Bug Bounty Vault Proposal by Hats Finance

Simple Summary

This is a proposal for Lyra Finance to collaborate with Hats.finance to create an on-chain, free, non-custodial, scalable and permissionless incentives pool for hackers/auditors to protect the Lyra Finance smart contracts.

Abstract

The direct losses from hacks and exploits between 2020-2022 are above $15B, and yet, the solutions currently being offered are not decentralized, permissionless, scalable, and continuous and open to everybody like Lyra Finance is.

This proposal aims to create an incentives pool on Hats Protocol for hackers/auditors to help protect the Lyra Finance smart contracts. The goal of the vault is to incentivize responsible vulnerability disclosure for Lyra Finance. Liquidity can be added (with $LYRA and/or yield-bearing tokens) permissionless and LPs will be rewarded with $HAT tokens once the liquidity mining program is launched.

Motivation

Hats.finance is a on-chain decentralized bug bounty platform specifically designed to prevent crypto-hack incidents by offering the right incentives. Additionally, Hats.finance allows anyone to add liquidity to a smart bug bounty. Hackers can disclose vulnerabilities responsibly without KYC & be rewarded with scalable prizes & NFTs for their work.

Smart bug bounty programs are a win-win for everyone. They can be created easily with a few on-chain transactions (it takes less than 1 hour to set up a vault on Hats), and are free of charge. Hats will only charge a fee once an incident has been successfully mitigated. The protocol will retain 10% of the payout as fee from the security researcher. Scenarios of an exploit are way more costly and can cause irreversible damage. More importantly, the bounty program is transparent, decentralized, and gives power to the community of the project.

On-chain submission:

With the values of Ethereum, which are lighting our way, we decided to take a different approach to bug bounty compared to the traditional and centralized bug bounty platforms.

The submitter writes a detailed vulnerability description on Hats dApp. The submission is encrypted with the project PGP key. The user hashes the encrypted description (Automatically) and sends a transaction on-chain with that Hash (only the Hash of the encrypted report is going on-chain), While sending the encrypted message to the routing bot.

The tx fee acts as a spam filter and can be set to a higher value (in the future).

The routing bot verifies that the Hash of the encrypted message was published on-chain and publishes the encrypted message to the committee group together with a link to a front-end open source tool to decrypt the messages that are stored on IPFS that is part of Hats dApp.

Specification

In case that the proposal gets accepted, Lyra Finance is expected to:

1- Choose and set up a committee

2- Vote for DAO participation amount (We believe that it would be ideal to allocate 2%-4% of the circulating supply for the bug bounty vault but any community feedback is appreciated)

Onboarding action items:

  • Choosing a committee: The committee is preferably the public multisig contract of Lyra Finance or a multisig specifically set up to manage the bounty program. We believe that Risk Council or Grants Council would be an appropriate fit for the committee.
  • The Committees responsibility:
    • Triage incoming vulnerability reports/claims from auditors/hackers (get back to the reporter within 12 hours).
    • Approve claims within a reasonable time frame (Max. of 6 days)
    • Set up repositories and contracts under review. (A list of all contracts covered by the bounty program separated by severity)

Rationale

The key advantage of Hats solution compared to traditional, centralized bug bounty services:

  • Bug bounty vaults are loaded with the native or yield bearing token of each project. Reducing the free floating supply while giving the token additional utility.
  • Scalable bounty network — vault TVL increases with success / token appreciation of the project.
  • Open & Permissionless — Anyone can participate in the protection of an asset they are a stakeholder of and any hacker, anywhere in the world, can participate anonymously when disclosing exploits (no KYC needed)
  • In the future when providing liquidity (taking risk) every depositor could earn $HAT tokens.
  • Continuous — As long as tokens are locked in the vault, hackers are incentivized to disclose vulnerabilities through Hats, instead of exploiting the project.

Additional advantages of deployment of the existing Lyra Finance bug bounty program on Hats Protocol:

  • Lyra Finance can reach out to many more security researchers (aka white hat hackers) with a bounty on Hats protocol and each scrutiny will make Lyra Finance safer.
  • Lyra Finance can fund the bug bounty vault on Hats with its own native token ($LYRA or yield bearing token)
  • The bounty reward for the submitter is not paid at once to reduce the price pressure on the project token.

Since Lyra Finance will be farming $HAT tokens with its bounty, it’s a cost negative opportunity for Lyra Finance.

Test Cases

A security researcher recently found a critical severity within Premia Finance’s staking contracts and got rewarded $70k for his responsible disclosure: https://twitter.com/HatsFinance/status/1663243357160890369

In one of the recent audit competitions, the security researchers could find 3 critical severities in Raft Finance’s code in a 7 days long audit contest even if the project went under an extensive audit by one of the top-tier auditing firms in the space:

A security researcher could find a medium severity vulnerability in HOPR contracts:

Copyright Waiver

Copyright and related rights waived via CC0.

6 Likes

This is a great proposal, I am a big fan of Hats Finance! This is a great way to bring additional security at no added cost unless a vulnerability is found, Hats Finance and their community have a proven track record of finding and disclosing vulnerabilities and providing great value to many defi protocols.

My suggestion would be to use the current risk council or Grants as reviewers of any submissions. 2-4% of circulating supply seems quite high, 2% would be ~$650k at current prices. My suggestion based on other bounties available would be between 500k-1M LYRA (~$40k-$80k at the time of writing).

We may need to set up a pool if the proposal has support and then specify an address for tokens to be sent to for an on-chain vote. CC @mjs

4 Likes

I’m in favour of establishing a pool on Hats Finance. Our objective is to bolster the security of the protocol as much as possible through audits, bug bounties and industry standard security practices. Setting up a committee on Hats looks like a valuable tool to further diversify the stack currently in place to protect users.

4 Likes

Hey @ksett! Much obliged with all the reflection. We are trying our best to include and decentralize the security blocks which will make DeFi a safer space.

I think a similar case would be Premia Finance, which has similar TVL and MC with Lyra Finance, and Premia had a $100k bounty before the payout for the critical vulnerability.

It is super easy and takes less than 30 mins for a non-dev to create a vault on Hats protocol by using our client-side vault editor.

3 Likes

Appreciate the comment and support @CodyAdam! It really makes me sad to see the projects, which i am in contact with and put the bug bounty on hold, getting rekt every few days. I am very glad that Lyra Finance is adopting an admirable approach to security in the space.

3 Likes

Thanks for the post @Fav_Truffe

With governance v2 we’ve moved away from multisigs acting on behalf of the DAO. What you would do is specify the transactions in a smart contract and governance will execute them automatically, subject to the proposal being approved.

What transactions need to be taken? It sounds like there are at least two:

  1. Nominate committee
  2. Deposit LYRA into rewards pool

Any others?

4 Likes

Appreciate the update regarding the governance v2 @mjs.

I think what you have described is pretty applicable but we would love to hop on a call for demo show of our dApp and exploring how to integrate.

cc: I DMed @ksett to set up a call and it would be awesome if you could coordinate one.

2 Likes

How does this fit into the current auditing of the Lyra contracts? With v2 coming, the contracts for those will have to be audited, there must already be a procedure in place. Sherlock and Iosiro are current audit partners.

Lyra already has a bounty programme:

or is this now outdated?

Also, what are the advantages of Hats Finance over running a code4rena contest?

4 Likes

Thanjs for the reflection @Ethboi!

1- Bug Bounty and Audits are two different things. Bug bounty is for deployed contracts while audits are for pre-deployed contracts.

We do have an audit competition product as well which might be very relevant for your upcoming v2 smart contracts. As for the differences between Hats and Code4rena;

  • Code4Arena has remarkably high fees (30% to 40% on top of the bounty. For example, you need to pay $130k-$140k for $100k worth of contest on C4). But, Hats is B2B free and we take 10% cut from the security researchers.

  • If there are 20 submissions for the same issue on a Code4rena contest, the reward for that issue is divided among 20 security researchers. This results in lower payouts. However, the bounty is rewarded to the first submission on Hats Finance (FCFS) and therefore we believe that experienced security researchers prioritize competitions on Hats Protocol.

  • You dont need to book a slot months earlier. You can easily set up the competition in 7 days notice on Hats protocol.

  • Teams get the vulnerabilities in real time and can start fixing asap and dont need to wait for the competition to end and reports to be compiled to start fixing the vulnerabilities on Hats.

3 Likes