OIP-34: Adding language to Tier 1 of Bug Bounty

Summary

This proposal is designed to add a second category of bugs to Tier 1 of the Bug Bounty program outlined in OIP-17. This new category will cover “bugs/exploits which could lead to a loss of user funds” and will carry the same flat reward of $333k per vulnerability/exploit.

Motivation

In the aftermath of the Jay-Pegs/Miso incident, 865 ETH (around $2.5m if you price them at an average of $3k per ETH) were stolen from Miso users through a UI exploit which replaced the proper wallet address for the sale with a scammer’s address.

Funds were recovered thanks to diligent work by the Sushi team (and allegedly a threatening shipment of Chinese food). However, when reading about this it occurred to me that this vulnerability would not have been covered under any of OIP-17’s current tiers, and thus not available for a bounty.

The point of a Bug Bounty is to incentivize developers to report vulnerabilities and exploits so they can be fixed, instead of taking advantage of them. Taking advantage of vulnerabilities is a risky proposition: if someone finds out who you are, you could face legal or extrajudicial consequences. Providing someone with a way to make money by doing the right thing instead not only gives them a monetary incentive to help improve the security of Olympus, it also lets them avoid the stress of having to look over their shoulder worrying about when the hammer might come down. This game theory principle applies to exploits that would allow a hacker to drain user funds just as much as it does to one that would allow them to drain treasury funds.

Accordingly, I believe it is in Olympus’ best interest to add the additional “bug type” to Tier 1 of the Bug Bounty program created through OIP-17.

Proposal

Change the text of Tier 1 of the Bug Bounty program to read, “Tier 1: For bugs/exploits which would lead to a loss of bond funds or a loss of user funds, a flat reward of $333,333.”
When management and chain of command are set for running the Bug Bounty program and allocating rewards for submitted bugs (a plan for this will be detailed in a separate project proposal currently in the works by Zayen X and Proof of Steve; in the event that project proposal does not pass, the program will remain in the hands of Strategos in general), this updated text will be included in their disclosures for bug hunters and will be used as the base rule for examining submitted bugs.

Polling Period

The polling process begins now and will end at 10:00 UTC on 13/10/2021. After this, a Scattershot vote will be put up at 10:00 UTC on 15/10/2021.

Poll

For: The text of Tier 1 of the Bug Bounty program, in all official disclosures, will be changed to read “Tier 1: For bugs/exploits which would lead to a loss of bond funds or a loss of user funds, a flat reward of $333,333.”

Against: The text of Tier 1 of the Bug Bounty program will not be changed.

For or Against the Outlined Proposal

This poll has ended.

Very much agree with making the bounty criteria more clear. In support!

A no-brainer. Thanks for staying with this train of thought and coming back and updating the community. We are in good hands.

Being explicit about what the bounty covers is important. Sounds solid to me!

Exploitation of the platform is my greatest Olympus fear.

Bug bounties benefit all parties involved: the DAO, the users, and the hard work of the security researcher.

Personally, I'd like to see bug bounties grow over time as the treasury reserves increase. I mean, if there are billions in reserve and an exploit could steal a majority of those billions, why not pay $3.3 million? Small price to pay for the honesty of the security researcher.


gnostication I agree! I was mulling this over; I wonder if it makes sense to add a framework based on a moving average of MC that ups the amount of bounty paid out after certain thresholds are met, i.e. breaking 5 billion market cap and sustaining it moves the bug payout to some % of MC. I think the current payouts are inadequate, but to each their own. This program will continue to develop as we grow, but it is productive for the project community members to see this on the forum to get people to start thinking about the "what if" we turn into a trillion dollar asset. $3.3 million dollars doesn't compensate.
