Hats Bug Bounty Launches

Prof Wobble, Jelly
Aug 17, 2022

We’re excited to announce we’ve partnered with Hats Finance for our Bug Bounty. You can find the Jelly Vault on https://app.hats.finance/vaults and can Deposit $JELLY to earn $HATS rewards (when available) for contributing to our security too.

An important part of building a web3 protocol is having secure, trusted smart contracts… and trying to get at least 5 hours of sleep.

We solidity devs dread the thought of Samczsun waking us up in the night with a newly found vulnerability.

Samczsun entering your DMs at 3.45am.

Protocol security at Jelly

Whilst there is no such thing as being risk free, there are still a number of ways to manage and reduce your protocol security risk:

Contract Testing — Security risks can be mitigated with scripted and risk-based testing. At Jelly we have thousands of lines of tests, built up over time into a testing framework. Every test runs automatically on each commit to the main protocol repo.

Audits — In 2017, protocol audits became popular, and as demand grew, auditing became serious business. Having spent a few of my early solidity years auditing contracts, I saw the explosion of projects combined with a limited number of available solidity devs. Next came a flood of new auditors to meet market demand, and with it, a divide in quality: $100k+ and an 8-week waitlist for a top-tier audit firm, or $2k for a rubber stamp from a new audit firm with a one-day turnaround. As for us, we prefer a more robust formal verification process when the time is right.

Bug Bounties — The third tier involves a much wider audience and, with it, more coverage. The adversarial nature of bug bounties provides stronger security guarantees than any rubber stamp from a one-day audit. Few auditors can spot novel bugs without fully grokking the contracts, whereas a community of bounty hunters has two strong drivers: time, and competition over the bounty reward.

Every major hack was audited.

Brent audits a DeFi fork using only Etherscan.

Major hacks like the Nomad bridge being drained highlight the fact that most, if not all, major hacks hit contracts that had been audited at some point. Often what is left after a hack are the futile claims of victims, hackers claiming Code is Law, and a tweet storm from the audit firm. Contrast this with the prevention side, where whitehats save protocols: rockstar devs like Satya0x recently claimed a $10 million bug bounty for disclosing a vulnerability in the Wormhole bridge.

New developments such as flashloans and MEV bots invalidate the security assumptions of one-off historical audits, so a long-running open bounty has the right incentives for keeping your contracts safe over time, not just at deployment. We think that the Bug Bounties hosted on Hats.finance, secured by tokens deposited into a community vault, are an excellent way to get more coverage and enhance the security of Jelly Protocol.

About Hats

Hats Finance is a community-owned and decentralized bug bounty protocol. Because security exploits affect all parties involved, Hats Finance facilitates community involvement by allowing users to provide liquidity to their favourite bounties and earn $HATS tokens once they become available. Community-owned bug bounties are transparent due to their permissionless and on-chain resolution capabilities. This adds a scalable aspect to bug bounties, in which rewards grow with the project’s success, token appreciation, and users’ trust.

Securing the Airdrop Recipe

The Jelly Airdrop contracts are a permissionless template for anyone to create their own airdrops. This contract holds the tokens to be distributed via the Airdrop and will be our first contract to be added to Hats.

Deposit in the Vault to earn Rewards

We have established the Jelly Protocol Vault with an initial 2M JELLY for the bug bounty, and the community can stake more on top of that.

Users who hold JELLY can put some of their JELLY at risk and deposit on Hats and earn HATS rewards (when available). By adding JELLY tokens to the Vault, you are making the Jelly Airdrop contracts more secure by offering the bounty hunters a bigger reward, and in return, you earn HATS rewards. Should a vulnerability be found, the vault payouts are determined by severity.

There is more information in this Hats article: https://hatsfinance.medium.com/hsts-finance-how-to-deposit-withdraw-claim-hats-abb59e8c94d2

Partnering further with Hats

We love working with the Hats team, and this is just the beginning. Next up they may or may not be planning an Airdrop, and we may or may not be supporting it. So it’s best to keep posted for official updates on our Twitter and Discord.

Find out more

Follow Hats on Twitter https://twitter.com/HatsFinance

Visit Hats at https://hats.finance/

Join our Discord https://discord.com/invite/MGqDkxjpM3

Follow us on Twitter https://twitter.com/jellyprotocol

Visit us at https://www.jelly.io
