✅ [RFC] mStable <> Immunefi Protocol Partnership

Summary

  • This proposal is for mStable’s participation as a pilot partner in Immunefi’s upcoming bug bounty protocol launch, and for funds to back its bug bounty program onchain.

Abstract

  • Immunefi is the leader in DeFi bug bounties, protecting over $80b in user funds across protocols like Yearn, Polygon, Sushiswap, Nexus Mutual, Compound, Synthetix, Arbitrum, Pancakeswap, and 170+ more. Immunefi has prevented over $2 billion USD in direct theft to its partners to date, and far more than that in aggregate economic damage.
  • Immunefi has been supporting mStable’s bug bounty program for more than 6 months, and disclosed vulnerabilities to the mStable team. Immunefi has been consistently impressed with the effectiveness and professionalism of mStable.
  • Immunefi is building a first-of-its-kind bug bounty protocol to maximise incentives for hackers to disclose critical vulnerabilities to projects.
  • Today, trust remains a major problem for hackers in DeFi. While some hackers trust Immunefi to secure their interests if they report valid vulnerabilities, others adopt a hack first, return funds later approach to ensure they are compensated according to the value of the vulnerability they discover.
  • Immunefi will end this trend by providing unbreakable trust assurances to hackers that they will be compensated for their vulnerabilities. This will further increase the security of participating projects by increasing incentives to disclose vulnerabilities.
  • To provide these trust assurances Immunefi has built an onchain protocol for participating projects to escrow funds, and a council of experts to guarantee that hackers are treated fairly. This council will have the power to disburse funds according to the terms of a project’s bug bounty program. Immunefi sees this as a comprehensive upgrade to its product that dramatically enhances partner security.
  • Furthermore, there will be token incentives for participating projects, rewarding them for operating in good faith with the security community and putting the community interest first. Numerical details are TBD.
  • As one of our first and most supportive partners, Immunefi would like to invite mStable to be a pilot partner of our protocol. To that end, we propose that mStable earmark $100,000 DAI to back its bug bounty program in Immunefi’s future onchain protocol.

What Immunefi needs from mStable to partner here

  • Agreement to earmark, and then deposit, funds equal to its maximum critical bug bounty ($100,000 in DAI today) in Immunefi’s onchain protocol.
  • No further action is required; the program will be run and managed according to mStable’s existing program rules, policies, and technical team. Immunefi will continue supporting mStable’s bug bounty program however possible.

What Immunefi will do

  • Immunefi will inform the mStable core team when the protocol is fully ready for launch, and provide deposit instructions to the team. ETA is at least one quarter, or 3 months.
  • mStable will receive hands-on support from Immunefi team members for launching its onchain integration to ensure a smooth onboarding.
  • As a pilot partner, mStable will receive token incentives for being among the first users of its onchain protocol, with specific reward numbers to be shared with the mStable team at a future date.

Next steps

  • Approval of earmarking funds for future funding of mStable’s bug bounty program onchain
    • $100,000 in DAI

EDITED: Corrected currency.

3 Likes

Something directly in my wheelhouse to comment on!

I’ve been impressed with Immunefi since I first heard about it about 8 months ago. As an infosec professional from the ‘old’ world of network and web assessment, I’ve found the bugbounty situation in Web3 to be fascinating. It’s a potent reversal of the power dynamic between hacker and company. I’ve consistently found Immunefi’s messaging timbre around this topic to be balanced, and I appreciate that.

As for the proposal, I like the idea and I would like bounties to be less reputationally based than they are now. Having projects lock up funds seems like a typical way to do this, and forces projects to formally back up their word on taking bounties seriously.

I’d like there to be more detail about what this token incentive is though, and what mechanism it uses.

3 Likes

This would send a strong signal and these funds are put to good use. I am all for this initiative! In a sense this still allows us to use the DAI in the TreasuryDAO yield farming, but we should not spend the amount?

2 Likes

Thanks @mitchellamador for joining us in here to propose and discuss this. My quick response is that I am for this, I see it as a no brainer. Why?

  • The recent increase in mStable’s TVL and ongoing growth in system complexity (more feeder pools, the upcoming Emissions Controller, more BD collaborations with projects like BadgerDAO increasing visibility of our code, etc.) means that we should be bulking up our bug bounties anyway. It’s probably a separate conversation, but we should consider increasing the current bounty beyond the 100k currently listed on the site, as this initiative is still a while off. mStable Bug Bounties | Immunefi

  • The collaboration with Immunefi thus far has been productive and delivered value to the protocol, with low level bugs being disclosed by Immunefi and promptly squashed by our team.

  • Any token incentives earnt will sit with the TreasuryDAO, adding to our PCV, which is something I’ve been thinking a lot about. I’m personally bullish conceptually on an onchain protocol for bug bounties, and being able to have a say in something like that one day via governance weight could be valuable for the protocol. (making many assumptions here about how the Immunefi protocol would work but I think they are forgivable).

Great to see other Metanauts weighing in with questions, look forward to seeing the responses.

3 Likes

Hi Mitchell,

Thanks a lot for posting this on behalf of Immunefi, and I think this makes a lot of sense.

Having the ability to put these DAI to use, while at the same time creating a really important use case to protect our protocol is a genius idea, and I’m convinced many will follow this innovative trend!

We’ve already ratified this internally, so unless some significant changes happen to this, or any serious opposition is voiced from the community, I’ll take the liberty to post this as a TDP on our forum on the 15th of November 2021 for Meta Governors to vote on.

In the meantime, like @trustindistrust already mentioned, I’d be keen to hear what options the mStableDAO has on allocating these DAI in the ecosystem @mitchellamador, so we can include these options in the vote and save precious time.

Thanks for your feedback everyone. There were a few questions here, so I’ll answer them.

I’d like there to be more detail about what this token incentive is though, and what mechanism it uses.

We haven’t made public the economics yet, but the mechanism is that we will allocate N Immunefi tokens to a reward pool for projects that back their bounties. Tokens will be streamed to projects according to the rank of their bounty relative to the entire pool of bounties.

So mStable, as one of our first partners, is likely to receive a significant share of the initial rewards.

In a sense this still allows us to use the DAI in the TreasuryDAO yield farming, but we should not spend the amount?

Yes, that’s correct. By holding this DAI with us, you would effectively be farming it.

I’d be keen to hear what options the mStableDAO has on allocating these DAI in the ecosystem @mitchellamador, so we can include these options in the vote and save precious time.

As to this question, to start the only option will be with the protocol itself for Immunefi token rewards. In the future, we will make these funds accessible to other money market and lending services, after we have thoroughly reviewed them for security best practices. This will further increase the yield for our users.

3 Likes

Great reading this! I think with MIP 20 being passed, we could transform this into an RFC and create a formal proposal? @mZeroNine

1 Like

Agreed. Done so, and will write up the TDP for this now ✅

All for this proposal. I am constantly impressed by @mitchellamador and the Immunefi team. I think being a pilot partner here will send a strong signal that mStable is serious about its bug bounty program. I think it also makes sense from the Asset Management SubDAO perspective as there are token rewards. Looking forward to seeing how this progresses.

1 Like