We should start a bug bounty program

Summary: Create a two tier bug-bounty and reward system, including a "Proof of Whitehat" NFT reward and a cash bonus. Fund the cash bonus at least partly through the use of treasury yield strategies, with remaining funds as needed coming from DAO funds.

Motivation: OHM needs to be secure and safe, and the best way to do that is to incentivize white hats to regularly search for bugs and potential exploits by offering them cold hard cash when they find one. We are a community based around cooperation. For 3,3 to be a lasting state of affairs, and to keep the mutual trust that requires, every ohmie must know that they are staking their money in a safe and regularly stress tested protocol.

Proposal:

The Tiers and Bounties:

  1. For bugs/exploits which would lead to a loss of bond funds, a flat reward of $333,333.
  2. For bugs/exploits which would lead to a loss of treasury funds, a flat reward of $3,333,333.

The "Proof of Whitehat" NFTs:
OHM will commission an NFT design to be minted on an as-needed basis which will serve as proof that the address they are awarded to successfully identified either a tier-1 or tier-2 bug/exploit. These NFTs will recognize that address as a "Hero of Olympus" who is competent enough to serve as a white hat and can be trusted to act in good faith when properly incentivized. In essence these NFTs will serve as a letter of recommendation from all of Olympus DAO to the White Hats who help us identify and prevent bugs/exploits.

Source of Funds for Bug Bounty:
If approved, this proposal will allocate 10% of treasury yield strategies to a 'Bug Bounty Fund', set aside specifically to reward Heroes of Olympus (white hats) for their work helping keep OHM safe and secure. In the event additional funds are needed outside of what the Bug Bounty Fund can provide, funds will be allocated as needed out of general DAO funds.

    I'm too low IQ and do not know how to make a bounty work, but security is the only thing we should never cheap out on.

    I'm IN 100%, it has to be made please.

    $CORE developer made a 1M bounty program after their audit, this is how it should be done to be safe.

    https://immunefi.com/ is the resource typically used by trusted projects (yearn, Sushi, Synthetix, etc). I have some experience writing security/bounty documentation and would be willing to help out here.

      This can't happen fast enough. It's the biggest underlying risk to the protocol and as we grow and gain mainstream attention in the coming weeks it's critical that we are secure.

      Ty for bringing this up. Devil is always in the details (ex: how do you make sure the bounty exceeds proceeds from a potential breach?) and there's no excuse not to tackle this in detail. Ty ser.

        mysselium33 I do not have the answer to that unfortunately. The issue with offering something that always rewards people in excess of the amount they could get for using the exploit themselves is that by default that cannot cover the truly fatal breaches. In other words imagine that someone figured out a way to drain 100% of RFV treasury, OHM just can't afford to cover 110% of that potential loss. It's an impossibility by its very nature.
        It's not a perfect answer but I think to a small degree you have to assume that if you offer people some incentive to act ethically, there will be enough incentive for them to do so. Especially when those same people might be invested in OHM and want to see their investment (or the community they know and love) thrive.
        The alternative would be to find some sort of white hat firm and just keep them on regular retainer. But I'm not familiar enough with that side of things to say whether that's a better/worse option. @foks seems to know a bit about this, perhaps he can comment?


          Yup I hear you fren. I'm also curious whether anyone has used Sherlock (https://sherlock.xyz). It seems like an elegant solution to the problem: basically you create a compensation pool similar to what you'd set aside for bug bounty (prob larger tbh), where that pool is subordinated to the rest of the treasury and is paid to retained security experts over time if there are no exploits. Exploits drain the pool first, then treasury.

            mysselium33 Should make it clear I'm an absolute newb when it comes to this but I do have some experience managing people, so if this is something where we need someone just to keep things ordered and moving forward I am down to put in time and effort as needed. Though again, I lack any sort of technical expertise or experience here. Just love me ohmies, simple as.

            proofofsteve @mysselium33 Financially, it would be impossible to offer +100% of potential losses as you mentioned (at that point, it's cheaper to simply get exploited). My understanding is that protocols offer incentives that are "good enough" to compel people to do the right thing and let them know. The compensation is structured depending on the severity of the potential exploit. I believe a combination of bug bounties and regular audits is how the vast majority of protocols maintain third party security. I have personally never heard of keeping firms on retainer but my experience is limited there anyways.

              foks In the original post I outlined two potential tiers; I based this on something I had seen from another protocol (can't remember, but it might have been CORE or YEARN) and how they had structured their bounties.
              I agree that the proper solution here is something like a standing bounty program and a regular audit from a neutral third party.

              Strongly in favor and agree with all the points made above.
              Re: compensating equal to potential exploit, I personally believe most would rather act ethically for less (but still solid comp) than unethically for maximum extraction. Maybe that's the optimist in me, but the Rune exploit yesterday is a good example (exploiter took 1/5 of what they could have, and pointed out what needs to be fixed).

                Zeus

                Thinking about it, might be possible to supplement monetary incentive w/ a "clout" based NFT incentive. Something like OHM minting a number of exclusive NFTs which are only distributed to bug/exploit finders. In addition to being worth something, they also functionally act as a letter of recommendation on that dev's "resume" for any future jobs in the white hat field. So with that in mind a potential structure could be:

                1) Standing two tier bug bounty:
                1a) Flat $X,000 reward for any bugs/exploits found which would not result in loss of user or treasury funds. Plus an exclusive Tier-1 Ohmie Bug-Slayer (or however you want to brand it) NFT marking the user who it was given to as a proven capable white hat and good actor.
                1b) Flat $Y,000 reward for any bugs/exploits found which WOULD result in loss of user or treasury funds, plus Z% of the potential loss from that exploit (edit: capped at some % of RFV treasury). Plus an exclusive Tier-2 Ohmie Giga-Slayer NFT marking the user who it was given to as a proven capable white hat and good actor.

                2) Plus some sort of regularized audit from a third party auditing service. Can't say whether this would be quarterly, semi-annual, monthly, etc. as I don't know the costs of that or what the appropriate scheduling would be.

                I'm all for this, it's a great idea!

                Great proposal and right on time. I don't want to see us on rekt.news so let's do it.

                The sooner the better on this... It seems Olympus is going to continue to introduce increased complexity. A program of quality assurance to keep the core devs honest and the people of the DAO protected will be key. +1 for me.

                That is a very good idea. For the bugs that do not impact the treasury, I would set levels based on how serious the bug is. You do not want to pay someone 30k for a UI bug or something like that. Also, for the security threat one, we would have to allocate some fund that will not be part of the RFV, because you do not want to have less RFV than issued bonds. Things might mess up the protocol. We could allocate some value to a separate wallet or something like that for bug hunting.

                  Jochanan These are all great points @Jochanan.

                  I think the simple solution for the 'innocuous' bugs is to say 'Up to $30k per bug' and leave it to the core devs to decide.
                  Regarding the non-innocuous bugs, you're right that it can't come at the expense of the RFV treasury being lowered. I don't know enough about how things are currently structured to suggest where the money would come from and how the 'Bounty Fund' would grow. I just don't know enough about OHM's cash flows to make a meaningful suggestion. Do you have any particular ideas in mind?