RFC: Bug Bounty Vault Proposal by Hats Finance

TLDR

This is a proposal for Nexus Mutual to collaborate with Hats.finance to create an on-chain, free, non-custodial, scalable and permissionless incentives pool for hackers/auditors to protect the Nexus Mutual smart contracts.

Abstract

The direct losses from hacks and exploits between 2020 and 2022 are above $15B, and yet the solutions currently being offered are not decentralized, permissionless, scalable, continuous, and open to everybody the way Nexus Mutual is.

This proposal aims to create an incentives pool on Hats Protocol for hackers/auditors to help protect the Nexus Mutual smart contracts. The goal of the vault is to incentivize responsible vulnerability disclosure for Nexus Mutual. Liquidity can be added (with $NXS and/or yield-bearing tokens) permissionlessly, and LPs will be rewarded with $HAT tokens once the liquidity mining program is launched.

Motivation

Hats.finance is an on-chain decentralized bug bounty platform specifically designed to prevent crypto-hack incidents by offering the right incentives. Additionally, Hats.finance allows anyone to add liquidity to a smart bug bounty. Hackers can disclose vulnerabilities responsibly without KYC & be rewarded with scalable prizes & NFTs for their work.

Smart bug bounty programs are a win-win for everyone. They can be created easily with a few on-chain transactions (it takes less than 1 hour to set up a vault on Hats) and are free of charge. Hats only charges a fee once an incident has been successfully mitigated: the protocol retains 10% of the payout as a fee from the security researcher. An exploit scenario is far more costly and can cause irreversible damage. More importantly, the bounty program is transparent, decentralized, and gives power to the community of the project.

On-chain submission:

With the values of Ethereum, which are lighting our way, we decided to take a different approach to bug bounty compared to the traditional and centralized bug bounty platforms.

The submitter writes a detailed vulnerability description in the Hats dApp. The submission is encrypted with the project's PGP key. The user hashes the encrypted description (automatically) and sends a transaction on-chain with that hash (only the hash of the encrypted report goes on-chain), while sending the encrypted message to the routing bot.

The tx fee acts as a spam filter and can be set to a higher value (in the future).

The routing bot verifies that the hash of the encrypted message was published on-chain and publishes the encrypted message to the committee group, together with a link to an open-source front-end tool (part of the Hats dApp) for decrypting the messages, which are stored on IPFS.

Specification

In case that the proposal gets accepted, Nexus Mutual is expected to:

1- Choose and set up a committee

2- Vote for DAO participation amount

Onboarding action items:

  • Choosing a committee: The committee is preferably the public multisig contract of Nexus Mutual or a multisig specifically set up to manage the bounty program.
  • The committee's responsibilities:
    • Triage incoming vulnerability reports/claims from auditors/hackers (get back to the reporter within 12 hours).
    • Approve claims within a reasonable time frame (max. 6 days).
    • Set up repositories and contracts under review (a list of all contracts covered by the bounty program, separated by severity).

Rationale

The key advantages of the Hats solution compared to traditional, centralized bug bounty services:

  • Bug bounty vaults are loaded with the native or yield-bearing token of each project, reducing the free-floating supply while giving the token additional utility.
  • Scalable bounty network — vault TVL increases with success / token appreciation of the project.
  • Open & Permissionless — Anyone can participate in the protection of an asset they are a stakeholder of, and any hacker, anywhere in the world, can participate anonymously when disclosing exploits (no KYC needed).
  • In the future when providing liquidity (taking risk) every depositor could earn $HAT tokens.
  • Continuous — As long as tokens are locked in the vault, hackers are incentivized to disclose vulnerabilities through Hats, instead of exploiting the project.

Additional advantages of deploying the existing Nexus Mutual bug bounty program on Hats Protocol:

  • Nexus Mutual can reach out to many more security researchers (aka white hat hackers) with a bounty on Hats protocol and each scrutiny will make Nexus Mutual safer.
  • Nexus Mutual can fund the bug bounty vault on Hats with its own native token ($NXS or yield bearing token)
  • The bounty reward for the submitter is not paid at once to reduce the price pressure on the project token.

Since Nexus Mutual DAO will be farming $HAT tokens with its bounty (after TGE), it’s a cost negative opportunity for Nexus Mutual DAO.

Key Examples

A security researcher recently found a critical-severity vulnerability in Premia Finance's staking contracts and was rewarded $70k for his responsible disclosure:

(https://twitter.com/HatsFinance/status/1663243357160890369)

In one of the recent audit competitions, security researchers found 3 critical severities in Raft Finance's code in a 7-day audit contest, even though the project had undergone an extensive audit by one of the top-tier auditing firms in the space:
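
The on-chain submission flow described in the proposal (encrypt the report with the project's PGP key, put only the hash of the ciphertext on-chain, send the ciphertext to a routing bot that checks the hash before forwarding to the committee) modelled as an added example. This is illustration written for this thread, not Hats Finance's code: the chain is an in-memory append-only list, the PGP ciphertext is a constructed byte string, the hash function (SHA-256) and the spam-filter fee threshold are assumptions the post does not state, and the check that the ciphertext arrives from the same sender who published the commitment is an addition the post does not mention.

```python
"""Hash-commitment flow for an encrypted bug report (added illustration,
not Hats Finance code). Chain, bot and ciphertext are all simulated."""
import hashlib
from dataclasses import dataclass, field

# Assumed spam-filter threshold; the post gives no number, only the idea
# that the transaction fee filters spam and can be raised later.
MIN_FEE_WEI = 10**15

# Constructed stand-in for the PGP-encrypted report. In the real flow this
# is the armoured output of encrypting the report with the project's key;
# the bot and the chain never need to read it, only to hash it.
CIPHERTEXT = (
    b"-----BEGIN PGP MESSAGE-----\n"
    b"hQEMA0Z6R3h0ZXN0AQf/constructed-sample-ciphertext-bytes\n"
    b"-----END PGP MESSAGE-----\n"
)


def commit_hash(ciphertext: bytes) -> str:
    """Digest of the ciphertext. Only this value goes on-chain (SHA-256 is
    an assumption; the post does not say which hash the dApp uses)."""
    return hashlib.sha256(ciphertext).hexdigest()


@dataclass
class Tx:
    sender: str
    fee_wei: int
    report_hash: str


@dataclass
class Chain:
    """Append-only ledger standing in for the on-chain transaction log."""
    txs: list = field(default_factory=list)

    def submit(self, tx: Tx) -> int:
        self.txs.append(tx)
        return len(self.txs) - 1  # position doubles as the priority timestamp

    def find_commit(self, report_hash: str, sender: str):
        # Match on (hash, sender): copying someone else's hash out of the
        # mempool and committing it first does not let the copier claim the
        # report, because they cannot produce the matching ciphertext.
        for i, tx in enumerate(self.txs):
            if tx.report_hash == report_hash and tx.sender == sender:
                return i, tx
        return None


def routing_bot(chain: Chain, ciphertext: bytes, sender: str):
    """Decide whether to forward a ciphertext to the committee.
    Returns (forward, reason)."""
    h = commit_hash(ciphertext)
    found = chain.find_commit(h, sender)
    if found is None:
        return False, "no on-chain commitment of this ciphertext by this sender"
    idx, tx = found
    if tx.fee_wei < MIN_FEE_WEI:
        return False, "commitment paid less than the spam-filter fee"
    return True, f"forward to committee; committed at index {idx}"


def demo():
    """Honest submission is forwarded; a ciphertext that differs by one
    byte from what was committed is not."""
    chain = Chain()
    chain.submit(Tx("0xresearcher", 2 * MIN_FEE_WEI, commit_hash(CIPHERTEXT)))
    ok, _ = routing_bot(chain, CIPHERTEXT, "0xresearcher")
    tampered = CIPHERTEXT.replace(b"constructed", b"modified")
    bad, _ = routing_bot(chain, tampered, "0xresearcher")
    return ok, bad


if __name__ == "__main__":
    print(demo())
```

Two things the model makes visible. The on-chain record binds the exact ciphertext bytes, so the committee, after decrypting, should recompute the hash of what it received to be sure the report it reads is the one that was timestamped; a hash alone proves nothing about the content without the ciphertext. And because PGP encryption is randomized, two researchers reporting the same bug produce different ciphertexts and different hashes, so priority between them comes from the order of their commitments, not from the hash values.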

Thank you for the detailed proposal, @Fav_truffe.

Existing Bug Bounty Program

The Nexus Foundation currently manages the bug bounty program through Immunefi, and the Foundation is happy with the current program on Immunefi. The program on Immunefi doesn’t require KYC and the bug bounties are paid out in USDC.

This bug bounty program is outlined on Immunefi and in our documentation, as well.

Past Hats Finance Proposals

In 2021, Hats Finance presented a proposal to the Nexus Mutual DAO and members about starting a bug bounty program: Nexus Mutual Community <> Hats collaboration: Next Steps

This proposal was put up to a Snapshot vote and 90.4% of members who participated voted No on the proposal.

I know you also shared a proposal in April 2022, but previously, no one responded to that post on the forum.

Follow Up Questions Regarding your RFC Proposal

If this proposal were to move beyond the Request for Comment stage, it would need to request a separate bug bounty program be created using funding from the DAO treasury and the amount would need to be specified in the proposal, as well. However, I think it’s unlikely to receive support from members given the outcome of past votes on this subject.

On some of the additional advantages you point out in your proposal:

Can you provide some data on this point? I know Immunefi has a large security community with thousands of whitehats active on their platform. I’d be curious what the stats are for Hats Finance to date.

If Nexus Mutual were to provide the protocol's native token NXM to a vault on Hats, then the vault contract and anyone who submits a bug bounty would be subject to KYC, given that only members of the mutual who have gone through KYC can hold NXM. To date, bug bounty payouts through Immunefi have worked well for the Foundation.

If a yield-bearing token were provided, it would open the bounty funds up to additional smart contract risk, which I don’t believe members would be a fan of given the potential yield would only be in the realm of 3-8%.

This seems like a drawback from the existing program the Foundation runs on Immunefi, as a researcher would have to wait to get paid over time, thus misaligning incentives somewhat.

I’m glad to see more protocols offering audit competitions, but I feel as though this is out of scope for the current proposal, given you’re advocating for the creation of a bug bounty program on Hats Finance.

At this point, I’m not seeing an obvious benefit of running two bug bounty programs simultaneously.


Hey @BraveNewDeFi! Thanks a lot for taking the time for such a detailed reflection!

I am trying to set up a well-established relationship built over the years 🙂

It’s perfectly okay! I appreciate your honest opinion fren.

As an on-chain protocol, we are not tracking the activities of white hats on the protocol. Yet, feel free to check out our audit competition submissions on Hats github. Our security researcher community has been able to find critical vulnerabilities after top-tier audit firm audits like Trail of Bits, Halborn, yAcademy, etc.

You can use any stable coin to fund the vault for sure.

You can modify the payout vesting in any way you deem proper.

Appreciate the communication fren!
