Innovative auditing in Web3: the rise of risk sharing

Sayfer, Ginger Security, Team Omega, and DcentraLab to redefine risk sharing in the crypto auditing space

HatsFinance
Mar 20, 2023


TLDR:

  • An incentive-based protocol for on-chain bug bounties allows projects, community members, and stakeholders such as audit firms to contribute liquidity and encourage responsible disclosure.
  • After completing an audit, audit firms often move on to the next project and, most of the time, don’t stay engaged with the previous client.
  • Now, audit firms can participate by agreeing to take a percentage of the service fee paid by the project and deposit it into the project’s on-chain bug bounty for a set period of time.
  • If a security researcher finds a vulnerability during this period, the audit firm shares the risk by contributing a corresponding percentage of the reward for the disclosed vulnerability that was missed during the audit.
  • The Hats protocol enables seamless and secure participation in bug bounties through its non-custodial and permissionless deposit and withdrawal system, allowing anyone to participate without the need to trust any custodian or the need for approvals from any party.
  • Choose the audit firm that has already committed to sharing the risk with you!

In the world of Web3, it is increasingly important for projects to ensure the security and integrity of their systems. One way to do this is through code audits, which provide independent and objective reviews of a project’s codebase and smart contracts. However, an audit is a snapshot of the current situation, not an ongoing review. After completing an audit, audit firms often move on to the next project and, most of the time, don’t stay engaged with the previous client.

Hats Finance recognizes the value of skin in the game for both projects and audit firms. That’s why we offer a protocol for on-chain bug bounties, where projects, community members, and stakeholders can add liquidity to incentivize responsible disclosure and reward hackers. By participating in this protocol, audit firms can share some of the risks that a project is exposed to long-term, ultimately increasing the trust and accountability between projects and auditing firms, and by that, increasing users' trust in smart contract security.

Audit firms put their reputation on the line every time they release an audit report, often risking trust and revenue when a project they reviewed is exploited. Using the Hats.Finance protocol, audit firms can strengthen the relationship with their customers by agreeing to deposit a percentage of the service fee (paid by the project) into the project’s bug bounty for a set period of time. If a security researcher discovers a vulnerability during this period, the audit firm will share the cost by contributing a corresponding percentage to the reward paid out for responsible disclosure. This incentivizes the audit firm to stay engaged with the project, ultimately increasing trust in the audit firm.
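As an added illustration (not Hats Finance's contract code), a small Python model of the arrangement just described: the audit firm's fee share is deposited into the bounty vault next to project and community liquidity, locked for the committed period, and drawn down together with the other deposits whenever a reward is paid. The pro-rata payout rule, the day-based time units and all amounts are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Deposit:
    amount: float
    unlock_day: int  # first day on which this depositor may withdraw
@dataclass
class BountyVault:
    """Constructed model of a non-custodial bounty vault: project, community and
    audit-firm liquidity sit side by side, and a paid reward is drawn pro rata
    from every depositor (an assumed rule, not Hats Finance's contract logic)."""
    deposits: dict = field(default_factory=dict)

    def deposit(self, who: str, amount: float, now: int, lock_days: int = 0) -> None:
        self.deposits[who] = Deposit(amount, now + lock_days)

    def pay_reward(self, reward: float) -> dict:
        """Pay a disclosure reward; each depositor funds its share of the pool."""
        pool = sum(d.amount for d in self.deposits.values())
        if reward > pool:
            raise ValueError("reward exceeds vault liquidity")
        paid = {}
        for who, d in self.deposits.items():
            share = reward * d.amount / pool
            d.amount -= share
            paid[who] = share
        return paid

    def withdraw(self, who: str, now: int) -> float:
        """Permissionless withdrawal, but only after the committed period ends."""
        d = self.deposits[who]
        if now < d.unlock_day:
            raise PermissionError(f"{who} is locked until day {d.unlock_day}")
        amount, d.amount = d.amount, 0.0
        return amount

def run_scenario() -> dict:
    """Constructed numbers: 50k fee, 40% committed for 180 days; 14k reward on day 30."""
    vault = BountyVault()
    vault.deposit("project", 100_000, now=0)
    vault.deposit("community", 20_000, now=0)
    vault.deposit("auditor", 50_000 * 40 / 100, now=0, lock_days=180)
    paid = vault.pay_reward(14_000)  # auditor holds 20k of 140k -> covers 2k
    try:
        vault.withdraw("auditor", now=30)  # still committed: no early exit
        early = True
    except PermissionError:
        early = False
    left = vault.withdraw("auditor", now=180)  # period over: remaining 18k back
    return {"paid": paid, "early_exit": early, "auditor_left": left}
```

The firm's exposure is capped at what it deposited, and it cannot exit that exposure before the committed period ends.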

Partner with us to share the risk and rewards of Web3 security:

  • Join Hats Finance to access our incentive-based protocol for non-custodial and permissionless on-chain bug bounties.
  • As an audit firm, take on a share of the risk of your client's security by agreeing to contribute a percentage of your service fee to the project’s bug bounty for a set period of time.
  • This incentivizes ongoing engagement with the project and helps ensure its security.
  • Be a part of the future of Web3 by participating in this opportunity.

Creating a more secure and trustworthy ecosystem through shared risk and incentives

At Hats Finance, we believe skin in the game is important in creating a more secure environment for Web3 projects. That’s why we have been discussing this concept with audit firms and offering them the opportunity to participate in our on-chain bug bounty platform. We are excited to find that many of these firms share our values and are willing to take on a share of the smart contract risk of the projects they audit.

We have also received positive feedback from projects that have already undergone audits or are waiting for audits, who agree on the importance of keeping audit firms engaged in the ecosystem and transparently sharing the risk.

As the first and only on-chain bug bounty platform, we believe we have found the mechanism to fill this gap and create the right incentives for all parties involved.

This is the future of audits — projects can choose audit firms who are willing to take on a share of the risk and work together to ensure the security and success of the project. Engaged community members, who are willing to share not only the successes but also the risks of the project by adding liquidity to the bug bounty, will have greater trust in the audit report and the project as a whole.

Web3 Auditing: smaller firms leading the way in innovative risk sharing

In the crowded world of crypto auditing, smaller firms are making a name for themselves by offering a more holistic approach to their customers. By embracing non-custodial, permissionless risk sharing through protocols that act as security infrastructure, these firms are able to differentiate themselves and attract a new base of customers who value the principles of ‘skin in the game’ and aligned incentives in security practices. We are excited to showcase the pioneering audit firms leading the change in this innovative approach to risk management.

Sayfer:

Nir D., CEO of Sayfer:

“Sayfer believes that traditional security measures are no longer sufficient to secure blockchain projects. That is why, in addition to our collaboration with Hats.Finance, a decentralized bug bounty protocol, we have implemented additional layers of security to ensure our clients’ complete security. By staking 40% of the audit price as collateral for a decentralized bug bounty using Hats.Finance protocol, we’re not only providing an additional layer of protection but also increasing trust in the security of our client’s projects.”

Ginger Labs:

Gershon, CEO of Ginger Security:

“The Ginger Security motto — don’t trust, incentivize. How much you pay for an audit with us depends on how many vulnerabilities/issues we find in your code. If another auditor finds an issue we missed, our revenue is slashed and goes to them instead. This mechanism is built using Hats Finance vaults. Contact us to hear more about our philosophy of protecting your dApp.”

Team Omega:

Jelle, a member of Team Omega:

“We at Team Omega have been doing Solidity Audits for several years now. We offer customized solutions when our clients need them. We believe that for many projects, staking a part of our fees in a vault on Hats Finance can be a good way of aligning our incentives with those of our clients, in addition to providing an additional layer of security to the deployed contracts themselves.”

DcentraLab:

Erez Ben-Kiki, CEO of DcentraLab:

“At DcentraLab, we have developed multiple successful DeFi and blockchain products since our foundation in 2017. We’ve transformed our vast experience in developing smart contracts into auditing them as DcentraLab Diligence. We believe the best way to secure a Web3 project’s code is to audit it extensively and deploy an attractive bug bounty with a protocol like Hats.finance that will allow us, DcentraLab, to be a part of the project security ecosystem indefinitely. It’s time for auditing firms to put their money where their mouth is!”

We welcome audit firms that share our values and believe in the importance of skin in the game for the future safety of projects. If you’re an audit firm interested in participating in our protocol, please reach out to us to be added to the ongoing list of audit firms: https://hats.finance/audit-firms


Hats.Finance is a decentralized smart bug bounty marketplace: a permissionless, scalable, and open bug bounty protocol that allows anyone to provide liquidity.