Bug bounty programs incentivize white hat hackers to probe a project’s smart contracts for vulnerabilities. ImmuneFi is the leading platform in DeFi at the moment for coordinating such programs and is relied upon by market leaders like Synthetix, Nexus Mutual, Chainlink, and Sushiswap.
This proposal would look to allocate between $100,000 and $250,000 for this initiative.
Pavlo and I had the chance to speak with ImmuneFi’s founder, Travin, about the program and found the following points to be relevant:
- They’ve found that $100K is the magic number for attracting white hat hackers; programs with less than $50K tend to attract fewer hackers, while those beyond $250K don’t necessarily attract greater attention
- The sum set aside is totally based on trust and does not need to be escrowed prior to a payout, should one occur
- Stablecoins are typically preferred over native assets
ImmuneFi offers the following with its platform:
- PR and communications assistance for the launch and major updates to the bug bounty program
- Access to a secure bug disclosure dashboard (an unlimited number of users per client can be onboarded)
- Light filtering of bug reports to remove clear spam (including reports that are clearly out of scope, such as copyright year errors)
- Assistance on PR and comms, including a post-mortem write-up, for critical vulnerabilities discovered on our platform, depending on ImmuneFi’s availability
In exchange for these services, ImmuneFi has the following cost structure:
- USD 0 onboarding and structuring advisory fees
- USD 0 ongoing maintenance fees
- A performance fee of 10% on top of the rewards to the bug bounty hunters (e.g., a reward of USD 1,000 equivalent to the bug bounty hunter means ImmuneFi gets USD 100 on top of it)
Pavlo and I reached out to ImmuneFi because the lack of a bug bounty program currently presents a drag on BarnBridge’s DeFi Safety Rating. Given that bug bounties are standard throughout crypto and legacy tech, we were interested in figuring out the ideal sizing and provider for such a program.
What makes the concept even more compelling is that with the launch of SMART Yield on Polygon, we would be able to earn yield on the bounty sum that is set aside with minimal friction. One such strategy would be to deposit the sum into the highest-yielding senior tranche for a given week, then assess every week whether a payout needs to be made or whether the senior tranche can simply be rolled over for the next week, and so on. The absence of material gas fees allows this strategy to earn positive yield even in low-interest-rate environments.
The sum allocated to the program would be transferred from the DAO to the multisig being used for treasury management (i.e., the one established for the previous Bancor deposit). These funds would then be deployed on Polygon SMART Yield, with the funds regularly rolled over into senior bonds with one-week durations.
Relevant links:
- Example project landing page on ImmuneFi
- Current available fees in the DAO treasury
- Example post-mortem
- DeFi Safety Score rubric
Benefits:
- Provides an on-ramp for community developers to get familiar with our code
- Takes advantage of the open source hivemind
- Allows the community to earn yield without asking the DAO to provide a blank check
- Taps into ImmuneFi’s white hat hacker community
Drawbacks:
- False alarms take up developer time
- Opportunity cost of not investing the money elsewhere
There is currently no timeline planned for bringing this to community vote. Please use this thread to give your opinion on:
- Whether or not you’d like to see such a program established
- What sum you’d like to see set aside for the program
- Who you would prefer over ImmuneFi to host this program, if any
We’ll look to have Travin answer questions you may have both here in the forum and in the #Embassy channel on the Discord.