My name’s Austin and I’m a cofounder of Llama. Llama is a contributor DAO which means we’re a collective of engineers, data scientists, quants, researchers, and DeFi specialists who work with the leading protocols and communities.
We don’t view ourselves as a separate entity from the projects we work with. We aim to be a core contributor, active governance participant, and ensure we’re always incentive-aligned with the long-term goals of the DAO. Sometimes community members of the DAOs we work with even end up joining Llama as they become more familiar with us.
The bug bounty program and Llama’s role
We’ve been brainstorming internally for a couple months on how we can best contribute to ApeCoin. This bug bounty program is a critical initiative for ensuring the long-term security of the staking system and aligns well with our skillset.
Although Immunefi will generously offer us full support, their main focus is on being a software provider and vulnerability disclosure platform. As a platform, they require a partner who can process bug reports as they come in, and decide the validity of reports and subsequent bounties. Llama’s role in this process is to:
Write the program overview so whitehats have as much context as possible
Determine what specific impacts are in-scope of the bug bounty program and explicitly communicate which impacts are out of scope
Set the rules for the program to ensure whitehats are acting in good faith and we don’t promote any negative behavior
Review bug submissions and escalate based on severity
Provide a great experience for whitehats by answering all questions and processing successful identifications quickly
Adjust the program if needed
Keep the community updated on the status and effectiveness of the program
Expected timeline
11/10/22-11/24/22: The bug bounty program for the Goerli testnet staking system smart contract goes live. The program will run for 2 weeks.
11/24/22: The staking contract is deployed to mainnet…
11/24/22-12/8/22: Users will have 2 weeks to pre-commit their tokens and NFT for staking.
12/8/22: Bugs will be addressed as they are reported. Assuming there are no critical or high severity findings, the contract will be funded and rewards will begin accruing.
Incentive alignment
We hope this is the beginning of a successful working relationship between ApeCoin DAO and Llama. To show our long-term alignment, if the proposal succeeds we commit to not sell any APE for at least a year and to become an active governance participant in the community.
We will use this topic to keep the community updated as the program progresses and answer any questions!
Welcome to the DAO @austin and thanks for creating an ongoing thread for news and updates on all things Bug Bounty and Llama - I’m presuming that’s what this is🤔.
Look forward to your continued participation in the DAO alongside the work you’ll be doing in the Bug Bounty lane.
Peace SSP - Vote for Me
PS - when you get a moment, please take a quick read at my tip for new DAO members here
Thank you for your introduction of Llama @austin. I am happy to hear of your alignment with the goals of the ApeCoin DAO. Look forward to continued open communication with your group.
Yes exactly, this is for ongoing updates! Thank you for the support everyone.
It’s worth noting that we chatted with @Amplify + other apes on the Ape Comms community hour on Friday. We go into deep detail on Llama and the Bounty Program. Here’s the recording if anyone is interested - https://twitter.com/i/spaces/1RDGlaDZgWlJL
Welcome @austin! Thanks for the introduction to Llama and the updates! Looking forward to your future updates with the Bug Bounty and your continued participation in the DAO
Thanks for the warm welcome everyone! Members of Immunefi, Llama, Horizen, and the ApeCoin foundation have spent this week getting the program ready. Looks like we’re going to launch around 5PM EST tomorrow but I’ll post here if that time changes.
Let me know if anyone has questions in the meantime.
As a reminder the initial version of this bounty program will run for two weeks on an Ethereum testnet. This will allow us to make changes if any vulnerabilities are discovered before launching staking. Once staking launches on mainnet, there will be another bounty program that will last the duration of the staking program.
We’ll keep posting updates on the program throughout the next two weeks and ensure we continue to stick to the timeline mentioned above. Let us know if you have any questions!
@RedVulkan So far we’ve received about 15 submissions! Submission quantity isn’t too important though. It’s more important to surface one critical vulnerability than thousands of minor ones.
This will be especially valuable after the mainnet deployment. Anyone who finds a vulnerability has a clear place to submit it and be rewarded if their effort is credible. This can save a lot of wasted time trying to find where to report and removes the potential risk of disclosing a critical vulnerability to the wrong party. Let me know if that makes sense!
Thank you! That is great info! Agreed, one critical one can be more impactful than hundreds/thousands of minor ones. Was just curious about some early metrics. Thanks for sharing!
Sorry, one last point I wanted to clarify: when you say “submissions”, does this refer to things people believe to be bugs but they will need Llama/Immunefi to review and confirm first?