This proposal is designed to add a second category of bugs to Tier 1 of the Bug Bounty program outlined in OIP-17. This new category will cover “bugs/exploits which could lead to a loss of user funds” and will provide a flat fee reward of $333k per vulnerability/exploit.
In the aftermath of the Jay-Pegs/Miso incident, 865 ETH (around $2.5m if you price them at an average of $3k per ETH) were stolen from Miso users through a UI exploit which replaced the proper wallet address for the sale with a scammer’s address.
Funds were recovered thanks to diligent work by the Sushi team (and allegedly a threatening shipment of Chinese food). However, when reading about this it occurred to me that this vulnerability would not have been covered under any of OIP-17’s current tiers, and thus not available for a bounty.
The point of a Bug Bounty is to incentivize developers to report vulnerabilities and exploits to be fixed, instead of taking advantage of them. Taking advantage of vulnerabilities is a risky proposition: if someone finds out who you are, you could face legal or extrajudicial consequences. Providing someone with a way to make money by doing the right thing instead not only gives them a monetary incentive to help improve the security of Olympus, it also lets them avoid the stress of having to look over their shoulder worrying about when the hammer might come down. This game theory principle applies to exploits that would allow a hacker to drain user funds just as much as it does to one that would allow them to drain treasury funds.
Accordingly, I believe it is in Olympus’ best interest to add the additional “bug type” to Tier 1 of the Bug Bounty program created through OIP-17.
Change the text of Tier 1 of the Bug Bounty program to read, “Tier 1: For bugs/exploits which would lead to a loss of bond funds or a loss of user funds, a flat reward of $333,333.”
When management and chain of command are set for managing the Bug Bounty program and allocating rewards for submitted bugs (a plan for this will be detailed in a separate project proposal currently in the works by Zayen X and Proof of Steve, but in the event that project proposal does not pass, the program will remain in the hands of Strategos in general), this updated text will be included in their disclosures for bug hunters and will be used as the base rule for examining submitted bugs.
The polling process begins now and will end at 10:00 UTC on 13/10/2021. After this, a Scattershot vote will be put up at 10:00 UTC on 15/10/2021.
For: The text of Tier 1 of the Bug Bounty program, in all official disclosures, will be changed to read “Tier 1: For bugs/exploits which would lead to a loss of bond funds or a loss of user funds, a flat reward of $333,333.”
Against: The text of Tier 1 of the Bug Bounty program will not be changed.