
AI and communities lead the future of Web3 audits: AMA with Hats Finance

Cointime Official

From cointelegraph by Victoria Li

In the race to build secure decentralized ecosystems, traditional security models adapted from Web2 are proving inadequate for Web3’s unique demands. During a recent Cointelegraph AMA, Oliver Hörr, founder of Hats Finance, shared his views on how current security approaches fall short and outlined how their platform aims to offer a more efficient, transparent alternative for safeguarding decentralized projects.

The familiar security frameworks from Web2 come with hidden inefficiencies, particularly when applied to decentralized ecosystems. “Auditing firms have a lot of overhead. The person auditing the code may only see a fraction of the payment due to marketing, distribution and management costs. Bug bounty programs also increase security risks because they rely on humans to review vulnerability information. There’s always a chance that someone could misuse that information for personal gain, especially for high-value vulnerabilities,” Hörr explained.

In response, Hats Finance, a decentralized protocol for hosting non-custodial bug bounties and audit contests, proposes a solution that eliminates intermediaries. “We connect security experts directly with those in need of audits,” Hörr detailed. “Our peer-to-peer system uses incentives and game theory. The more money in the system, the more attractive it becomes for experts to join.” With over 50 active programs, including projects such as Safe and Liquity, Hats Finance aims to make security more accessible and effective.

Enhancing Web3 security for developers and users

One of the standout features of Hats Finance’s approach is the dual advantage it offers both users and developers, according to Hörr: “End-users are less vulnerable to attacks, while developers gain peace of mind knowing their projects are secure, reducing the risk of hacks that could destroy their reputation. Our solution makes security more cost-effective and achievable, allowing new talent to contribute.”

Another key challenge of traditional bug bounty programs is the uncertainty surrounding payments. Hackers who discover vulnerabilities often face delayed or denied compensation, especially during bearish market conditions when projects are short on funds.

Cointelegraph Accelerator participant Hats Finance offers a more ethical approach, with the key difference being onchain escrow. “The bounty is held in a smart contract that anyone can verify. If a project disputes a payout, the hacker can trigger a decentralized dispute resolution process. If hackers know they’ll be fairly compensated, they’ll be more likely to report vulnerabilities responsibly, ultimately improving the overall security of the ecosystem.”

Community-driven bug bounties

The traditional approach to bug bounties places the burden of funding entirely on project teams, which can limit the scale and effectiveness of these programs. However, onchain solutions offer a more collaborative model by inviting community participation. Hörr highlighted the case of DXdao, where 75% of the bug bounty program was funded by the community, showing a collective commitment to the protocol’s security.

Bug bounties can be especially advantageous for new projects, offering more than just security. “You can even use liquidity mining with your own token,” Hörr added. This approach allows projects to both drive activity within their protocol and simultaneously build up a security budget.

“So not only can you incentivize activity on top of the protocol, but you can also bootstrap your security budget and reward those who help identify vulnerabilities. Being onchain allows for all of these very interesting aspects of DeFi composability.” Hats Finance’s onchain approach enables projects to automate security spending, directing a portion of the project’s revenue to audit or staking programs.

Combating spam in bug bounties

A recurring challenge with traditional bug bounty programs is the influx of low-quality reports submitted in the hopes of earning a payout. Hats Finance mitigates this issue by using a built-in deterrent: submission fees.

“Because we are onchain, we have always had an organic and natural kind of spam protection,” Hörr expressed. Every submission to the platform incurs a gas fee, making it economically infeasible to bombard projects with low-effort reports. The gas fees collected also contribute to the ecosystem: they are converted into Hats (HAT) tokens and placed in the platform’s treasury. Despite this barrier, legitimate researchers are not dissuaded from participating, as Hörr noted: “The minimum reward for a low vulnerability is typically around $800.”
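The two mechanisms described above, an onchain escrow with a dispute path and submissions that cost gas, can be sketched as a single contract. The following is an added illustration written for this article, not Hats Finance’s code; it assumes a single `arbiter` address as a stand-in for the decentralized dispute resolution process Hörr mentions, a seven-day challenge window, and that only a hash of the vulnerability report is posted onchain (all three are assumptions, not details from the AMA).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative non-custodial bounty escrow (assumption: simplified, not Hats Finance's contracts).
/// Funds sit in the contract where anyone can verify them; a claim opens a challenge
/// window; an unchallenged claim pays out automatically, a challenged one goes to the arbiter.
contract BountyEscrow {
    enum Status { None, Pending, Disputed, Paid, Rejected }

    struct Claim {
        address payable hunter;
        uint256 amount;
        uint64 readyAt;   // end of the project's challenge window
        Status status;
    }

    address public immutable project;  // party that funds and reviews claims
    address public immutable arbiter;  // stand-in for decentralized dispute resolution (assumption)
    uint64 public constant CHALLENGE_WINDOW = 7 days;  // assumed value

    uint256 public committed;          // funds reserved by claims not yet settled
    uint256 public nextId;
    mapping(uint256 => Claim) public claims;

    event Funded(address indexed from, uint256 amount);
    event Claimed(uint256 indexed id, address indexed hunter, uint256 amount, bytes32 reportHash);
    event Disputed(uint256 indexed id);
    event Resolved(uint256 indexed id, Status outcome);

    constructor(address _project, address _arbiter) {
        project = _project;
        arbiter = _arbiter;
    }

    /// Anyone can top up the pool: the community-funded bounty path the article describes.
    receive() external payable {
        emit Funded(msg.sender, msg.value);
    }

    /// Bounty that is verifiably available for new claims.
    function available() public view returns (uint256) {
        return address(this).balance - committed;
    }

    /// Submit a claim. Only a hash of the report goes onchain; the transaction itself
    /// costs gas, which is the natural spam deterrent quoted above.
    function submitClaim(uint256 amount, bytes32 reportHash) external returns (uint256 id) {
        require(amount > 0 && amount <= available(), "insufficient bounty funds");
        id = nextId++;
        claims[id] = Claim(
            payable(msg.sender),
            amount,
            uint64(block.timestamp) + CHALLENGE_WINDOW,
            Status.Pending
        );
        committed += amount;
        emit Claimed(id, msg.sender, amount, reportHash);
    }

    /// The project may contest a claim inside the window; silence counts as acceptance.
    function dispute(uint256 id) external {
        Claim storage c = claims[id];
        require(msg.sender == project, "only project");
        require(c.status == Status.Pending && block.timestamp < c.readyAt, "not contestable");
        c.status = Status.Disputed;
        emit Disputed(id);
    }

    /// Unchallenged claim: the hunter collects after the window; nobody can withhold it.
    function withdraw(uint256 id) external {
        Claim storage c = claims[id];
        require(c.status == Status.Pending && block.timestamp >= c.readyAt, "not payable yet");
        _pay(c, id);
    }

    /// Disputed claim: the arbiter decides. Rejected funds return to the open pool.
    function resolve(uint256 id, bool inFavourOfHunter) external {
        Claim storage c = claims[id];
        require(msg.sender == arbiter, "only arbiter");
        require(c.status == Status.Disputed, "not disputed");
        if (inFavourOfHunter) {
            _pay(c, id);
        } else {
            c.status = Status.Rejected;
            committed -= c.amount;
            emit Resolved(id, Status.Rejected);
        }
    }

    /// State is updated before the transfer (checks-effects-interactions) so a
    /// re-entering receiver cannot be paid twice.
    function _pay(Claim storage c, uint256 id) private {
        c.status = Status.Paid;
        committed -= c.amount;
        (bool ok, ) = c.hunter.call{value: c.amount}("");
        require(ok, "transfer failed");
        emit Resolved(id, Status.Paid);
    }
}
```

The point of the design is the one Hörr makes: once a claim is pending, the project’s only move is to dispute it within the window, and the dispute hands control to a third party rather than back to the project, so payment cannot simply be delayed or denied. The `available()` view is what lets a researcher check, before investing time, that the advertised bounty is actually funded.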

Streamlining decentralized audits across EVM chains

Currently operating on seven Ethereum Virtual Machine (EVM)-compatible chains, including Ethereum and Arbitrum, Hats Finance streamlines the audit process with a unified interface, allowing researchers to browse bounties and submit reports anonymously. For those seeking recognition, optional profiles enable participants to showcase their achievements and climb the leaderboard.

“We have built large communities, particularly in India and South America. Solo researchers who consistently rank high can go freelance. We’ve seen entire companies formed from top performers,” says Hörr. Even established security firms are finding value in competing on Hats Finance. “We have companies competing, especially in advanced areas like Rust or formal verification.”

The platform’s openness to new technologies, including AI-powered audits, allows Hats Finance to remain at the cutting edge of security solutions. “We want to block low-effort reports, but we don’t restrict participation based on whether the submitter is an individual, a company or even an AI,” Hörr clarified.

Looking ahead, Hats Finance envisions a future where lead auditors emerge from the community. “Top performers on the leaderboard can offer pre-audit services for a fee, allowing projects to ensure audit readiness before committing to a full audit,” Hörr added.

The Hats Finance founder also talked about the challenges of implementing account abstraction: “The interesting question we have now is what kind of vulnerabilities smart contract wallets bring with them. After all, the wallet is moving from a single address to a combination of smart contracts, where each element has a potential attack vector. So we have to make sure they’re really highly secure.”
