Complete Audit Cycle: Bridging Security Research and Secure Development

HatsFinance
5 min read · Dec 16, 2024


Complete Audit Cycle is a new feature that’s coming soon to audit competitions at Hats Finance. Following feedback from sponsors and researchers, along with changes in the security industry, we’ve created a new way for security researchers to contribute beyond finding vulnerabilities, advancing our mission of becoming a decentralized development platform.

With the Complete Audit Cycle, security researchers can earn additional rewards by delivering more comprehensive and ready-to-use solutions to sponsors through fixes and tests.

Enhancing Audit Value

Audit competitions will no longer be just about identifying vulnerabilities; they’re about making security research a holistic process with greater impact. Complete Audit Cycle leverages researchers’ expertise in the projects they secure by:

  • Enabling add-ons like fixes and tests for vulnerability submissions
  • Allowing peer review of fixes by qualified researchers
  • Delivering project-standard code that’s production-ready
  • Creating consistent income paths for long-term contributors
  • Creating a stress-free path for Hats’ consistent contributors to provide value and be rewarded

This feature enriches the overall audit process, making it more valuable to sponsors while rewarding researchers who invest time and skill into making solutions thorough and actionable.

What’s changing?

Currently, when issues are submitted, they can be incomplete from a solution perspective because they lack a fix and a test. While fixes aren’t mandatory (after all, finding the issue is the primary task), some researchers have the skills to propose solutions but may not have the time to include them in their initial submission.

With the Complete Audit Cycle, top contributors in the Hats Finance community will have more opportunities to earn points and rewards for enhancing their submissions or assisting others’ submissions with fixes and tests, and protocols will obtain ready-to-use fixes for the identified vulnerabilities.

How the Complete Audit Cycle Works

To be eligible to submit fixes and tests, a researcher must be in the top 20% of the leaderboard with $5,000+ in earned rewards on Hats. Qualified researchers can:

1. Claim Fixes and Tests: Following any vulnerability submission, top contributors can claim the opportunity to provide the fix and/or test for the vulnerability or finding.

2. Submit Complete Solutions: Researchers who claim a fix/test have 12 hours to submit the complete fix and/or test. Submissions must follow the project’s code style so they are consistent and good enough to be merged into the sponsor’s codebase.

3. Earn Rewards: For each complete fix and test, points and rewards are provided, allowing researchers to elevate their earnings while completing solutions that enhance overall security.

Become one of the top 20% of leaderboard contributors with $5,000+ in earned rewards by participating in more audit competitions to build your competition streak and rewards.

Important clarifications

The Point System

To incentivize comprehensive reports, the complete audit cycle will offer a tiered point structure:

  • Extra Points for Fix: An additional 10% of the initial report points for an accepted fix (tagged as complete by the sponsor)
  • Extra Points for Test (only if the issue requires a test): An additional 5% of the initial report points for an accepted test (tagged as complete by the sponsor)

Let’s explore an example of how the point system works:

In this example, researchers receive 1 point per Low finding. That means an accepted fix for a Low finding earns 0.1 extra points (10% of the Low issue’s points).

Important: Percentages for fixes and tests remain consistent across all competitions, but the number of points and maximum rewards vary depending on the specific vault and competition details.

In cases where a Test isn’t applicable, submitters can check the “Test not applicable” option. Points for completed Tests and fixes are pooled into the total reward for the competition, allowing participants to benefit without additional funding from project sponsors.

Disclaimer: Sponsors don’t need to add any extra budget when opting for a Complete Audit Cycle; the budget allocated to a competition is simply split differently.

Building Secure Development

With the Complete Audit Cycle, we’re building a more comprehensive, collaborative security ecosystem that bridges vulnerability discovery with secure development. Through fix and test submissions, Hats Finance:

  • Allows researchers to deliver complete fixes and tests, boosting their contributions and credibility
  • Supports sponsors with a more complete and seamless audit experience, accelerating vulnerability resolution and code deployment times
  • Connects security discovery to secure implementation, creating an environment where security and development naturally converge

This system allows researchers to earn both better reputations and bigger rewards while enhancing security across the Hats community and beyond. We’re building a win-win ecosystem that brings researchers and projects together on the same mission: ensuring the highest standards of decentralized security.

Keep an eye out for the official first audit competition implementing this feature — it’s coming soon! Stay tuned as we roll out this exciting update to boost rewards and add value to every submission.

Interested in learning more about Hats Finance and our journey towards DeSec and decentralized development? Discover more here:

Written by HatsFinance

Hats.Finance is a decentralized smart bug bounty marketplace: a permissionless, scalable, and open bug bounty protocol that allows anyone to provide liquidity.
