OIP-77: New Tier for Bug Bounty & Awarding of One Retroactive Bounty

Summary

This proposal is designed to add a third tier of bugs to the Bug Bounty program outlined in OIP-17, OIP-34, and OIP-38. This new tier will cover “bugs/exploits which could lead to an incorrect rebase amount” and will provide a flat fee reward of $33,333 per vulnerability/exploit. This OIP also will retroactively award 1 bug bounty of this size to a submission previously received through ImmuneFi which would have qualified under this tier, should it pass review by engineering.

Motivation

After we launched the bug bounty with ImmuneFi we have received a bug which, in extreme cases, could lead to incorrect rebase amounts. This bug does not qualify under Tiers 1 or 2 of the Bug Bounty as currently specified. However, Bug Bounty Management unanimously agrees the efforts of the whitehats who brought this to our attention should be rewarded, and we should encourage people to bring forward more bugs of this nature.

Accordingly, I believe it is in Olympus’ best interest to add the additional “bug type” to the Bug Bounty program created through OIP-17, and to provide a bounty of $33,333 and a Proof of Whitehat NFT to the aforementioned whitehats should their bug submission pass review with engineering.

Proposal

Change the text of the Olympus Bug Bounty from:

Critical vulnerabilities are further subcategorized into two tiers:

  • Tier 1: For bugs/exploits which would lead to a loss of bond funds or a loss of user funds, a flat reward of USD 333 333 is provided.

  • Tier 2: For bugs/exploits which would lead to a loss of treasury funds, a flat reward of USD 3 333 333 is provided.

To

Critical vulnerabilities are further subcategorized into three tiers:

  • Tier 1: For bugs/exploits which would lead to a loss of bond funds or a loss of user funds, a flat reward of USD 333 333 is provided.

  • Tier 2: For bugs/exploits which would lead to a loss of treasury funds, a flat reward of USD 3 333 333 is provided.

  • Tier 3: For bugs/exploits which would lead to an incorrect rebase amount, a flat reward of USD 33 333 is provided.

Additionally, this OIP authorizes the retroactive awarding of one Tier 3 Bounty and one Proof of Whitehat NFT to one whitehat team which had previously submitted a bounty which would have qualified under Tier 3 (the details of which will be disclosed once a fix is implemented), if said bug passes review with engineering, which it is currently undergoing.

Polling Period

The polling process begins now and will end at 10:00 UTC on February 3rd 2022. After this, a Scattershot vote will be put up at 10:00 UTC on February 4th 2022.

Poll

For: The text of the Bug Bounty program, on the ImmuneFi website, will be changed as previously specified and one Tier 3 bounty and Proof of Whitehat NFT will be awarded retroactively.

Against: The text of the Bug Bounty program will not be changed.

For or Against the Outlined Proposal


This proposal makes sense to me. It incentivizes bounty hunters to look in areas with financial impact to the DAO that might otherwise go unnoticed.

Don't have anything to add, but I just wanted to voice my support - it makes sense to keep updating the bug bounty programme in order to encourage whitehat testing/hacking.

Seems like a common sense update to the program.

I personally and professionally, in my Immunefi capacity, believe that this is the right way forward. It is clear that this type of bug report is valued and so it makes sense to extend the bug bounty program to cover this.

I would also like to commend @ProofofSteveGM and the others whom we've worked with so far for the existing bug bounty program. Many programs in the past have taken very hardline stances even when there were things of value and actions were taken. While this has been ok in some situations, there are certainly some that call for additional considerations and planning, and I believe this is one of them. The recognition of the need to not only add flexibility with additional coverage but also retroactively reward a contribution that would've fallen under this is a further sign that they greatly care about securing Olympus.

    Great to add clarity to the existing framework - appreciate the transparency & supportive!


    @ProofofSteveGM TravinImmunefi

    Hello!

    Have you considered adding a wider scope to your OlympusDAO Immunefi Bug Bounty program?

    We have found and reported a pretty serious vulnerability; however, sadly it's marked as OOT (which we understand).

    However, we would really appreciate if there was a new proposal for adding a wider scope, as in the current one only one OlympusDAO domain is in scope; maybe you can check our report and you will see the possibility of real-world impact.

    UGWST.COM

    I like the idea but think that verbiage on this new tier is too restrictive. I suggest changing it to encapsulate any bug the team deems worthy of a reward vs limiting it to those affecting rebase amounts. This would future proof the new tier should the need arise for something unrelated to rebases.
