AIP-134: Bug Bounty Program for AIP-21 Updates

My name’s Austin and I’m a cofounder of Llama. Llama is a contributor DAO which means we’re a collective of engineers, data scientists, quants, researchers, and DeFi specialists who work with the leading protocols and communities.

We don’t view ourselves as a separate entity from the projects we work with. We aim to be a core contributor, active governance participant, and ensure we’re always incentive-aligned with the long-term goals of the DAO. Sometimes community members of the DAOs we work with even end up joining Llama as they become more familiar with us.

The bug bounty program and Llama’s role

We’ve been brainstorming internally for a couple months on how we can best contribute to ApeCoin. This bug bounty program is a critical initiative for ensuring the long-term security of the staking system and aligns well with our skillset.

Although Immunefi will generously offer us full support, their main focus is on being a software provider and vulnerability disclosure platform. As a platform, they require a partner who can process bug reports as they come in, and decide the validity of reports and subsequent bounties. Llama’s role in this process is to:

  • Write the program overview so whitehats have as much context as possible
  • Determine bounty rewards and classify their impact based on the Immunefi Vulnerability Severity Classification System - v2.2
  • Determine what specific impacts are in-scope of the bug bounty program and explicitly communicate which impacts are out of scope
  • Set the rules for the program to ensure whitehats are acting in good faith and we don’t promote any negative behavior
  • Review bug submissions and escalate based on severity
  • Provide a great experience for whitehats by answering all questions and processing successful identifications quickly
  • Adjust the program if needed
  • Keep the community updated on the status and effectiveness of the program

Expected timeline

  • 11/10/22-11/24/22: The bug bounty program for the Goerli testnet staking system smart contract goes live. The program will run for 2 weeks.
  • 11/24/22: The staking contract is deployed to mainnet…
  • 11/24/22-12/8/22: Users will have 2 weeks to pre-commit their tokens and NFT for staking.
  • 12/8/22: Bugs will be addressed as they are reported. Assuming there are no critical or high severity findings, the contract will be funded and rewards will begin accruing.

Incentive alignment

We hope this is the beginning of a successful working relationship between ApeCoin DAO and Llama. To show our long-term alignment, if the proposal succeeds we commit to not sell any APE for at least a year and to become an active governance participant in the community.

We will use this topic to keep the community updated as the program progresses and answer any questions!

21 Likes

Welcome to the DAO @austin and thanks for creating an ongoing thread for news and updates on all things Bug Bounty and Llama - I’m presuming that’s what this is🤔.

Look forward to your continued participation in the DAO alongside the work you’ll be doing in the Bug Bounty lane.

Peace ✌🏽
SSP - Vote for Me

PS - when you get a moment, please take a quick read at my tip for new DAO members here

7 Likes

Welcome @austin and thank you for writing this up!

6 Likes

Welcome @austin and Llama team! We look forward to working with you guys! Thank you for keeping us updated going forward. 🙂

5 Likes

Thank you for your introduction of Llama @austin. I am happy to hear of your alignment with the goals of the ApeCoin DAO. Look forward to continued open communication with your group.

5 Likes

Yes exactly, this is for ongoing updates! Thank you for the support everyone.

It’s worth noting that we chatted with @Amplify + other apes on the Ape Comms community hour on Friday. We go into deep detail on Llama and the Bounty Program. Here’s the recording if anyone is interested - https://twitter.com/i/spaces/1RDGlaDZgWlJL

8 Likes

Nice, stick to the plan, let’s make it big in December.

3 Likes

Welcome @austin!! Thank you for the detailed write-up, looking forward to working together 😃

5 Likes

Welcome @austin to the ApeCoin DAO, will look forward to seeing you and the team increase their participation over time! Glad to have you <3

4 Likes

Welcome @austin! Thanks for the introduction to Llama and the updates! Looking forward to your future updates with the Bug Bounty and your continued participation in the DAO ❤️

3 Likes

Thanks for the warm welcome everyone! Members of Immunefi, Llama, Horizen, and the ApeCoin foundation have spent this week getting the program ready. Looks like we’re going to launch around 5PM EST tomorrow but I’ll post here if that time changes.

Let me know if anyone has questions in the meantime.

11 Likes

Awesome, thanks for the update!

4 Likes

Great to know!! This is the kind of accountability we need.

1 Like

FYI I will still be here to answer questions but we’re going to make official announcements from the @llama account!

5 Likes

Exciting news - the testnet bounty program is live! View the details here: https://twitter.com/llama/status/1590827497377366016

As a reminder the initial version of this bounty program will run for two weeks on an Ethereum testnet. This will allow us to make changes if any vulnerabilities are discovered before launching staking. Once staking launches on mainnet, there will be another bounty program that will last the duration of the staking program.

We’ll keep posting updates on the program throughout the next two weeks and ensure we continue to stick to the timeline mentioned above. Let us know if you have any questions!

12 Likes

Thanks for the updates, Austin. Appreciated.

2 Likes

@austin Is there a dashboard or some kind of way to see how many users are actively participating in the bug bounty?

I realize this might be hard to track, but I’m wondering if there’s a way to tell how many sets of eyes have been on the project? 5? 10? 100? 1000?

5 Likes

@RedVulkan So far we’ve received about 15 submissions! Submission quantity isn’t too important though. It’s more important to surface one critical vulnerability than thousands of minor ones.

This will be especially valuable after the mainnet deployment. Anyone who finds a vulnerability has a clear place to submit it and be rewarded if their effort is credible. This can save a lot of wasted time trying to find where to report and removes the potential risk of disclosing a critical vulnerability to the wrong party. Let me know if that makes sense!

9 Likes

Thank you! That is great info! Agreed, one critical one can be more impactful than hundreds/thousands of minor ones. Was just curious about some early metrics. Thanks for sharing!

4 Likes

Sorry one last point I wanted to clarify, when you say “submissions” does this refer to things people believe to be bugs but they will need Llama/Immunefi to review and confirm first?

3 Likes