[RFC] - Establishment of a Bug Bounty Program:

Name: [RFC] - Establishment of a Bug Bounty Program

Scope: Bug Bounty Programs are one of the best ways to secure projects. This proposal shall lay the foundation for a Bug Bounty Program that will protect and reduce vulnerabilities within our project, through reward of skilled white-hat analysts.

Link to previous [DAO Discussion]: “[DAO Discussion] - Bug Bounty Program”

Objective: Protect Treasury Assets through rewarding white-hat hacking and analysis.

Provide a High Level Overview: Rewarding white-hat hacking and analysis of our project through assets designated in the treasury: we can reduce the risk of black-hat hackers who could steal or wreck us way worse. This is done by establishing a reserve of MIMs used only towards fulfilling bug bounty payouts.

Provide Low Level Details:

Business and/or technical requirements of the implementation of the proposal:

• If a bug bounty program is established, Treasury Managers shall be responsible for controlling or delegating the program, faithfully as established by this proposal and in ways it shall benefit Wonderland. The program managers shall be responsible for privately examining bug bounty claims from white-hats and determining its severity and reward consequently.
• No funds shall be paid out without approval of the Treasury Managers, despite who is decided to be responsible for the program.

So far i dont think there is a problem, but with more time and if new code its added (it will probably happen) we could have this bug bounty program up for a certain period of time, so things like what happened with the fantom and tomb LP in grim doesnt happen, they were audited for the exact same problem they got exploited, becase of new code (i believe it was like this correct me if im wrong).
Also audits arent cheap, so if we want to make some audits because of new code that we dont know it can be problematic or not we might be using a lot of money that it may be not necesary? like, obvisouly securing wonderland its a top priority always but we might be able to do it ourselves with the bug bounty

That’s a logical step for any serious projects. I don’t know any Olympus forks with such a thing, even Olympus doesn’t have a bug bounty program imo. It will help us to get #1 in this space in terms of security! Easiest vote i’ve ever made so far!

I think Klima DAO has actually introduced it last month, but their bounties are up to $500k, which is pretty cool.

Totally agree that the bounty program is needed for the longevity of the protocol, even if it costs more than what is currently laid out in the proposal. As long as the program protects the main funds in the treasury for everyone.

In the long term run, especially when new code will be added, this can be a crucial point.

This crypto and defi space is well known for all the hacking which have been done and every week new ones come. Use a part of Dao’s fund to keep the best security on the space is an incentive to invest even more.

Maybe I’m lacking in knowledge about this argument, but to me the security of the protocol is one of the most important point.

So who do you mean when you say “Treasury Managers” ? Sifu ? Or the team in general ?

Not sure I would put the treasury managers in charge compared to a dev that may be better equipped to judge the importance of the bug ?

I’m ok with the team delagating to whoever they feel is best. I Just think the “treasury managers” wording is weird.

When you say no fund can be paid out without the treasury managers, do you mean they have a say on the amount ? Or only confirmation/approval of the payment like the multisig ?

Sifu and Daniele, the people actually making the calls with what is done with the treasury.

They have to agree that it’ll be paid out: amount, conditions, etc.

Using an established bug bounty platform may be helpful to us as well. An example: Immunefi

Search for “DAO” to see how others are using it.

I think this is a great idea. Especially since this is literally a digital treasury, you probably have thousands of hackerz trying to find way in.

Recently the multi sig was moved to Gnosis Safe (Gnosis Safe Integrates with Avalanche, Expanding Security Tools for Developers and Users | by Avalanche | Avalanche | Dec, 2021 | Medium). The code that is being used has been battle tested by securing millions of tvl in the past. The rebase code as well as minting mechanism comes from the OlympusDAO code base.

The multisig comes from Gnosis Safe which stores over 100 billion USD worth of digital assets. They adhere to top security standards.

In case new code is being developed by our internal team, a bug bounty proposal makes sense which clearly indicates the rewards and scope of the program. And should be included in the budget of developing a new product.

Additional investment opportunities such as the recently suggested liquid staking proposal could benefit from a bug bounty to help secure the product.

I believe that this RFC is too generalized but the idea of securing code and products with a bug bounty is an important step which should be included in any new proposal that aims to build products and seeks investments from the DAO.

Yup agree 100%. Bounty programs are always a good idea, it increases the security of the project.

Good stuff. Nice suggestion @Patchy319

Polygon has been in working for long time but still had a critical bug in its PoS genesis contract [Source]. So, IMO, I find it difficult to be sure that OlympusDAO rebase code & minting mechanism would be free from any vulnerabilities.

With all due respect.

agreed on the olympus codebase part. I will look into numbers and options for us to create a bounty program and will share my findings here.

No brainer. I’m open to making the bounty more competitive (ie., higher) as an incentive.

This RFC gets a strong yes from me.