Finished

JBP-194: Update JBP-42 - JBX Bug Bounty

Author

Anon

Cycle

24

Title: Update JBP-42 - JBX Bug Bounty
Author: Nicholas
Date: 2022-06-02

Thesis

Revise JBP-42 to point previously allocated funds (50 ETH) toward a v2-focused Immune.fi bounty.

Abstract

https://snapshot.org/#/jbdao.eth/proposal/0xd75c8a544a050b1541b95a1350c314e32d8e5a43b126967699db3799c3b1a375

Motivation

The original proposal is outdated and should be revised in light of recent protocol development. With the launch of V2, I propose that we execute the original proposal of funding a 50 ETH bug bounty through Immune.fi, updated to focus exclusively on the V2 protocol (contracts). The program gives devs who discover bugs in the protocol a way to report them for a reward proportional to bug severity. Without such a program, devs who find bugs can only be sure to profit by executing exploits.

Risks

  • Capital - Juicebox has passed through 2 traditional audits. If there are no bugs, then there is no need for a bug bounty.
  • Insufficient size - If a dev finds a bug in V2, they may be motivated to sit on it until a large project raises a massive amount of funds on V2 in the future, when they can exploit it, rather than collecting a portion of the meagre 50 ETH bounty proposed here. Hopefully we can expand the program in future governance proposals to mitigate this risk.
  • Frontend - A bug could be exploited in the frontend, and this proposal does not cover frontend bugs.
  • Specificity - Implementation details such as which address to send ETH to are left to @Anonymous and @Mr. Goldstein. The proposal could fail or underperform because of this lack of specificity.

Specification

Finalize Immune.fi bug bounty sponsorship with 50 ETH (<1% of the treasury).

Detailed next steps (from ImmuneFi docs):

  • Fill out Immunefi questionnaire (currently waiting to receive)
  • Immunefi begins drafting up a bug bounty program based on answers to those questions
  • After modifications are done, the process is handed over to Immunefi’s launch specialist
  • The launch specialist works with JBDAO to figure out the launch time and bounty PR/marketing details

Fees

  • 10% Immunefi performance fee, charged on top of each payout for vulnerabilities found and paid to Immunefi
  • No upfront cost
  • Projects set their own payout amounts
  • Rewards can be paid in the project's own token/coin

Post launch steps:

  • Update ImmuneFi if we find bugs ourselves, as they will be marked as known issues and ineligible for bounties

Measurement of Success:

  • This proposal will be successful if a JB v2 bounty for $100k is set up on Immunefi (+ a $10k fee to Immunefi) by the end of July.

Deadline:

If the proposal is not executed by the end of July, revoke allocation of $110k to this proposal. A future proposal may reallocate funds to a similar project.

Rationale

The prior proposal was not executed for V1 and V1.1, and should be updated and executed to secure the V2 launch.

This proposal will be the first time JBDAO creates an official Immune.fi bug bounty. If it goes well, we can consider expanding the program, given that 50 ETH (~$85,000 at current price) is a tiny bounty program for securing a protocol that has already had over $100 million flow through it.

The Immune.fi bounty differs in purpose from the Code4rena proposal and the prior audits. Formal audits are good for a detailed look at the code. Code4rena is great for mobilising a larger number of devs to work through the code and possibly spot bugs that the small teams of dedicated auditors missed. Immune.fi is a bug bounty intended for post-launch: if someone finds a bug, they can either exploit the protocol or claim the Immune.fi bounty. Each of these serves a different purpose, and this is why each deserves funding.

Timeline

June 4-30: Coordinate with Immunefi to prepare bug bounty details

July 1-15: Launch bounty (date pending confirmation from Immunefi)

Copyright and related rights waived via CC0.
