Hack First, Bounty Later
Two months ago we came across an interesting and somewhat provocative Tweet.
This tweet received tons of comments from the community, some in support, and others not so much, ultimately inspiring the Hack First, Bounty Later Smart Contract. While the contract was created by the Hats Finance dev team, we aim for this contract to serve the public good without any affiliation to Hats’ bug bounties. This is to allow anyone to use it or contribute to the codebase even if they are not part of the Hats ecosystem.
Some of the struggles we often hear from the hacker community are unfair rewards, the downplay of vulnerabilities, and lack of communication with core teams. For example, if a white hat hacker finds a vulnerability in a protocol, he relies on the project for a bug bounty. However, not all projects pay out bounties. Even if there is a bounty program in place, it requires the hacker to disclose the vulnerability before the severity (and hence the amount) of the bounty is determined. Hacked projects have strong incentives to downplay the severity of the vulnerability — both to save face and to pay out as little as possible. Once the vulnerability is submitted, the hacker has no negotiation power.
This contract aims to begin the normalization of public discourse and community collaboration, while providing hackers with a negotiating ground to communicate with projects. This contract and its future iterations aim to encourage collaboration and normalize non-persecution of hackers that use this approach.
This repository contains a simple contract that implements such an ad hoc bounty program. It implements the “Hack First, Bounty Later” idea in a naive but straightforward way. With the contracts in this repository we provide a way for the community to “completely normalize and accept” the Hack First model by offering a concrete contract that can help white hat hackers get a fair bounty for their work.
While this idea can be controversial for some, hackers’ motivations are diverse and we believe that “HackFirstBountyLater” might suit a subset of them. We believe that although some black hats will continue to cause harm, some can be motivated to do the right thing with the right incentives in place. Although we understand that for some projects 10% can mean an enormous amount of funds, it can reduce community fear of losing 100% of funds. This contract is one tactic geared towards our larger goal of developing tools that serve the community and make the ecosystem safer and trustworthy.
Learn more about the contract functionality and how to use it by visiting the Hats Github.
Open questions
- How does the smart contract take into account protocol loss, which is beyond the amount that was extracted?
- Why can’t the hacker just deposit the reward amount that he thinks he is eligible for?
- Should the bounty percentage be correlated to the amount that was extracted?
We encourage you to create a pull request on Github if you have an idea on how to improve this contract. We also invite legal professionals who are interested in normalizing this kind of initiative to reach out and provide their insight.
