This proposal is aimed at harmonizing and upgrading the bug bounty and consists of:
- Getting an approval for the bug bounty critical issue payout, discovered by an Immunefi whitehat in August 2022. The amount is $150,000 + 10% for Immunefi. The same proposal intends to grant ad-hoc power to financial multisig to grant bug bounty payouts in cases when developers overseeing the bug bounty program confirm & fix the issues if presented. That is, to avoid redundant governance voting procedures.
- The bug bounty program for V2 going forward should be upgraded in order to adhere to the highest possible security standards. Payouts up to $200,000 USD or more.
On August 12, 2022, all 4 Credit Managers were paused via the pause function due to a bug reported on Immunefi. That happened quickly after developers confirmed the bug and tested the vulnerability. A week later (an inexcusably long pause which should never happen again, especially as the protocol grows) the fix was made, tested, soft-audited & deployed, and the protocol was unpaused. A post-mortem is to follow soon; see Discord for more info.
As per the program details set up previously, the payout is:
- $150,000 as CRITICAL ISSUE to the designated addresses confirmed by the whitehat: 0xEab01F3A309f680B08a28B9ED3aFF417ca0E4345
- 10% of that is Immunefi’s fee, i.e. $15,000, to the designated address confirmed by the Immunefi team: immunefi.eth
As the DAO now controls the protocol & all its operations, this vote is to approve the payout of the bug bounty as confirmed by the protocol developers. Next to that, the second part of the vote (1.2) is to allow the financial multisig to release payments according to the bug bounty structure in cases when developers overseeing the bug bounty program confirm & fix the issues presented. That is, to avoid redundant governance voting procedures.
As the DAO treasury now has more funds, security spending could be increased in order to reflect the growing complexity of Gearbox Protocol. Current composition is:
- Low: up to $5,000
- Medium: up to $10,000
- High: up to $25,000
- Very High: up to $75,000
- Critical: up to $150,000
NEW suggested program:
- Low: up to $5,000
- Medium: up to $25,000
- High: up to $75,000
- Critical: up to $200,000
V1, which is currently unable to open new accounts or borrow more leverage, has very isolated risks, so it does not need an upgrade. It will likely remain functional for only a few weeks, until the end of September (deprecation is already ongoing, with Credit Account users winding down). As such, the upgrade only concerns V2 once launched.
Once V2 is deployed and live, developers shall communicate the relevant scope (all protocol aspects) to the Immunefi team & update the protocol docs accordingly. The scope and the rules shall stay the same as for V1, while the deployed contracts will naturally be different.
Since we are on the topic of security, there are a few things non-dev community members & DAO contributors might want to point out and discuss. As you can see from the audits & spending, from the bug bounty and the open approach, Gearbox (previously as a team, and now as a DAO) spends a lot of time, effort, and capital on improving protocol security. That is, doing everything humanly possible to secure user funds and prevent hacks. However, no number of audits can ever guarantee full safety. As such, there are multiple concurrent programs live:
- Audits (V2 incoming) for every protocol update or new adapter implemented
- Risk Committee now also assisted by Risk DAO temporarily
- Multisigs with tech-savvy members across the globe and from different social circles, helping cross-check every transaction
- Automatic pause system able to pause (only pause) different protocol pieces
- Live bug bounty on Immunefi incentivizing whitehats
- Transparent communication throughout all updates & decisions (hopefully)
- Etc… please ask and suggest policies to be checked & implemented.
Let’s have this discussion for a few days, and then vote on Snapshot if we reach rough consensus at least on the first point, as the whitehat is pending a payment. Other topics suggested can be turned into separate proposals in later stages.