion, Uniswap, as the market leader in DeFi, should be at the forefront to support decentralization ethos. Otherwise, why use Uniswap instead of centralized Web2 alternatives?
So once again, beside web2 vs web3 difference, the focus should be on whether there are issues with the current Uniswap bug bounty program. This will be helpful to the community to evaluate.
Secondly, Hats Finance provides the security researchers with decentralized dispute court (in partnership with Kleros court). Accordingly, security researchers would be more comfortable with submitting vulnerabilities on Hats protocol from a game-theory perspective with the idea that a specialized third party court will see their case if they are treated unfairly.
“Since Uniswap can use any yield-bearing token to fund the bug bounty vault, there will not be any opportunity-cost for Uniswap.”
I think we have different opinions about what opportunity cost is, because the Uniswap team can just have yield-bearing tokens in its treasury. In fact, Uniswap has to bear the potential risk of an exploit with Hats Finance, which the Hats team yourselves are aware of. It's a good practice to defend your own of course, but just clarifying that it's not a risk-free vault. And I noticed the team actually paid 40k for their own, which included one high severity.

The high severity was this one, titled "First depositor can partially steal deposits and DoS vaults": https://github.com/hats-finance/hats-contracts/pull/393
Therefore, this is a risk the Uniswap community should consider. In addition, as Uniswap is a top 5 DeFi protocol, if integrated, Uniswap will be their biggest DeFi partner, which undoubtedly would be beneficial for Hats Finance community and development. Thus, I recommend the Uniswap governance to push for fairer deals such as Hats team matching Uniswap's contributing fund (if approved) and/or rebating the 10% payout.
Can you share some light on current Uniswap's bug bounty programs and in your opinion, why it's not sufficient?
Since Uniswap DAO will be farming $HAT tokens with its bounty (after TGE), it’s a cost negative opportunity for Uniswap DAO.