Proposal: Increase Bancor's Bug Bounty Payout on Immunefi

This proposal is expected to appear on Snapshot for voting on 2021-11-14T12:00:00Z. Make sure to stake your vBNT for voting before this date and time to participate in the DAO decision.

Summary :

This proposal is seeking to increase the payout for the following vulnerabilities:

critical level vulnerabilities from the current $100K to $250K (plus an additional $50K from armor alliance, $250K is covered by us)
high level vulnerabilities from the current $12K to $50K
medium level vulnerabilities from the current $4K to $10K

Abstract:

Our current bug bounty payout is severely lagging behind our competitors and we should increase our bounties in order to be more in line with other DeFi protocols. The Bancor protocol currently holds over 1B+ in assets (half of which is protocol-owned $BNT). Increasing our bug bounty should inspire more confidence from our users and potentially drive more deposits into the protocol. More importantly, a higher bounty should attract white hat hackers that could potentially alert us to any vulnerabilities before they get exploited by malicious actors.

The current language for the Bancor bounty on immunefi is the following:

Payouts for Low to High bug reports as well as the first USD 50 000 of Critical bug reports are handled by the Bancor core devs directly and are denominated in USD. However, payouts are done in BNT . For Critical bug reports, the remaining USD 50 000 is paid by ArmorFi under the Armor Alliance Bug Bounty Challenge in ARMOR with a vesting period of up to 24 months.

as compared to the Sushiswap language which is the following:

Payouts are handled by the SushiSwap team directly and are denominated in USD . Payouts worth USD $100,000 and below are done in USDC . Payouts beyond USD $100,000 up to USD 1,000,000 are made in SUSHI , though the first $100,000 can be made in USDC if requested. Payouts above USD 1,000,000 have the remainder paid in ARMOR under the Armor Alliance Bug Bounty Challenge with a vesting period of up to 24 months.

I am proposing the following revised changes:

Payouts are handled by the Bancor core devs directly and are denominated in USD . Payouts worth USD $100,000 and below are done in USDC, USDT, or DAI. Payouts beyond USD $100,000 up to USD $250,000 are made in BNT, though the first $100,000 can be made in USDC, USDT, or DAI if requested. For Critical bug reports, an additional USD $50,000 is paid by ArmorFi under the Armor Alliance Bug Bounty Challenge in ARMOR with a vesting period of up to 24 months.

Motivation:

The recent high-profile exploits on other DeFi protocols have definitely put more focus on security across several DeFi protocols. While looking at our vulnerabilities I noticed that we were on the low end as compared to our peers. Below is a comparison between us and sushiswap to get a sense of how far behind we are:

image1101×808 34.3 KB

We can also see that Aave has implemented a $250K bounty for severe vulnerabilities that are almost certain to be exploitable:

image768×435 32.9 KB

Curve follows a similar approach with a payout of $250K for high vulnerabilities that are almost certain to be exploitable:

image742×317 38.2 KB

Our friends at Uniswap have a payout of up to $500K for any vulnerability that leads to the loss of LP funds:

image792×273 65.8 KB

Balancer takes this a step higher by offering $2M for critical severity vulnerabilities:

image840×789 23 KB

For:

Increase the payout on the following vulnerabilities:

critical level vulnerabilities from the current $100K to $250K (plus an additional $50K from armor alliance, 250K is covered by us)
high level vulnerabilities from the current $12K to $50K
medium level vulnerabilities from the current $4K to $10K

and update the language to the following:

Payouts are handled by the Bancor core devs directly and are denominated in USD . Payouts worth USD $100,000 and below are done in USDC, USDT, or DAI. Payouts beyond USD $100,000 up to USD $250,000 are made in BNT, though the first $100,000 can be made in USDC, USDT, or DAI if requested. For Critical bug reports, an additional USD $50,000 is paid by ArmorFi under the Armor Alliance Bug Bounty Challenge in ARMOR with a vesting period of up to 24 months.

Against:

Do not change the payout on any of the vulnerabilities

Please explain a little bit more. Are you suggesting that if there is a bug the DAO would cover this increase? Or the foundation? Or both? Please clarify how this would happen practically.

I don’t know if constant $ amounts per hack type make much sense. Consider a hack that would drain 100% TVL - 1.5B. $250k is not a large enough incentive in my opinion for any hacker to return or otherwise not hack those funds. Perhaps a % of hacked funds or potentially hacked funds * a percentage of likelihood makes more sense?

This is for our immunefi bounty which is out there publicly and is more targeted towards “white hack” or researchers that are trying to find vulnerabilities in protocols. This is also in line with what other DeFi protocols are doing for their vulnerabilities and does not diverge from the existing status quo.

With that said, If there is a malicious actor that has the ability to drain a bunch of our funds (say 100% TVL), I am certain with a high degree of confidence that he will not go down this route (bounty). If that does happen (dread the thought) then I think your suggestion makes perfect sense because there is precedent for other protocols doing this publicly while negotiating (via encoded messages in TXs or stating publicly on twitter etc…).

This is one possible way of how would I see this playing out:

1. Funds get compromised
2. Emergency proposal is made and quickly put on snapshot so that the DAO signals that it is willing to award 10% (or some other number) of economic damage caused by the attack
3. We publicly publicize this and make this known

It sounds like the foundation is covering the current bounty given the language (perhaps someone from the foundation or a core team member can confirm?):

Payouts are handled by the Bancor core devs directly and are denominated in USD

If the proposal passes and the Bancor DAO can compel the foundation to raise the bounty then I think it is the correct approach. The increase is in line with what other protocols are doing and right now we are at a disadvantage.

If the Bancor DAO can’t compel the foundation to raise the bounty (even if the proposal passes) then it should still be done but the payment would have to come from us (the DAO) via minting $BNT. The language would have to change to make this explicit

Payouts are handled by the Bancor core devs in conjunction with the Bancor DAO directly and are denominated in USD.

If that is indeed the case then it might make sense for us to pre mint $BNT (A small amount but enough to cover the cost of a few vulnerabilities. We can use 52-week average price of $BNT to make this determination and some threshold, say $1m USD or 250K $BNT if the average price was $4) to a community-owned (some members of the community and core bancor devs) multisig to have ready for these scenarios so that we are not delaying the payment process by waiting for a proposal on our end to pass. I can take this up separately as a follow-up proposal.

The proposal went up prematurely last time, I will have this go up again this upcoming Sunday.

I think you should clarify where the money would come from in the proposal itself - from the foundation or the DAO

I believe I addressed here:

let me know if that’s not clear?