Community-Owned Bug Bounties

Hacks have become the norm in crypto, from Twitter jokes about getting rugged to sad posts about people losing their most prized possessions. Last year, crypto users lost more than $10 billion to hacks and exploits, hurting protocol credibility and leaving users with a sour taste.

Web 3 has challenged the way we think about identity, ownership, and value. But it has also changed hacker trends. In the web 2 boom, black hat hackers went after confidential information that they could later ransom or sell on the black market. Today, smart contracts hold the funds directly, so hackers can reach the bank of the internet with a single exploit.

The question that many ask is, how can we shift hacker mentality into doing the right thing?

We believe that in order to find a true solution in web 3, we must shift our thinking to web 3 ideals. That means encouraging others to adopt decentralized thinking and building collective solutions with decentralized tools. One effective example is community-owned bug bounties that democratize security, decentralize processes, and facilitate community access.

Community-Owned Bug Bounties As a Solution

Today, there are many security solutions for web 3, but few tackle the problem in a decentralized manner. That means many protocols depend on a middleman to facilitate audits or security conversations with white hat hackers, often withholding information from the community until it is too late. We believe the core team should be the first to learn of a vulnerability disclosure, and DAOs should have a say in how white hat hackers get rewarded. But to do this transparently, we must take a decentralized approach, in which the community can also participate in protecting the protocol.

Hats Finance adds a collaborative approach to bug bounties by allowing protocol participants to become protectors of the chain. Community-owned bug bounties allow anyone to add liquidity to a bug bounty, which contributes to the security and longevity of the crypto ecosystem. This makes bug bounties scalable: rewards grow with the project's success, token appreciation, and users' trust. Community-owned bug bounties are transparent because they are permissionless and resolved on-chain.

Symbiotic Participation Between Users

Smart Bug Bounties have a symbiotic nature, in which all users within the protocol can benefit from responsible vulnerability disclosure, transparency, and token protection. To illustrate this, meet two possible protocol participants, John and Alice.

John: He and his two friends from college came up with an idea that can help small investors earn yield like big investors. They decide to form a DAO and start pitching their idea while developing a smart contract. After a successful IDO, they commission an audit and deploy on Ethereum and Arbitrum. The community supports them, and they start to attract more attention.

Alice: An early supporter of the project. She joined the Discord, and since then she has been an active participant in calls and forums, giving ideas on how to improve the protocol. As an act of trust, she adds liquidity to the project and decides to HODL the tokens, as she believes in the project's mission.

Both John and Alice want to grow the DAO treasury and token value and secure the project's assets. However, security is not a very sexy topic to discuss, and it makes them a bit worried.

Smart Bug Bounties are a great solution to their worries. Through Hats Finance, bug bounties become community-owned, allowing community members to easily learn about and get involved in the protection of different protocols even if they are not developers. Community involvement also means that users can create discussions around security and add liquidity to vaults, which can reward them with $HAT tokens. $HAT tokens give users governance power to create proposals and vote on protocol suggestions within the Hats ecosystem. Learn more about Hats tokenomics here.

What creating a smart bug bounty looks like:

  • The DAO decides to allocate $500K worth of tokens into the bug bounty program.
  • Let’s assume that the community adds $1M worth of tokens.
  • Now the bug bounty TVL stands at $1.5M.
  • The bug bounty project committee decides to pay 80% of the bug bounty TVL for a critical vulnerability and caps the overall maximum payout at $950K (a committee decision). On the DAO's $500K bootstrap liquidity alone, 80% is $400K, so a critical reward falls in the range $400K-$950K: at the current $1.5M TVL, 80% would be $1.2M, which the cap reduces to $950K. Learn more about payout mechanisms here.
  • In case of a successful vulnerability disclosure, every depositor pays a share of the reward pro rata to their stake, which is far less than the damage an exploit would have caused. For example, if a critical vulnerability puts $10M of tokens at risk, paying the white hat hacker up to $950K is fair, since it saves funds that would otherwise have been lost.
  • Depositors keep their rewarded $HAT tokens.
  • Once 80% of the TVL exceeds the $950K cap, the payout no longer grows with the vault, so each depositor pays a smaller % of their deposit as the TVL increases. Below that point, every depositor pays the full 80% of their deposit, whatever the TVL.
  • Protocol contributors go from risking 100% of their funds to giving up a small % that can be very effective in protecting the protocol.
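The payout arithmetic above, written out as an added Python model so the cap and the pro-rata charge can be checked for any vault size. This is illustrative code written for this page, not Hats Finance's contract logic: it assumes the committee sets one percentage of TVL and one absolute cap for a critical finding, that the reward is the smaller of the two, and that every depositor funds it in proportion to their share of TVL. Protocol fees, vesting and token price movement are ignored, and the deposit figures are constructed from the article's $500K bootstrap plus $1M community liquidity.

```python
"""Simplified model of a community-owned bug bounty vault payout.

Illustrative model only (not the Hats Finance contract): the committee sets
a percentage of vault TVL and an absolute cap for a critical finding; the
reward is min(pct * TVL, cap); every depositor funds it pro rata to their
share of TVL. Fees, vesting and token price changes are ignored.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class BountyPolicy:
    critical_pct: float  # share of TVL paid for a critical finding, e.g. 0.80
    max_payout: float    # committee-set absolute cap, in USD


def compute_payout(tvl: float, policy: BountyPolicy) -> float:
    """Reward for a critical finding: pct of TVL, limited by the committee cap."""
    if tvl <= 0:
        return 0.0
    return min(policy.critical_pct * tvl, policy.max_payout)


def cap_binding_tvl(policy: BountyPolicy) -> float:
    """TVL above which the cap, not the percentage, decides the payout."""
    return policy.max_payout / policy.critical_pct


def depositor_cost_fraction(tvl: float, policy: BountyPolicy) -> float:
    """Fraction of every deposit consumed by one critical payout."""
    return compute_payout(tvl, policy) / tvl if tvl > 0 else 0.0


def pro_rata_charges(deposits: dict[str, float], policy: BountyPolicy) -> dict[str, float]:
    """USD each depositor gives up, proportional to their share of TVL."""
    tvl = sum(deposits.values())
    if tvl <= 0:
        return {}
    payout = compute_payout(tvl, policy)
    return {who: payout * amount / tvl for who, amount in deposits.items()}


def cost_curve(tvls: list[float], policy: BountyPolicy) -> list[tuple[float, float]]:
    """(TVL, fraction of each deposit paid out) pairs: shows where the cap starts to help."""
    return [(tvl, depositor_cost_fraction(tvl, policy)) for tvl in tvls]


def worked_example() -> dict:
    """The article's numbers: $500K DAO bootstrap, $1M from the community, 80% / $950K cap."""
    policy = BountyPolicy(critical_pct=0.80, max_payout=950_000)
    # Constructed vault composition (assumption): Alice holds $250K of the $1M community liquidity.
    deposits = {"dao_treasury": 500_000, "alice": 250_000, "other_lps": 750_000}
    tvl = sum(deposits.values())
    return {
        "tvl": tvl,
        "payout": compute_payout(tvl, policy),
        "payout_bootstrap_only": compute_payout(500_000, policy),
        "cap_binds_above_tvl": cap_binding_tvl(policy),
        "cost_fraction": depositor_cost_fraction(tvl, policy),
        "charges": pro_rata_charges(deposits, policy),
        "curve": cost_curve([500_000, 1_000_000, 1_500_000, 3_000_000], policy),
    }


if __name__ == "__main__":
    result = worked_example()
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the article's numbers, worked_example() reports a $950K payout at $1.5M TVL (80% would be $1.2M, so the cap binds), a $400K payout on the $500K bootstrap alone, and a cost of about 63% of each stake; the curve shows the per-depositor cost stuck at 80% until TVL passes $1,187,500 and only then falling as the vault grows.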

The purpose behind community-owned bug bounties is to reduce risk and share responsibility within crypto communities. However, smart bug bounties go beyond protocol protection, as they can be a building block for the crypto ecosystem we’ve been waiting for. One in which all innovations such as DeFi partnerships, upgrades, scaling solutions and NFT rewards can exist in one web 3 security layer.

Smart bug bounty programs are a win-win for everyone. A program can be created with a few on-chain transactions and costs nothing until a vulnerability is disclosed; an exploit, by contrast, is costly and irreversible. Most importantly, it is transparent, decentralized, and gives power to the community that makes the project.

The Security Standard of Web 3 will be Smart Bug Bounties.

Decentralized bug bounties had not been built until now, and Hats Finance has been able to show what security in web 3 should look like. The amazing thing about it is that anyone can join the effort of securing web 3 and earn $HAT tokens for their contribution. Through Hats Finance, communities are incentivized to do the right thing, to think long term, and to gain an understanding of smart contract security even if they are not developers or hackers. Users can create security campaigns around updates and new contracts deployed in the project. Most importantly, users have the opportunity to pioneer a movement that will soon become the security standard of web 3, especially as we grow into a DAO economy, where project mechanisms are dictated by the community.

We are confident that community-owned bug bounties are the answer to many of the security problems inherited from the centralized realm. We believe in a world where white hat hackers work together with communities, with the goal of accelerating crypto adoption. It's time to move forward with web 3 smart bug bounties. Join us in our effort today by visiting and contributing to the Hats dApp.

Hats.Finance is a decentralized smart bug bounty marketplace: a permissionless, scalable, and open bug bounty protocol that allows anyone to provide liquidity.