The Advent of DeSec in Web3

HatsFinance
5 min read · Jul 22, 2024


As the blockchain ecosystem evolves, traditional security models are increasingly under scrutiny for their shortfalls. Centralized control, long queues that force protocols to wait weeks just to receive quotes from multiple firms, and opaque audit processes are only a few of their limitations. Even though traditional firms have years of established credibility, recent large exploits in audited code have tarnished their reputation and led the public to question reports that often offer little insight into how the review was actually performed. On top of that, projects are constrained by auditor availability and scheduling, and are charged fixed fees regardless of the outcome.

The sum of these factors has led many protocols to shift their attention toward the DeSec space. Where traditional models rely on a small, hand-picked team of auditors, which limits the range of perspectives, DeSec draws on a wide network of independent researchers who compete to identify vulnerabilities. Because these reviews run openly and in parallel, projects gain more thorough coverage and a greater diversity of insight in less time.

At Hats Finance, we are dedicated to making DeSec the new standard for Web3 Security, by promoting performance over reputation.

Potential market for Web3 security

As of July 2024, the TVL in the DeFi space has surpassed $100 billion. According to a report by the security dApp De.Fi, scams, rug pulls, and hacks cost users nearly $2 billion in 2023 alone. If DeFi grows fivefold over the next five years (Roland Berger forecasts total tokenized assets to reach $10 trillion by 2030), demand for security services in this rapidly expanding market is set to soar.

The security landscape is highly competitive, with several main categories of providers, each of which leaves some general pain points unaddressed.

Traditional audit companies

Traditional Web3 auditing firms built their reputations by auditing high-profile industry giants, creating a positive feedback loop that further enhanced their standing. Names like Trail of Bits, PeckShield, and CertiK are among the most recognizable in the Web3 space. However, significant hacks and exploits in audited code have tarnished those reputations over the years. Their fees nonetheless range from tens to hundreds of thousands of dollars, and securing their services can take considerable time due to scheduling constraints. The process itself remains opaque: the client typically sees only a final report, with no transparency about which individuals performed the review, and the accuracy of that report can vary significantly with the auditors' experience and thoroughness.

Audit competition platforms

An audit competition platform offers a complementary approach by leveraging the skills of many participants rather than relying on a single auditor, prioritizing competition over reputation. With a reward pool that pays out per identified vulnerability according to its severity, projects benefit from a faster and more cost-efficient review. However, the success of these platforms depends heavily on the number and quality of participants, whether vetted or not, which directly shapes the audit results. Audit competitions have gained popularity in the DeSec space, with platforms like CodeHawks and Sherlock among the first to demonstrate the effectiveness of this model.

Bug bounty management platforms

For projects that are already live, an open channel for reporting vulnerabilities is crucial, especially when users' funds are at risk. This is where bug bounty management platforms like Immunefi or HackenProof come into play. These platforms connect projects with whitehats, often through a permissionless model similar to audit competitions, giving projects continuous coverage that leverages the collective expertise of many participants.

Key Players in the DeSec Space

Sherlock

Sherlock is an Ethereum-based audit marketplace and smart contract coverage protocol. It connects Web3 projects with security experts, called Watsons, and offers coverage against potential exploits. Projects pay a fixed fee for an audit contest, and rewards are distributed to Watsons based on their findings. While Sherlock does not offer bug bounties, it provides coverage for losses caused by vulnerabilities missed in its audits.

Cantina

Cantina is a Web3 security marketplace where organizations can book security services with their preferred team, price, and timeframe, all managed by the Cantina team for a 20% fee. Projects can select from vetted freelance security researchers with public track records or established firms (Guilds) like Spearbit, Decurity, Graypoint, and Perimeter. They can also hold audit competitions or run bug bounty programs, with researchers submitting findings and communicating with protocol teams.

Code4rena

On Code4rena (C4), auditors compete in audit competitions and bug bounties for prize pools. Projects can book solo audits, restrict participation to top performers, or opt for private audits. Security researchers submit reports that are first reviewed by Lookouts, who filter and prioritize findings; Judges then assess and finalize the results, and C4 staff distribute awards. For bug bounties, C4 offers continuous coverage and advisory. C4 also hosts Bot Races, in which automated tools compete to produce the best audit report using AI and automation.

Immunefi

Immunefi hosts and manages bug bounties, where whitehats can participate in programs matching their expertise, review code, and submit vulnerabilities. Its in-house team manages programs, triages reports, and escalates valid findings. Protocols can request tailored researcher selection based on product type, blockchain ecosystem, tech stack, and other criteria. Real-time critical reports enable immediate mitigation without waiting for a lengthy audit cycle.

We are Hats Finance

Since our founding in 2021, Hats Finance has offered a uniquely scalable security solution through our decentralized protocol. Supported by strong backers like Lemniscap, IOSG, and Collider Ventures, and driven by a seasoned team with expertise in Web3 security, we run a marketplace that supports non-custodial bug bounties and audit competitions. By incentivizing security through a permissionless model, eliminating pre-scheduling, and paying only for results, we address the financial and operational inefficiencies of traditional models.

At Hats, we firmly believe our positioning is unique, even in a DeSec arena already populated by notable players. We want to transparently present where the incumbents stand and illustrate how we stand out in the landscape of decentralized security.

Our unique proposition

Although we share a common mission, the incumbents described above employ a variety of models, each with its own merits.

However, at Hats Finance we believe there is still ample room for innovation and for addressing existing shortcomings. That is why we have adopted an approach that prioritizes flexibility and cost-efficiency. Our permissionless model broadens the pool and diversity of researchers reviewing a codebase, promotes transparency, and raises the likelihood that vulnerabilities are found through collaborative competitions.

Our pay-for-results model ensures that costs are incurred only when vulnerabilities are actually found, maximizing cost-efficiency for projects. Hats Finance represents a shift in how security services are delivered in Web3, offering a compelling alternative to traditional models in both effectiveness and reliability.

DeSec is the future, and we are proud to be leading the way.

Stay connected with our community for the latest updates and join our channels for any questions!

  • 🎮 Discord — Join and introduce yourself!
  • 🐦 Twitter — Follow for updates and news!
  • ✉️ Telegram — Follow for updates and discussion!
