Nexus Mutual Community <> Hats collaboration: Next Steps

This is a proposal to move forward with the Nexus Mutual community <> Hats collaboration, the second step after the passing of the consideration of collaboration proposal.

We believe the Hats solution is a direct continuation of the Bug bounty services discussed and proposed by @BravenewDefi back in February.

The Proposal:

The Nexus Mutual community sets up a committee and deposits NXM into the Nexus Mutual vault in Hats.

  • Set up a committee on Hats vault - Choose trusted members of the dev team that could triage the vulnerabilities that will be sent by the hackers / auditors through the encrypted offline communication channel. This team will have visibility to vulnerabilities of the protocol and should be chosen carefully by the mutual. Availability of that team should also be taken into account as vulnerabilities that will be reported will have to be triaged in a timely manner.
  • Deposit of 6250 NXM (roughly $500,000). We believe this is a sufficient sum to attract developers, auditors, and hackers to review the NXM smart contracts.

*Bear in mind that this is not a grant, but a deposit that incentivizes responsible disclosure of vulnerabilities in the Nexus Mutual contracts and products. At any point the Nexus Mutual community / governance can decide to withdraw the NXM from the vault.

  • Nexus Mutual covered protocol 25% reward boost - Nexus Mutual will reward hackers/auditors of other vaults on Hats that are covered by the mutual with 25% of the reward value given to the hacker, paid in NXM tokens and not exceeding $250k in value per approved disclosure. No deposit is made by the mutual upfront. The mutual will agree to do it and will consider each case on its own. Hats will display this reward boost by the mutual on its UI with a comment (“NXM will consider the boost on a per vulnerability disclosure basis and might not choose to boost every or any vulnerability”).
    Hats will boost the NXM vault with an additional 25% emission rate over other protocol vaults on Hats.

Once the Hats PPM (Protocol Protection Mining) program is live, the NXM governance will also automatically farm Hats tokens in return for protecting the NXM protocol. This provides additional upside to Nexus Mutual and its community members who participate in the protection mining.

Future angles of collaboration

  • Additional rewards to Nexus Mutual participants on Hats PPM (Protocol Protection Mining) in the form of NXM tokens. ~3,000 NXM tokens over the course of three months.
  • Automatic buying of Nexus Mutual insurance from, and for Hat vaults for
  • Hats finance will prioritize the onboarding of protocols that are covered by the mutual.

(demo video is attached)

Hats audit and security measures:

The Hats contracts have been audited by Zokyo and two individual auditors with no major findings, and all the issues found were fixed to the satisfaction of the auditors. The funds in the vault and their allocation to hackers/auditors are controlled by the Nexus Mutual committee alone.


Support this partnership, as it protects Nexus members with funds deposited within the mutual and it protects our capital pool from code vulnerabilities. This could be a great value add to listed protocols, as well.

A few questions:

  1. Has there been an update with respect to the launch of Hats.Finance?

  2. Will Nexus be the primary vault available at launch or will other protocols be included when Hats Finance launches?

  3. Are members able to review the audits for Hats Finance currently?

This is a great security solution but having these questions answered would enable me and others to make an informed decision before participating in a Snapshot vote.


Thank you @BraveNewDeFi for the detailed questions. My name is Ofir; I’m the onboarding and community manager of Hats.Finance.

I will try to answer your questions.

1. Has there been an update with respect to the launch of Hats.Finance?

An official launch date will be given soon. We will be ready to launch from next week.

2. Will Nexus be the primary vault available at launch or will other protocols be included when Hats Finance launches?

We have just started the onboarding phase; we have a list of projects at various onboarding stages. Right now, we have 2 projects onboard. Hopefully, we will have several more on the official launch day.

3. Are members able to review the audits for Hats Finance currently?
- Please see the Zokyo audit (Hats Finance-final audit report.pdf, Google Drive).
- The other 2 audits have been done internally and all issues have been fixed.
- In addition, Hats.finance will deposit 1% of Hats tokens in circulation in the Hats vault as a bounty program.

We appreciate your interest and attention to detail.

Ofir


Thank you so much for following up!

Everything you’ve included here addresses my questions. This further solidifies my confidence in the Nexus <> Hats collaboration.

:shield::turtle: :handshake: :tophat: :shield:


I want to provide some comments here that I think mutual members should consider as part of this proposal.

More broadly than this particular proposal there are two main goals:

  1. What are the best ways to secure the Nexus Mutual protocol from hacks?
  2. What are the best ways to reduce claim payments on protocols we cover?

Nexus Mutual Security
We already have a bug bounty program funded by the Foundation. It is at a lower level than what is proposed here. So the $500k worth of NXM would be in addition to what currently exists.

This leads to two main questions:

  1. Do we want to increase bug bounties on Nexus Mutual via the community fund?
  2. If so, should we simply increase the existing bug bounty rather than run two separate programs, or is there wider strategic value in the Hats relationship?

This second point is likely the key to this proposal.

Reduce Claim Payments

Strategically, the mutual benefits from services that reduce potential claim payments; this is where the Hats relationship is potentially valuable.

This value hinges on the wider adoption of Hats within the crypto community. If only a few other projects adopt it, there isn’t much additional value for Nexus. On the other hand, if there is wide adoption then there is a material benefit.

It is worth bringing up Immunefi here, mainly because they have quite high adoption levels with well over 100 projects listed and a wide coverage on nearly all protocols we cover. So projects would need to list bounty programs on both Immunefi and Hats, or switch to Hats, for Nexus to benefit.

The key benefit of Hats is the built-in reward boost aspect that Nexus Mutual could take advantage of, rather than simply increasing the bug bounty materially. If we believe there is value here, then this is the main reason to be positive on the Hats proposal.


$500k worth of NXM is more than 2% of the community fund and too much to allocate for a bug bounty imo. The community fund has to last many years and I want to avoid doing another token mint since that’s a slippery slope.


Thanks for the important questions you raised here. We want to share our thoughts regarding those topics:

As security auditors and seasoned developers we believe there isn’t such a thing as too much security. We think Ethereum dapps should include both our solution and Immunefi’s, and frankly any other solution that will be out there that can ensure the safety of the protocol and their users’ funds.

The advantage of a bug bounty program is it doesn’t cost anything unless there is a critical disclosure that would have been a lot more expensive if it wasn’t for the program in the first place.

Our goal is to build a decentralized and scalable bounty network where any project, big or small, can place a bounty with its own tokens. As the project grows in success and value, so will the bounties it offers. We also allow and encourage the community of said project to participate in its protection.

A central decentralized (:sunglasses:) ecosystem like this will surely attract those who can offer their services as white hat hackers, auditors, and security experts, especially if you recognize and reward them for their contributions with assets like NFTs from top creators.

Additionally, the goal of the Hats Protocol Protection Mining (PPM), which will be live soon after the launch, is to create long-term incentives for those who care about the security of dapps in the ecosystem to participate, contribute, and help grow this open tool.

  • We understand this might be a big amount and it can be decreased; we also originally proposed an incremental funding schedule, and not everything in one go. We could do a monthly deposit of $125k over 4 months.

  • This amount can be withdrawn back to the community fund at any time; this is not a grant or funding request, but a bounty to protect the contracts.

Bear in mind that funds will be released from the vault only due to a vulnerability disclosure. The upside from fixing an issue is drastically more valuable than the financial face value of the NXM tokens that are going to be deposited.