• Proposal
  • OIP-17: Creation & Funding of Bug Bounty Program

And perhaps compensation that's paid with an "option" of sorts, like the pOHM given to early investors. A fair sum, but one that vests and grows over time, further incentivizing the white-hats to keep our treasury secure on an on-going basis, not just one-and-done.

    Love to see this. We saw what happened to projects that suffered exploits: Alpha Finance, Cream Finance, etc. - their TVL dropped significantly which implied a lack of user confidence. An exploit would set Olympus back regardless of how much innovation or partnership we manage to advance.

    In the bounty tier, what about exploits that would lead to a loss of user funds? E.g. bugs that could cause a user to lose their staked OHM.

      kschan this program was designed to deal with those two “tiers” in particular but I’d be happy to work with you to add a third “tier” through a separate proposal later if you’re interested?

        proofofsteve I wonder why we couldn't include this in the same proposal? A separate proposal seems redundant imo. It is alright, I don't have enough understanding to propose the appropriate rewards for this kind of exploit.

          kschan I just don’t think it’s good practice to change the content of the proposal after votes are already in. But I suspect that adding a third “user funds” tier will be uncontroversial and I’ll work on it ASAP once the scattershot for the first two tiers is finished.

            Great idea in principle - but I think these bounties are excessive in comparison to everything else out there - we need to have a much longer discussion about the best way to do this for example Yearn and Synthetix have maximum payouts of $200,000 on https://immunefi.com/explore/ - this should return for further feedback from the community prior to going to snapshot

            Hey everyone,

            I'm Travin Keith, one of the Co-Founders of Immunefi, a bug bounty platform focused on crypto, and where Synthetix and Yearn are, as mentioned by @Mark11. Nice to see discussions about having a bug bounty program! Really like the "Proof of Whitehat" NFT reward as well! I think it'll be a great way to maintain community recognition. Though some whitehat hackers like to remain anonymous, there are definitely those that appreciate recognition.

            I think one thing to add as well is that a bug bounty program is more than just to attract whitehats, but also a last-stand attempt to convince a blackhat hacker to disclose a vulnerability responsibly instead of exploiting the bug and stealing user funds. So it's important to keep this in mind when thinking about the rewards.

            There seems to be some concern with regards to the reward amounts being too high, but I don't think that's too much of a problem because they're not paid out unless there's an actual vulnerability that could cause much more damage. What we do recommend though for large rewards is to have a scaling bug bounty, so that the reward is 10% of the economic damage. Having a hard cap for it though is understandable, but having it high can be a great marketing strategy to attract more whitehats as well as the attention of blackhats. We just launched the bug bounty program for TheGraph today which has $2.5m for critical vulnerabilities, the biggest one around crypto, and so the $3.3m one would definitely attract a lot of attention.

            As for what @kschan mentioned about the loss of user funds, we'd call this critical as well as it would definitely be quite catastrophic if user funds were directly stolen. The 10% of economic damage factor would also be good here so that the reward properly scales with impact as well. That way if only $10m can be stolen, the reward would just be around $1m and not the full cap.

            proofofsteve I'd be happy to provide further feedback to you about structuring a bug bounty program, and would be also happy to discuss having the bug bounty program for OlympusDAO on Immunefi, joining other notable projects around the DeFi space. One big thing with us is that we are actively growing our whitehat community, both through our whitehat scholarship program, as well as through general outreach. It's been quite helpful as well that we've had two of the largest payouts for bug bounty programs - $800k and $700k, so bug bounty hunters are more confident that they can actually get rewarded on our platform, even if the numbers are significantly higher than other platforms. Onboarding and maintenance is also free on our platform, on top of all of our advisory and promotional assistance 🙂 We just have a 10% performance fee. So if there are no bugs found at all, the DAO just pays $0.

              AlexKID33 agreed with this. love the program. the incentives can be dampened down a little bit.

              I think this program is a necessity for the strength and longevity of this protocol.

              I think the rewards may need to be ironed out a little bit, in case perhaps there are a lot of bugs, and those maybe those bugs end up saving us long-term, however, what happens if so many are discovered in a short period that it causes large portion of treasury funds to be allocated to the bug bounty unexpectedly?

              I'm pretty new to this, but this is something that came to mind that I think potentially needs to be ironed out a little more.

              On the flipside, I love how juicy the incentives are, even as a complete solidity newbie I would be compelled to start bug chasing if I knew I could get a nice payout like that.

              Long-term, I think these juicy rewards are definitely worth it for stakers and whoever saves Olympus from a catastrophic exploit. In a way, this would be our insurance, so let's not skimp on it, right?

                It would be cool if we could have a little community call next week to discuss this! Very happy to help organize with you @proofofsteve maybe we can invite the @TravinImmunefi and answer community questions and try to settle down more of the detail

                  TravinImmunefi Thanks for the feedback. The original proposal did actually have a "% of funds which could have been lost" metric, but when I discussed w/ Strategos they were worried that was a little vague. There was the possibility that someone could find a bug and think it would have exploited $X, only for Strategos to say it would have exploited $Y. If Y<X, bug hunters could walk away feeling they got screwed.

                  In terms of the user funds loss, I agree completely it was an oversight. I think it's too late in the process to add that to this particular OIP, but as soon as this proceeds to Scattershot I'll draft up another OIP detailing it. Would love to chat more with you about this Travin, I will DM you on twitter.

                  Regarding what you mentioned @Mark11 I'm always down to join a community call. Currently in transit to Phuket over the next few days, but will be there and generally available during working hours after the 7th.

                    TravinImmunefi
                    Hi,

                    Thank you for your insight, very much welcomed!
                    After some consideration I'd like the scalable reward based on the economic damage. My main issue with it became that their would have to be some negotiation to determine what that damage would be in the end, losing valuable time.
                    How would this be resolved?

                      Supportive of this generally and happy to see ImmuneFi discuss more industry best practices.

                        tigerlily I think the rewards may need to be ironed out a little bit, in case perhaps there are a lot of bugs, and those maybe those bugs end up saving us long-term, however, what happens if so many are discovered in a short period that it causes large portion of treasury funds to be allocated to the bug bounty unexpectedly?

                        I'm pretty new to this, but this is something that came to mind that I think potentially needs to be ironed out a little more.

                        We could set a hard cap of funds that can be paid out so that if many are submitted at the same time, assuming that they're all valid and are not duplicates (as otherwise they would just simply be rejected), they're rewarded on a first-come-first-served basis, and then the rest have a claimable coupon of sorts for the future once the pool is refreshed.

                        Mark11 It would be cool if we could have a little community call next week to discuss this! Very happy to help organize with you @proofofsteve maybe we can invite the @TravinImmunefi and answer community questions and try to settle down more of the detail

                        I'd be happy to join the community call. When will it be next week? The afternoon of the 11th generally works best for me, but I could do the 10th in the mid evening. All times CEST.

                        proofofsteve There was the possibility that someone could find a bug and think it would have exploited $X, only for Strategos to say it would have exploited $Y. If Y<X, bug hunters could walk away feeling they got screwed.

                        As for addressing this issue, a Proof of Concept (PoC) would then be provided. The amount to be rewarded would then be based on that PoC. This would be something that the team could test themselves. Though we don't really provide a triaging service, if it gets to a strong disagreement, we could do the test ourselves as well as a neutral third party, as well as try to do some mediation. It's incredibly unlikely though that testing the same PoC under what would be the correct conditions (e.g forking the public network into a private network from the right block and implementing the PoC) would yield different results. Though it could be argued that we are not completely neutral since we are paid based on the payout to the bug bounty hunter, it should be noted that a large flat payout is actually in our benefit as then we get the max payout every time but yet I'm recommending this instead.

                        That said, for the treasury, depending on how it's set up, it might be very unlikely for there to be scenarios where the treasury is only partially drained. I will need to spend a bit more time understanding the treasury structure to be able to understand this better, but perhaps this is something we can discuss for the next OIP.

                        Wartull Hi,

                        Thank you for your insight, very much welcomed!
                        After some consideration I'd like the scalable reward based on the economic damage. My main issue with it became that their would have to be some negotiation to determine what that damage would be in the end, losing valuable time.
                        How would this be resolved?

                        My answer above should address most of this, but I thought I'd tag you too since you brought it up. I should also add that this becomes more relevant when we're talking about user funds.

                        Don_G_Lover Supportive of this generally and happy to see ImmuneFi discuss more industry best practices.

                        Thanks for reading! I know I sometimes write too much 😁

                        Write a Reply...