Fav_Truffe (BD of Hats Finance, Twitter)
This is a proposal for Pool Together to conduct an audit competition for its V5 smart contracts.
Background and Motivation
Hats audit competitions are revolutionizing the world of Web3 security, offering a dynamic, cost-effective, and time-efficient solution for smart contract auditing. By transforming the traditional auditing approach, they ensure enhanced security through a community-driven process. With audit competitions, you retain full control over your budget, attract top auditing talent, and gain valuable insights from the Web3 community, all while preparing your project for a robust and secure launch.
Hats audit competitions work on a simple yet powerful model — rewarding results, not efforts. You, as a project owner, allocate budgets according to the severity level of potential vulnerabilities. The budget is retained if no flaws are found. It’s a model that ensures you pay only for value added to your project, giving you confidence in your investment.
These competitions typically draw over 300 skilled auditors who partake in a race against time, diligently hunting for bugs to ensure your project’s safety. The model operates on a first-come, first-served basis, thus encouraging quick and quality submissions. Each successful auditor is rewarded for their findings, fostering a competitive environment that brings out the best in auditors.
In addition, the evaluation process is designed for efficiency. With rewards given to the first submitter, duplicate submissions are avoided. This not only streamlines the process but also saves valuable time.
Hats audit competition mechanism is unique and no one in the security ecosystem offers a better approach, by time and budget, than Hats audit competition product.
Hats Finance started to offer the audit competition product to its partners in February and many audit competitions have been instrumental in demonstrating the efficiency of our product since then. See the table below for reference:
|Project||Audited by||Total Bounty ($)||Paid ($)||Findings|
|VMEX Finance||yAcademy||67.5k||45k||2 high 9 low 2 gas saving|
|Raft Finance||Trail of Bits||80k||64k||3 high 4 medium 11 low 1 gas saving|
|Gravita Protocol||Solidity & Omniscia||105k||30k||3 medium 11 low|
|Lodestar Finance||Solidity||30k||14.1k||18 medium 2 gas saving|
|Fuji Finance||NA||30k||30k||3 high 6 medium 21 low 2 gas saving|
|Hats Finance||Zokyo & Hexen & G0 Group||40k||31k||1 high 6 low|
Briefly; we have created a no-brainer audit competition product for projects to do before launch because there is no upfront fee or additional cost and 100% payment by results. Imagine that ProjectX conducts an audit competition with a bounty of $50k on Hats Protocol and allocates $30k for high severity, $18k for medium severity, $1k for low severity and $1k for gas optimization, respectively. Let’s explore the options:
- No valid submission: ProjectX does not do any payments and walk away with $50k
- Only low severity findings: ProjectX only pays $1k, allocated for low severity, and withdraws the remaining $49k
- Only low and medium severity findings: ProjectX pays $19k and withdraws the remaining $31k.
Projects can also put a cap on each high severity finding. For example, if a project allocates $60k for high severity and caps each high severity finding with $15k, there have to be at least 4 high severity findings to bounty out all the amount allocated for high severity ($60k).
Additional Advantages of the Audit Competition on Hats Protocol
- 100% payment by results
- Hats Finance is B2B free (Hats Finance takes 10% from the payout and therefore there is no additional cost for Pool Together)
- Pool Together can easily set up an audit competition with a 7 days notice
- Pool Together will get the vulnerability submissions in real time and can start fixing the issues in the process
- Pool Together can attract the wider Web3 security community to get involved with Pool Together V5 with the audit competition
- Pool Together will align with the essence of Web3 by deploying an on-chain audit competition
- For: Conduct a 10-14 days long audit competition on Hats protocol
- Against: Do nothing