OIP-17: Creation & Funding of Bug Bounty Program

Summary: Create a two-tier bug-bounty and reward system, including a "Proof of Whitehat" NFT reward and a cash bonus. Fund the cash bonus at least partly through the use of treasury yield strategies, with remaining funds as needed coming from DAO funds.

Motivation: OHM needs to be secure and safe, and the best way to do that is to incentivize white hats to regularly search for bugs and potential exploits by offering them cold hard cash when they find one. We are a community based around cooperation. For 3,3 to be a lasting state of affairs, and to keep the mutual trust that requires, every ohmie must know that they are staking their money in a safe and regularly stress-tested protocol.

Proposal:

The Tiers and Bounties:

  • Tier 1: For bugs/exploits which would lead to a loss of bond funds, a flat reward of $333,333.
  • Tier 2: For bugs/exploits which would lead to a loss of treasury funds, a flat reward of $3,333,333.

The "Proof of Whitehat" NFTs:
OHM will commission an NFT design to be minted on an as-needed basis, which will serve as proof that the address it is awarded to successfully identified either a tier-1 or tier-2 bug/exploit. These NFTs will recognize that address as a "Hero of Olympus" who is competent enough to serve as a white hat and can be trusted to act in good faith when properly incentivized. In essence, these NFTs will serve as a letter of recommendation from all of Olympus DAO to the White Hats who help us identify and prevent bugs/exploits.

Source of Funds for Bug Bounty:
If approved, this proposal will allocate 10% of treasury yield strategies to a "Bug Bounty Fund", set aside specifically to reward Heroes of Olympus (white hats) for their work helping keep OHM safe and secure. In the event additional funds are needed outside of what the Bug Bounty Fund can provide, funds will be allocated as needed out of general DAO funds.

Additional Details:
Any details which are not explicitly outlined in this post, but which must be decided upon in order to execute the Bug Bounty program (including, but not limited to, what token or tokens the bounty is paid in, who is commissioned to create the NFT, etc.), shall be decided by Strategos.

Polling Period:
The polling process begins now and will end at 12:58 UTC on August 5th, 2021. After this, a Scattershot vote will be put up at 12:58 UTC on August 7th, 2021.

Poll:
If the measure is approved, the vote will proceed to Scattershot. If the measure is not approved, the vote will not proceed to Scattershot.

References: https://forum.olympusdao.finance/d/68-we-should-start-a-bug-bounty-program

Shall we implement the Bug Bounty program as detailed in the proposal text?


    I wish I could know how to debug in Solidity. Great proposal!

    Solid proposal to develop this bug bounty! This will be increasingly important as we add new treasury assets and more complex allocations of funds. Ohmies need to know that we prioritize treasury security above all else. Funds are safu!

    Yep, reward good behaviour. Save the day.

    Even if I understand the role of the incentive correctly, I find it a little excessive, even almost an incentive to voluntarily leave bugs in the code to then earn the bounty kek. Is it possible to consider 3 bonuses of 111 111 and 3 from 1 111 1111?
    And 3.3% instead of 10% of the cash for the fund?

      And perhaps compensation that's paid with an "option" of sorts, like the pOHM given to early investors. A fair sum, but one that vests and grows over time, further incentivizing the white hats to keep our treasury secure on an ongoing basis, not just one-and-done.

        Love to see this. We saw what happened to projects that suffered exploits: Alpha Finance, Cream Finance, etc. - their TVL dropped significantly which implied a lack of user confidence. An exploit would set Olympus back regardless of how much innovation or partnership we manage to advance.

        In the bounty tier, what about exploits that would lead to a loss of user funds? E.g. bugs that could cause a user to lose their staked OHM.

          kschan this program was designed to deal with those two “tiers” in particular but I’d be happy to work with you to add a third “tier” through a separate proposal later if you’re interested?

            proofofsteve I wonder why we couldn't include this in the same proposal? A separate proposal seems redundant imo. It is alright, I don't have enough understanding to propose the appropriate rewards for this kind of exploit.

              kschan I just don’t think it’s good practice to change the content of the proposal after votes are already in. But I suspect that adding a third “user funds” tier will be uncontroversial and I’ll work on it ASAP once the scattershot for the first two tiers is finished.

                Great idea in principle, but I think these bounties are excessive in comparison to everything else out there. We need to have a much longer discussion about the best way to do this; for example, Yearn and Synthetix have maximum payouts of $200,000 on https://immunefi.com/explore/. This should return for further feedback from the community prior to going to snapshot.

                Hey everyone,

                I'm Travin Keith, one of the Co-Founders of Immunefi, a bug bounty platform focused on crypto, and where Synthetix and Yearn are, as mentioned by @Mark11. Nice to see discussions about having a bug bounty program! Really like the "Proof of Whitehat" NFT reward as well! I think it'll be a great way to maintain community recognition. Though some whitehat hackers like to remain anonymous, there are definitely those that appreciate recognition.

                I think one thing to add as well is that a bug bounty program is about more than just attracting whitehats; it is also a last-stand attempt to convince a blackhat hacker to disclose a vulnerability responsibly instead of exploiting the bug and stealing user funds. So it's important to keep this in mind when thinking about the rewards.

                There seems to be some concern with regards to the reward amounts being too high, but I don't think that's too much of a problem because they're not paid out unless there's an actual vulnerability that could cause much more damage. What we do recommend though for large rewards is to have a scaling bug bounty, so that the reward is 10% of the economic damage. Having a hard cap for it though is understandable, but having it high can be a great marketing strategy to attract more whitehats as well as the attention of blackhats. We just launched the bug bounty program for TheGraph today which has $2.5m for critical vulnerabilities, the biggest one around crypto, and so the $3.3m one would definitely attract a lot of attention.

                As for what @kschan mentioned about the loss of user funds, we'd call this critical as well as it would definitely be quite catastrophic if user funds were directly stolen. The 10% of economic damage factor would also be good here so that the reward properly scales with impact as well. That way if only $10m can be stolen, the reward would just be around $1m and not the full cap.

                proofofsteve I'd be happy to provide further feedback to you about structuring a bug bounty program, and would be also happy to discuss having the bug bounty program for OlympusDAO on Immunefi, joining other notable projects around the DeFi space. One big thing with us is that we are actively growing our whitehat community, both through our whitehat scholarship program, as well as through general outreach. It's been quite helpful as well that we've had two of the largest payouts for bug bounty programs - $800k and $700k, so bug bounty hunters are more confident that they can actually get rewarded on our platform, even if the numbers are significantly higher than other platforms. Onboarding and maintenance is also free on our platform, on top of all of our advisory and promotional assistance 🙂 We just have a 10% performance fee. So if there are no bugs found at all, the DAO just pays $0.

                  AlexKID33 Agreed with this. Love the program. The incentives can be dampened down a little bit.

                  I think this program is a necessity for the strength and longevity of this protocol.

                  I think the rewards may need to be ironed out a little bit, in case there are a lot of bugs. Maybe those bugs end up saving us long-term; however, what happens if so many are discovered in a short period that it causes a large portion of treasury funds to be allocated to the bug bounty unexpectedly?

                  I'm pretty new to this, but this is something that came to mind that I think potentially needs to be ironed out a little more.

                  On the flip side, I love how juicy the incentives are; even as a complete Solidity newbie I would be compelled to start bug chasing if I knew I could get a nice payout like that.

                  Long-term, I think these juicy rewards are definitely worth it for stakers and whoever saves Olympus from a catastrophic exploit. In a way, this would be our insurance, so let's not skimp on it, right?

                    It would be cool if we could have a little community call next week to discuss this! Very happy to help organize with you @proofofsteve. Maybe we can invite @TravinImmunefi, answer community questions and try to settle more of the detail.

                      TravinImmunefi Thanks for the feedback. The original proposal did actually have a "% of funds which could have been lost" metric, but when I discussed it with Strategos they were worried that was a little vague. There was the possibility that someone could find a bug and think it would have exploited $X, only for Strategos to say it would have exploited $Y. If Y<X, bug hunters could walk away feeling they got screwed.

                      In terms of the user funds loss, I agree completely that it was an oversight. I think it's too late in the process to add that to this particular OIP, but as soon as this proceeds to Scattershot I'll draft up another OIP detailing it. Would love to chat more with you about this, Travin; I will DM you on Twitter.

                      Regarding what you mentioned @Mark11 I'm always down to join a community call. Currently in transit to Phuket over the next few days, but will be there and generally available during working hours after the 7th.

                        TravinImmunefi Hi,

                        Thank you for your insight, very much welcomed!
                        After some consideration I'd like the scalable reward based on the economic damage. My main issue with it became that there would have to be some negotiation to determine what that damage would be in the end, losing valuable time.
                        How would this be resolved?

                          Supportive of this generally and happy to see ImmuneFi discuss more industry best practices.