Hats.Finance - Decentralized Cybersecurity Incentive Network Proposal

Kendrea · May 10, 2021, 7:43pm

The Community Fund is pleased to begin it’s consideration for the community granting process for Hats.Finance

Hats is a decentralized cybersecurity incentive network. Governed by its community stakeholders - Hackers, Projects, and Token holders — to incentivize protocol security and responsible disclosure.

NXM will be one of the first Hat incentive vaults providing active protection to Nexus Mutual. This incentivizes vulnerability disclosure for NXM smart contracts while farming rewards in the form of hats tokens.

We are creating an incentive mechanism, complimentary to Nexus Mutual, that utilizes the development culture of Ethereum to help secure it.

Hat.Finance would require the following as support from the Nexus team

-Assign a committee to look through disclosure reports in addition we will be happy to get:

Deposit NXM in the hats NXM pool
Propose a boost in NXM tokens for NXM covered pool bounties
Marketing and communication help

Hats V1 is planned to be released by the end of May.

We don’t need a budget just for NXM to participate in the protocol

Impact matrix

All proposals will be considered based on their potential impact on the mutual.

Awareness/education Projects that seek to grow awareness of Nexus in the wider community and to help members understand how the mutual works. Examples could include writing docs, newsletters, producing videos, memes, NFTs.
Distribution/sales Projects that focus on b2b partnerships or increase distribution of cover at the source of the primary purchase (ie, on DeFi apps). Examples could include building a distributor on top of Nexus, integrations with other projects, or designing new products.
Technical improvements/capability Projects that seek to expand functionality of the mutual or development of new products. Examples could include contributing to open source code, designing user interfaces, building a reinsurance layer or constructing bundled yield bearing and protected products

Once a proposal has been up for discussion on here for 7 days it will be closed and we will then translate it to the snapshot for voting. After the snapshot has concluded and if it has produced a favorable outcome, we will distribute the funds.

Details about the Community Fund can be found on this page of our Docs

HeyChristopher · May 11, 2021, 10:31am

I like this proposal, but should we maybe evaluate competing projects such as CodeArena and Immunefi as well?

Would we be forfeiting working with these communities in the future if we commit to Hats?

It would be best if we could partner with all three of them somehow and have their risk evaluations funnel back into Nexus.

hatter · May 11, 2021, 8:12pm

Great question @HeyChristopher . I would like to stress that there is no exclusive commitment of Nexus to Hats protocol here. In order to participate in other projects Nexus just have to make sure it has an article in their terms and condition of reward to not reward the same exploit or hack twice.

mate · May 12, 2021, 5:18am

I don’t quite get the idea yet; where do the incentives come from? What’s the difference to Armor.fi?

hatter · May 12, 2021, 7:33am

Armor.fi is an insurance tool. Hats doesn’t provide coverage in case a protocol got hacked or exploited. Hats is an incentive layer for responsible disclosure and white hat hacker which should prevent hacks and exploits of the protocols that participate in it.

BraveNewDeFi · May 12, 2021, 11:00pm

Can you describe in a little more detail the benefits to mutual members and the benefits to white hats using this system? I read through your Medium post, but more detail would help me understand the cost versus benefit. While this proposal doesn’t require a budget, it does require a deposit of NXM into one of your vaults.

What I’d like to know:

Committee

How many members of the Core Team/Community would be required to serve on a committee?

Boost in NXM tokens

Would this boost be initiated by the mutual? Or is the boost initiated by Hats to launch the vault?

Marketing and Communication

Can you share the exact way Hats Finance can assist the mutual in Marketing/Communication efforts?
How are vulnerabilities communicated to the Hats team and to the proposed committee?

White hats

Do you have an established white hat community that plans to participate in Hats Finance at launch? Or will Hats Finance be bootstrapping a community through initial high-APY incentives?

If we were to follow the model Nexus uses with ImmuneFi, we would allocate roughly ~$100,000-$150,000 USD in NXM to the Hats vault (~641 NXM to 962 NXM at today’s price). The top payout is $50,000 USD, but we’d need to have more capital to cover smaller events without draining the vault if disclosures take place.

For other members, here is some context: Nexus Mutual currently has a bug bounty managed by ImmuneFi with a top payout of $50,000 USD for critical vulnerabilities. A partnership with Hats.Finance wouldn’t infringe on the mutual’s relationship with ImmuneFi; it would simply add another venue to attract white hats and it would be another opportunity to keep the Nexus smart contract system safe for members. To contrast from the Dedaub proposal, this proposal would get more eyes on Nexus Mutual’s smart contract system, while Dedaub would primarily focus on the smart contract systems of the mutual’s listed protocols.

Hats.Finance is one way to implement the advice Delphi Digital provided after the Alpha Homora v2 exploit in February.

Appreciate you taking the time to offer a partnership proposal with the Nexus community. Thank you for your answers in advance

hatter · May 13, 2021, 7:22am

Thanks you for the detailed questions. I tried to answer all the questions inline in bold.

BraveNewDeFi:

Can you describe in a little more detail the benefits to mutual members and the benefits to white hats using this system? I read through your Medium post, but more detail would help me understand the cost versus benefit. While this proposal doesn’t require a budget, it does require a deposit of NXM into one of your vaults.

What I’d like to know:

Committee

How many members of the Core Team/Community would be required to serve on a committee?
I think 5 committee members should suffice (using a 3 out of 5 multisig wallet). They should be trusted Nexus mutual community members as the disclosures may contain sensitive information.

Boost in NXM tokens

Would this boost be initiated by the mutual? Or is the boost initiated by Hats to launch the vault?

It will be mutual! ()
The current Hats smart contract Hats don’t have a boost feature of other tokens. Hats will boost with Hats token incentive, and Nexus Mutual with NXM.

Marketing and Communication

Can you share the exact way Hats Finance can assist the mutual in Marketing/Communication efforts?
This one is also going to be mutual! Nexus Mutual could help onboard covered projects and protocols into Hats vaults and help form their committees, on the other hand protocols in Hats vaulrs will be incentivized to use Nexus Mutual (tbd)

How are vulnerabilities communicated to the Hats team and to the proposed committee?
The only party exposed to the vulnerabilities will be the Nexus Mutual committee. the committee has a secure off-chain encrypted channel with the reporter of the exploit

White hats

Do you have an established white hat community that plans to participate in Hats Finance at launch? Or will Hats Finance be bootstrapping a community through initial high-APY incentives?
We are in touch with both audit firms, individuals auditors, and several prominent white hat hackers in the community. The incentives for them to participate are financial and NFT rewards through the Hats mechanism. The long term goal is to also attract gray, and black hat hackers as the rewards will reach sizeable amounts.

If we were to follow the model Nexus uses with ImmuneFi, we would allocate roughly ~$100,000-$150,000 USD in NXM to the Hats vault (~641 NXM to 962 NXM at today’s price). The top payout is $50,000 USD, but we’d need to have more capital to cover smaller events without draining the vault if disclosures take place.
The committee sets severities as precent of vault value, it has also the power to reset the severities if the vault accumulate a lot of funds.
I don’t know what is the attack surface of Nexus mutual smart contracts is but we think that prizes for critical vulnerabilities should be ~$500k-$2m in order to attract the right attention. The beauty in hats, is that not only Nexus Mutual places funds for the bounty, the general Nexus Mutual community also joins and any NXM holder can actively protect the funds.

For other members, here is some context: Nexus Mutual currently has a bug bounty managed by ImmuneFi with a top payout of [$50,000 USD for critical vulnerabilities]. A partnership with Hats.Finance wouldn’t infringe on the mutual’s relationship with ImmuneFi; it would simply add another venue to attract white hats and it would be another opportunity to keep the Nexus smart contract system safe for members. To contrast from the Dedaub proposal, this proposal would get more eyes on Nexus Mutual’s smart contract system, while Dedaub would primarily focus on the smart contract systems of the mutual’s listed protocols.

Appreciate you taking the time to offer a partnership proposal with the Nexus community. Thank you for your answers in advance

Kendrea · May 14, 2021, 3:33pm

Hello Everyone! This has been an amazing thread with lots of great questions, feedback and responses. Just a reminder that this forum will close on Monday, May 17th. If you have any lingering questions, now is the time to ask and get clarification before we close it out for vote! Once we have closed it out, there can be no change to the proposal once it goes to Snapshot. Thank you to our community members and to Hats.Finance for this discourse.

Kendrea · May 17, 2021, 6:30pm