We are expanding our ongoing commitment to the bug bounty program announced earlier this year by creating a new vault on the Hats.finance platform and pledging 20,000 DOLA to bootstrap initial rewards.
Background
Following research and introductions to several qualified auditing firms and bug bounty platforms, the Risk Working Group previously identified Hats.finance as a top choice to establish a formal working relationship with. As detailed in governance proposal #69, “After the termination of the Code4rena bug bounty contest, Inverse will launch a bug bounty vault on the Hats.finance platform and fund it with the remaining allowance funds. This vault will be grown over time as part of our ongoing commitment to safety.”
Hats.finance is a proactive bounty protocol for white hat hackers and auditors, in which projects, community members, and stakeholders all incentivize protocol security and responsible disclosure. By committing to Hats.finance as the host platform for our bug bounty program, Inverse joins a range of other protocols with active bug bounty vaults, including Temple, Liquity, Paladin, Paraswap, and DxDAO. By incentivizing an open hacking market that scales with the success of the projects and rewards successful hackers substantially, Hats aims to turn black and gray hat hackers into white hats.
Motivation
Inverse Finance’s Risk Working Group (RWG) has spent much of Q3 and Q4 improving the overall security posture of the DAO. This is an ongoing effort, so our internal quality assurance process should by default include a way to draw on contributors who specialize in finding security bugs. One crypto industry norm is to offer incentives that attract white hat researchers to test Inverse’s smart contracts and other code for vulnerabilities. These white hats are independent bounty hunters who study our code and business from an adversarial perspective, using their own tools and techniques to identify vulnerabilities in exchange for a reward or bounty.
Identifying security bugs collaboratively with white hat researchers demonstrates Inverse’s commitment to security, transparency, and accountability. An ongoing bug bounty program is an integral part of our renewed smart contract review process and will inspire confidence in our DAO community as we continue building in DeFi.
How it works
Hats.finance allows projects, protocols, and DAOs to create Hats security vaults that incentivize responsible disclosure for their smart contracts. Each project has a committee, which is responsible for triaging security reports, approving or rejecting claims within 7 days, and staying responsive to the hacker via its off-chain communication channel.
When a hacker finds a vulnerability, they disclose it to the Hats committee and publish an on-chain hash of the disclosure as a timestamped, tamper-evident proof of what was reported and when.
The committee, composed of researchers, project core developers, and white hat hackers, verifies or rejects the claim; on approval, funds are released to the hacker according to the token allocation specified in the vault.
Each vault has its own committee appointed by the project community.
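The on-chain hash proof in the disclosure step above is a commit-reveal pattern: the researcher publishes a hash that binds the report’s contents without revealing them, and the committee later checks that the revealed report reproduces that hash. The following Python is an added illustration written for this page, not Hats.finance’s code; the hash function, report format and on-chain encoding Hats actually uses are not specified here, so SHA-256 over a salted canonical JSON report and the sample report itself are assumptions.

```python
import hashlib
import json
import secrets
from typing import List, Optional

# Constructed sample report; every field is illustrative, not a real finding.
SAMPLE_REPORT = {
    "project": "Inverse Finance",
    "component": "example-vault-contract",   # assumed placeholder, not a real contract
    "severity": "high",
    "summary": "constructed placeholder description of the issue",
}


def canonical_report(report: dict) -> bytes:
    """Deterministic encoding: key order and whitespace must not change the hash,
    otherwise an honest reveal could fail verification."""
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode("utf-8")


def commit(report: dict, salt: bytes) -> str:
    """Commitment = SHA256(salt || canonical(report)). SHA-256 is an assumption
    standing in for whatever hash the real platform uses."""
    return hashlib.sha256(salt + canonical_report(report)).hexdigest()


def new_salt() -> bytes:
    """32 random bytes; the researcher keeps this secret until the reveal."""
    return secrets.token_bytes(32)


def verify_reveal(commitment: str, report: dict, salt: bytes) -> bool:
    """Committee-side check: recompute from the revealed report and salt and
    compare in constant time against the hash that was posted on-chain."""
    return secrets.compare_digest(commit(report, salt), commitment)


def guess_unsalted(commitment: str, candidates: List[dict]) -> Optional[dict]:
    """Dictionary attack against an unsalted commitment (salt = b""): anyone who
    can enumerate plausible reports can recover which one was committed to."""
    for cand in candidates:
        if commit(cand, b"") == commitment:
            return cand
    return None


def demo() -> dict:
    """Run the honest reveal, two bad reveals, and the brute-force comparison."""
    salt = new_salt()
    commitment = commit(SAMPLE_REPORT, salt)          # what the researcher posts on-chain
    tampered = dict(SAMPLE_REPORT, severity="critical")  # report altered after the commit
    # Reports an observer might enumerate from a known template (constructed).
    candidates = [dict(SAMPLE_REPORT, severity=s) for s in ("low", "medium", "high", "critical")]
    unsalted = commit(SAMPLE_REPORT, b"")
    return {
        "honest_reveal_ok": verify_reveal(commitment, SAMPLE_REPORT, salt),
        "tampered_reveal_ok": verify_reveal(commitment, tampered, salt),
        "wrong_salt_ok": verify_reveal(commitment, SAMPLE_REPORT, new_salt()),
        "unsalted_guessed": guess_unsalted(unsalted, candidates) == SAMPLE_REPORT,
        "salted_guessed": guess_unsalted(commitment, candidates) is not None,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The salt is the part practitioners most often skip: without it, an observer who can guess the report template (a handful of severity levels against a handful of contracts) can brute-force the committed report from the on-chain hash before the reveal, as guess_unsalted shows; with a random 32-byte salt the same search fails, while the honest reveal still verifies and any post-commit edit to the report is rejected.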
At launch, Inverse’s vault will benefit from a committee composed of core contributors of the DAO: Edo, head of Risk; 0xMT, lead developer; Nour, the project’s founder; Cryptoharry, head of Treasury; and Karm, RWG contributor. At a later time, Inverse intends to add further committee members, ideally close friends of the DAO with a strong Solidity background and a passion for DeFi.