TDP 27 - Immunefi Bug Bounty Program

Simple Summary

It is proposed to participate in Immunefi’s upcoming bug bounty protocol launch and to earmark 100,000 DAI from the Funding subDAO for this opportunity. The funds would serve as the bounty and, while custodied in the escrow contract, could also be put to productive use.

Abstract

Immunefi has been supporting mStable’s bug bounty program for more than 6 months and is now upgrading their core product offering to include tokenized protocol governance, and a more capital efficient way to use these bounties.

mStable would therefore like to participate in this new bug bounty product offering and allocate 100,000 DAI to be placed in escrow and custodied by Immunefi.

The underlying collateral will then be used to generate yield and, if a vulnerability is found, to reimburse the bug reporter.

Motivation

Immunefi is the leading protocol in DeFi bug bounties and a long-established partner of mStable, protecting over $80b in user funds across protocols like Yearn, Polygon, Sushiswap, Nexus Mutual, Compound, Synthetix, Arbitrum, Pancakeswap, and 170+ more. Immunefi has prevented over $2 billion USD in direct theft from its partners to date, and far more than that in aggregate economic damages.

Immunefi is building a first-of-its-kind bug bounty protocol to maximise incentives for hackers to disclose critical vulnerabilities to projects.

Today, trust remains a major problem for hackers in DeFi. While some hackers trust Immunefi to secure their interests if they report valid vulnerabilities, others adopt a hack first, return funds later approach to ensure they are compensated according to the value of the vulnerability they discovered.

Immunefi will end this trend by providing unbreakable trust assurances to hackers that they will be compensated for finding vulnerabilities. This will further increase the security of participating projects by increasing incentives to disclose vulnerabilities.

To provide these trust assurances, Immunefi has built an onchain protocol for participating projects to escrow funds, and a council of experts to guarantee that hackers are treated fairly. This council will have the power to disburse funds according to the terms of a project’s bug bounty program.

Specification

What Immunefi will require from mStable

  • Agreement to earmark and deposit funds equal to the maximum critical bug bounty ($100,000 in DAI today) in Immunefi’s onchain protocol.
  • No further action is then required; the program will be run and managed according to mStable’s existing program rules, policies, and bug disclosure specifications.

What Immunefi will provide to mStable

  • Immunefi will inform the mStable core team when the protocol is fully ready for launch, and provide deposit instructions to the team. The ETA for this is during Q1 2022.
  • mStable will receive hands-on support from Immunefi team members for launching its onchain integration to ensure smooth onboarding.
  • As a pilot partner, mStable will receive token incentives for being among the first users of its onchain protocol, with specific reward numbers to be shared with the mStable team at a future date.

Next Steps

Pending no significant changes to its content, this proposal will be taken to snapshot vote on Monday, 6th of December 2021. Voting will be open for a 5-day window to give adequate time for a concurrent discussion. Governors can change their vote at any time should the discussion sway their decision. We look forward to hearing what MTA token holders have to say and seeing how they cast their votes.


If I understand, if no vulnerability is found then no payment will be made. I’m confident in the strategies mStable provides and know that the code is written with security in mind. Despite not having any concerns, this is the right thing to do. It is an important part of the ecosystem. And it is an additional way to make the protocol more secure in the case any vulnerability does exist.


Fully in support, a no-brainer imho.


Echoing Dimsome above, also in full support of this.
