Guest Spotlight Article: Hats Finance — For Dummies
The following article has been kindly guest contributed by Plamen Tsanev, a security researcher within the Hats Finance ecosystem, as part of the Security Researcher Content Contributor Programme.
Hats Finance — For Dummies
First of all, what in the world is Hats Finance? Isn't it just the same old boring contest platform? Well, yes and no. You've probably run into some of these on your web3 journey: a bug bounty that never gets paid, a protocol that disappears, a High-severity submission in a contest that pays you $1, and so on. Hats steps in to fix all of these problems.
The difference
Unlike other solutions, Hats fully uses the power of DeFi to give all of its users, through its dApp, the transparency that the space yearns for and promotes:
- For bug bounties: protocols hold their payout funds in an on-chain vault that is completely public and verifiable. This gives proof of funds and incentivizes white hats to find bugs without the anxiety of being scammed out of their hard-earned rewards.
- For audit competitions: high-incentive contests with a precalculated reward pool that share the same first-come-first-served mechanic as bug bounties, which no other auditing platform offers. Everything from High/Medium to QA, gas optimization and even formal verification is covered, so these contests really feel like a race to submit each bug first and claim the maximum reward. As with bounties, the funds are locked in a vault and can be denominated in any reward asset the protocol chooses, giving transparency on both the proof of reward and the finding calculations, which use a point system.
For a deeper dive into the ins and outs, the hows and the whys, see their structured documentation at https://docs.hats.finance
For now, we'll continue from a slightly different angle:
Using the Hats dApp
This is a question I've been asked a lot. First, the most important prerequisite: a crypto wallet! You need a payout address, and since you will be interacting with a dApp you obviously need a wallet. Metamask is my go-to choice since it has the widest support across auditing platforms.
Then, obviously, we cannot interact with the dApp without creating a public profile, so connect your wallet (top right corner).
Your UI will shift and you will be able to access your profile by clicking on the first new button.
(omg it's me)
Then comes the first part — customizing it! Hats runs you through every step and even removes the hassle of uploading a profile picture if your GitHub profile already has one.
And now the bread and butter — how do you participate in a public contest?
First, navigate to the "Audit competitions" tab in the left-side navigation and choose an ongoing contest.
By expanding the details, you get all the information you need to begin auditing and finding bugs: a reward calculations tab, a scope tab, a deposits tab and, most interesting of all, a submissions tab.
We will focus on the 2nd and 4th ones (scope and submissions), since they are the ones you need.
- The scope section is straightforward: it lists all in-scope files and links to the contest repo, which contains the README.md with the severity criteria and the test commands you need to set up your environment for writing those nasty PoCs.
- The submissions section shows all submissions, so you can read other people's findings in real time. Remember, only the first valid submission gets the reward, so you cannot copy-paste someone else's submission and get paid. This seemingly minor feature is actually incredible for boosting your understanding of the protocol: by reading through other people's findings, you get a better and faster grasp of the system you are auditing. Did I also mention that sponsors can begin validating findings right away, instead of waiting for the contest to finish?
With these contest details in hand, you begin auditing and find a bug, so what now? You report it! The “Submit vulnerability” button is loud and clear.
The dApp walks you through the entire process of agreeing to the sponsor’s terms, providing your details for communication and writing the report itself.
But wait, why do you have to pay to submit?
As I said, Hats fully uses DeFi. Every bug submission is an on-chain transaction, so you pay the gas for submitting. This also acts as an anti-spam mechanism: Hats does not penalize invalid submissions, but having to pay to submit makes you think twice before spamming 100 invalid ones.
But aren't transactions on Ethereum expensive? Not to worry!
The team is gradually shifting competitions to the Arbitrum chain, where gas prices (at the time of writing) are at most $0.01–0.02 during network congestion and effectively $0.00 when the network is not loaded.
If you've followed along, you could have just earned your first reward on Hats, so congratulations. Inside the contest GitHub repo you can always add comments, PoCs or further details to your submission; there is no escalation period to wait for, which makes the process more interactive and less restrictive.
Conclusions
Due to its exotic nature and the fact that it is still relatively new, Hats has a long way to go and many routes it can take to improve and engage with its community. But its fundamentals are solid, and for me it definitely stands out as the most interactive of all the platforms. This is where my journey in web3 skyrocketed and will continue to do so, and I cannot wait to see in which direction the team chooses to expand the platform.
If you’ve found this guide useful, hopefully I will see you at the next contest.
Good luck, you’ll have to be fast to beat my submissions ;d.
Follow me on my security researcher journey:
Twitter: https://twitter.com/p_tsanev
Github: https://github.com/PlamenTSV