Set Aside Funds for an ImmuneFi Bug Bounty Program

Summary
Bug bounty programs incentivize white hat hackers to probe a project’s smart contracts for vulnerabilities. ImmuneFi is the leading platform in DeFi at the moment for coordinating such programs and is relied upon by market leaders like Synthetix, Nexus Mutual, Chainlink, and Sushiswap.

This proposal would look to allocate between $100,000 and $250,000 for this initiative.

Description
Pavlo and I had the chance to speak with ImmuneFi’s founder, Travin, about the program and found the following points to be relevant:

  • They’ve found that $100K is the magic number for attracting white hat hackers; programs with less than $50K tend to attract fewer hackers, while those beyond $250K don’t necessarily attract greater attention

  • The sum set aside is totally based on trust and does not need to be escrowed prior to a payout, should one occur

  • Stablecoins are typically preferred over native assets

ImmuneFi offers the following with its platform:

  • PR and communications assistance for the launch and major updates to the bug bounty program

  • Access to a secure bug disclosure dashboard (unlimited number of users per client can be onboarded)

  • Light filtering of bug reports to remove clear spam (including reports that are clearly out of scope such as copyright year errors, etc.)

  • Assistance on PR and Comms, including a postmortem write-up, for critical vulnerabilities discovered on our platform, depending on Immunefi’s availability

In exchange for these services, ImmuneFi has the following cost structure:

  • USD 0 onboarding and structuring advisory fees

  • USD 0 ongoing maintenance fees

  • A performance fee of 10% on top of the rewards to the bug bounty hunters (e.g., a reward of USD 1000 equivalent to the bug bounty hunter means Immunefi gets USD 100 on top of it)

Motivation
Pavlo and I reached out to ImmuneFi because the lack of a bug bounty program currently presents a drag on BarnBridge’s DeFi Safety Rating. Given that bug bounties are standard throughout crypto and legacy tech, we were interested in figuring out the ideal sizing and provider for such a program.

What makes the concept even more compelling is that with the launch of SMART Yield on Polygon, we would be able to earn yield on the bounty sum that is set aside with minimal friction. One such strategy could be to deposit the sum into the highest yielding senior tranche for a given week, and every week assess whether a payout needs to be made or if the senior tranche can simply be rolled over for the next week, and so on. The absence of material gas fees allows this strategy to earn positive yield even in low-interest rate environments.

Technical details
The sum allocated to the program would be transferred from the DAO to the multisig being used for treasury management (i.e., the one established for the previous Bancor deposit). These funds would then be deployed on Polygon SMART Yield, with regular roll over of the funds into senior bonds with one-week durations.

Useful Links

Argumentation
For:

  • Provides an on-ramp for community developers to get familiar with our code
  • Takes advantage of the open source hivemind
  • Allows the community to earn yield without asking the DAO to provide a blank check
  • Taps into ImmuneFi’s white hat hacker community

Against:

  • False alarms take up developer time
  • Opportunity cost of not investing the money elsewhere

DAO Vote
There is currently no timeline planned for bringing this to community vote. Please use this thread to give your opinion on:

  • Whether or not you’d like to see such a program established
  • What sum you’d like to see set aside for the program
  • Who you would prefer over ImmuneFi to host this program, if any

We’ll look to have Travin answer questions you may have both here in the forum and in the #Embassy channel on the Discord.


I think this is a good investment to help increase the DeFi Safety Rating and spread the word about BarnBridge via incentivizing hackers. 100k seems like an appropriate amount and the SMART Yield strategy via the upcoming Polygon integration makes sense. Considering the community vote was created and passed, would the bug bounty program roll out around the same time as the Polygon integration launch?


If it can help with our DeFi Safety Rating I’m in favor of this idea. I have respect for white hat hackers and I think it is a good idea to incentivize them. If we could use these funds for yield on Polygon that is just perfect! I also agree with 100k…


It’s definitely a good opportunity to continue establishing BarnBridge’s authority as a secure and reliable protocol. Taking into consideration that participating in ImmuneFi bug bounty program doesn’t require us to provide the bug bounty budget upfront, it’s almost a no-brainer as we could merge it with some treasury allocation strategies that were discussed earlier in the Discord governance channel.

Aside from that, as was already mentioned, it will help us maintain a healthy DeFi Safety Score. I think this is really valuable, as DeFi Safety has just updated their Process Review to 0.7 and we would have our score dropped a bit if we were not working towards the bug bounty program.


No brainer.

Anything that makes our contracts more secure should be an imperative.

Costs seem reasonable considering the TVL our contracts currently secure and the growth we anticipate with the product roll-out blitz coming over the next couple of months.


I’m in favor of this, as the cost seems relatively low compared to the security benefits and the DeFi Safety Ratings bump. Love the idea of using the Poly pool to earn yield while program runs.

I’m all for this - I think the Snapshot vote should include options for $100k, $150k, $200k, and $250k so we can determine which level would have the most community support. Personally either $150k or $200k feels like the right number to me.

Also, this is probably slightly outside the scope of this forum post, but maybe we could allocate 200% or 300% of the agreed upon bounty into SMART Yield - Polygon so we earn interest income at a faster rate to compensate for any early payouts.


Absolutely. Great proposal.