Bancor, by 0xa521E425f37aCC731651565B41Ce3E5022274F4F tenzent.eth

Proposal: Increase Bancor’s Bug Bounty Payout on Immunefi

Voting ended over 4 years ago. Succeeded.

This proposal is expected to appear on Snapshot for voting on 2021-11-07 at 12:00:00 UTC. Make sure to stake your vBNT for voting before this date and time to participate in the DAO decision.

Summary:

This proposal is seeking to increase the payout for the following vulnerabilities:

• critical level vulnerabilities from the current $100K to $250K (plus an additional $50K from armor alliance, $250K is covered by us)
• high level vulnerabilities from the current $12K to $50K
• medium level vulnerabilities from the current $4K to $10K

Abstract:

Our current bug bounty payout is severely lagging behind our competitors and we should increase our bounties in order to be more in line with other DeFi protocols. The Bancor protocol currently holds over 1B+ in assets (half of which is protocol-owned $BNT). Increasing our bug bounty should inspire more confidence from our users and potentially drive more deposits into the protocol. More importantly, a higher bounty should attract white hat hackers that could potentially alert us to any vulnerabilities before they get exploited by malicious actors.

The current language for the Bancor bounty on Immunefi is the following:

Payouts for Low to High bug reports as well as the first USD 50 000 of Critical bug reports are handled by the Bancor core devs directly and are denominated in USD. However, payouts are done in BNT. For Critical bug reports, the remaining USD 50 000 is paid by ArmorFi under the Armor Alliance Bug Bounty Challenge in ARMOR with a vesting period of up to 24 months.

as compared to the SushiSwap language which is the following:

Payouts are handled by the SushiSwap team directly and are denominated in USD. Payouts worth USD $100,000 and below are done in USDC. Payouts beyond USD $100,000 up to USD 1,000,000 are made in SUSHI, though the first $100,000 can be made in USDC if requested. Payouts above USD 1,000,000 have the remainder paid in ARMOR under the Armor Alliance Bug Bounty Challenge with a vesting period of up to 24 months.

I am proposing the following revised changes:

Payouts are handled by the Bancor core devs directly and are denominated in USD. Payouts worth USD $100,000 and below are done in USDC, USDT, or DAI. Payouts beyond USD $100,000 up to USD $250,000 are made in BNT, though the first $100,000 can be made in USDC, USDT, or DAI if requested. For Critical bug reports, an additional USD $50,000 is paid by ArmorFi under the Armor Alliance Bug Bounty Challenge in ARMOR with a vesting period of up to 24 months.

Motivation:

Below is a comparison between us and SushiSwap to get a sense of how far behind we are:

SushiSwap: https://immunefi.com/bounty/sushiswap/

We can also see that Aave has implemented a $250K bounty for severe vulnerabilities that are almost certain to be exploitable:

Aave: https://aave.com/bug-bounty/

Curve follows a similar approach with a payout of $250K for high vulnerabilities that are almost certain to be exploitable:

Curve: https://curve.fi/bugbounty

Our friends at Uniswap have a payout of up to $500K for any vulnerability that leads to the loss of LP funds:

Uniswap: https://uniswap.org/bug-bounty/

Balancer takes this a step higher by offering $2M for critical severity vulnerabilities:

Balancer: https://docs.balancer.fi/concepts/security/bug-bounties

For:

Increase the payout on the following vulnerabilities:

• critical level vulnerabilities from the current $100K to $250K (plus an additional $50K from armor alliance, 250K is covered by us)
• high level vulnerabilities from the current $12K to $50K
• medium level vulnerabilities from the current $4K to $10K

Against:

Do not change the payout on any of the vulnerabilities

Off-Chain Vote

FOR: 3.24M (100%)
AGAINST: 0 (0%)

Timeline

Oct 30, 2021: Proposal created
Oct 31, 2021: Proposal vote started
Nov 03, 2021: Proposal vote ended
Mar 15, 2024: Proposal updated