Oliver Hörr, Director of Operations at smart bounty marketplace Hats Finance, shared valuable insights at the ETHBarcelona conference on launching projects without the risk of being hacked, proposing innovative solutions to code auditing, and encouraging ethical hacking.
In his speech, Hörr addressed the challenges of selecting auditors for web3 projects, highlighting the high costs and difficulty verifying their track records. To overcome this, he proposed two solutions. The first involves auditors having a “skin in the game” by allocating a portion of their payment into a bug bounty, sharing the project’s risk. This approach allows projects to consider tier two and three auditors, offering better value for the price.
The second solution focuses on improving code auditing by offering financial incentives to auditors. This encourages thorough code review and timely vulnerability notifications. Additionally, Hörr discussed conducting audit challenges or competitions, where a larger pool of auditors can participate, increasing the chances of identifying vulnerabilities effectively.
The speaker also highlighted the challenges faced by ethical hackers, sharing examples of legal consequences they have encountered when reporting vulnerabilities. He discussed the importance of vulnerability disclosure and bug bounty programs. He mentioned a case where a political party chose to sue instead of fixing a vulnerability reported to them, discouraging ethical hacking efforts.
To address these issues, Hörr proposed a system where bug bounties are securely held in a vault and only paid out when vulnerabilities are proven, leveraging platforms like Kleros. This system aims to enhance the efficiency of bug bounty programs and make ethical hacking a more attractive option.
Hörr emphasized that skilled hackers often come from reputable universities, debunking the misconception that they are solely young individuals in basements.
He shared that Hats Finance offers bounties ranging from $20,000 to $500,000, tailored to the project and vulnerability level. The speaker also addressed concerns about the legitimacy of bounties on external platforms and highlighted their model of rewarding the first person to discover a vulnerability, attracting top experts to their platform.
In conclusion, Oliver Hörr showcased the success of their project audits and collaborations with renowned auditors. He discussed the competition model as a promising approach to incentivize vulnerability discovery, acknowledging that auditors can make mistakes and recommending conducting initial audits with trusted firms. The competition model is particularly effective for mature code.
Hörr expressed the ongoing development of the competition model, exploring options to ensure report quality and adapting parameters for different scenarios.