(Off-chain) PTIP-78: Protocol security bounties and payout

Leighton · July 1, 2022, 6:16pm

PTIP-78

Protocol security bounties

This proposal formalizes the security bounty program paid by the protocol. Furthermore it authorizes PoolTogether Inc as the current acting authority for approving protocol security bounties.

Motivation

Maintaining a perfect security record.

Overview

Before the issuance of the POOL token, PoolTogether Inc established a bug bounty program for the smart contracts making up the protocol. PoolTogether Inc paid out one bounty that met the guidelines established by it.

The bug bounty program continues to exist today but there was never a decision to clarify what entity is responsible for paying the bug bounties post decentralization – PoolTogether Inc or the protocol?

The purpose of this post and vote is to clarify this.

Since the bug bounties are exclusively for the smart contracts that represent the protocol. PoolTogether Inc’s suggestion is that they should be paid for by the protocol (similar to how auditing is). For the time being, PoolTogether Inc can continue to be the vetting point for bug reports.

Our second suggestion is that the grant’s team funds be used to payout the bug bounties. This is primarily because a rapid payout is important to satisfy and incentive more security researchers. It doesn’t make practical sense to do a vote for each bug bounty submitted. Additionally, the frequency of bounty payout is highly varied (we have gone previously gone 1.5 years with no valid bounties submitted).

Specification

Formally establish protocol ownership of the bug bounty program for smart contracts
Authorize PoolTogether Inc has the approving authority for reported bug bounties
Authorize grants committee to payout bug bounties approved

Status

Since this vote does not result in any on-chain action. A snapshot vote has been setup. The same standard requirements will apply (100k quorum & majority in favor).

VOTE:
https://snapshot.org/#/pooltogether.eth/proposal/0xb521b6befc3f5b7125d5ee7378b7e449ce155cbcfd26c0bf2665db13f2a42aae

Torgin · July 1, 2022, 6:30pm

For further clarification:
The bug bounties have already been posted to the DAO’s bounty board (by the bounties team) and there have been 2 bug bounties (both high severity, $25k each) found and submitted over the last month.

PoolGrants has paid out the first one already but wanted to make sure that governance gets to officially ratify that the bug bounty budget now falls under the DAO, not PT Inc., before paying out more bug bounties using treasury funds.

Torgin · July 1, 2022, 6:32pm

I personally support the DAO taking responsibility for the safety of its smart contracts, as they are now controlled by governance.

A bug bounty program is immensely important for any protocol’s security.

Lonser · July 1, 2022, 6:46pm

Thx for the write up @Leighton !

I think everybody is in support of continuing the bug bounty program and I think the amount is appropriate for a high risk security bounty. Formalizing it and making clear that the DAO pays for it through Grants makes sense in my opinion

Tjark · July 4, 2022, 4:34pm

Push! Ends in 11 hours!

Topic		Replies	Views
TBR-Q4-2022 - PT Inc Protocol Team PT Budget Requests Q4-2022	10	853	November 1, 2022
PTIP-14: PoolTogether Grants Committee PT Improvement Proposals	5	2200	May 21, 2021
Proposing a PoolTogether Bounties Team	2	509	April 26, 2022
TBR-Q1-2023 - PT Inc Client Team PT Budget Requests Q1-2023	0	442	December 16, 2022
Vulnerability Disclosure: Twab Rewards 📣 Announcements	1	824	June 1, 2022