Summary 📑

Switch the current bug bounty program from V1 over to the new V2 Version of Spool.

Proposal 📬

As the switch from V1 to V2 of Spool is just around the corner adjacent infrastructure and programs have to migrate with it.

Currently, the Spool bug bounty program is still running for V1. Congruent with the protocol switch to V2, the bug bounty program must also be transitioned to incentivise the correct bug-checking behaviour.

The current Spool bug bounty program is focused on our smart contracts and on preventing:

• Loss of user funds
• Loss of treasury funds
• Unable to call smart contract
• Permanent freezing of the funds
• Theft of principal funds
• Theft of unclaimed yield funds

It will continue to function in the very same manner but for the V2 code base of Spool. Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.1. This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.

Rewards by threat level:

Critical 50 000 to 1 500 000 USD High 20 000 to 50 000 USD Medium USD 5 000 Low USD 1 000

You can find more details on the allocation at https://immunefi.com/bounty/spool

Motivation 🔥

With all we do at Spool DAO we thrive for high quality. Without saying, this goes for our underlying smart contract structure and overall code base. But, we all are humans as well, and even more professional eyes are better than less. Therefore, a bug bounty program for identifying risks before they arise is one reasonable approach to keeping the code quality at the maximum.

Vote 🗳

With “Yes” you vote to migrate the current bug bounty program for V1 of Spool over to V2, with “No” you vote against making this transition.