AIP-134: Bug Bounty Program for AIP-21

AIP Idea: Bug Bounty Program for AIP-21

Proposal Name: Bug Bounty Program for AIP-21

Proposal Category: Process

Abstract:

As we near the launch of the ApeCoin staking system outlined in AIP-21 and AIP-22, we propose taking additional measures to ensure the DAO is following smart contract security best practices. This proposal uses treasury assets to fund a 1 million $APE bug bounty program with Immunefi, and partners with Llama to help design, implement, and run operations of these initiatives.

This proposal would go into effect ahead of staking rewards beginning to accrue with AIP-21. The smart contract for AIP-21 is currently live on testnet so the bug bounty program can go into effect shortly after the AIP passes.

This proposal will delay staking rewards by roughly 3 weeks. If this proposal passes, staking rewards would begin accruing on 12/7, rather than 11/14. Though the 3 week delay is unfortunate it is vastly preferable to a security breach as a result of not following security best practices. We believe it is very beneficial for the DAO to approve this program.

Motivation:

We have all seen the headlines around massive protocol hacks. Chainalysis released a report yesterday saying that over $3 billion has been stolen by hackers this year alone (tweet 2, article 2). A couple of weeks ago, a vulnerability in the official Binance Smart Chain bridge allowed an attacker to run away with over $100M in stolen funds. Given this staking program uses a new architecture that includes committing NFTs, we believe it is prudent to run a bug bounty program ahead of any rewards being accrued to holders. Traditional audits can mitigate some of the smart contract risk, but audit contests and bounty programs provide additional layers of security to identify bugs and keep users safe.

AIP-21 is launching soon. The smart contract has already been through at least one audit (link), but we believe a short code4rena audit contest + dedicated bug bounty program is imperative given the expected size of the program (17.5% of APE supply over 3 years).

Rationale:

17.5% of total APE supply will go towards the staking program outlined in AIP-22. Given the significant allocation of treasury resources, we believe an ongoing bug bounty program is a prudent initiative.

The bug bounty program would allow us to incentivize a community of white hat hackers to find potentially costly bugs with the staking program. An ongoing program will allow us to address new vulnerabilities as they are discovered, ensuring APE holders are safe.

The bug bounty program will be funded as long as staking is live, or until the APE requested has been distributed to white hat hackers. Security is an ongoing effort, not a one-time thing.

Specifications:

1 million $APE budgeted for a bounty program for AIP-21.

Implementing a bug bounty program requires upfront setup and ongoing maintenance. This includes:

  1. Designing the program specifics. This includes designing the rules and rewards to optimize success. In the interest of time, we recommend Immunefi and Llama be given the flexibility to architect the program specifics.

  2. Setting up a team to process reports. We will need to review each bug reported, triage its severity, and escalate as needed. Bugs include minor bugs that are not critical, but still need to be reviewed.

  3. The review process will require at least 1-2 engineers (from Horizen Labs’ team) as well as a system designed for escalation as needed.

  4. Ongoing maintenance, such as reviewing and adjusting the program as appropriate.

  5. Operational support in ensuring payout of rewards.

Once the program is designed and live, it will run for 2 weeks prior to the smart contract being deployed. Following the smart contract deployment, there will be a 2 week pre-commitment period for staking as originally intended.

After staking goes live, the bug bounty program will operate in perpetuity, co-managed by Immunefi and Llama. After launch, the program may be adjusted from time to time to ensure the most optimal structure.

Ensuring the right incentives and program structure are critical to have an effective bug bounty program. Immunefi is an industry leader in the space, and has the experience to support and implement this program on behalf of the DAO. Operationally, the DAO will need a representative to coordinate between Immunefi and the Horizen smart contract engineers to operationalize the program. Llama has offered to support the DAO in this effort.

Working with Llama

Llama is a DAO that contributes to leading protocols and communities such as Aave, Nouns, Uniswap, dYdX, Lido, FWB, and Maker. They work on smart contract development, treasury strategies, liquidity incentives, grants programs, and analytics dashboards. Their contributors are among the most active in crypto governance and include engineers, data scientists, DeFi strategists, quants, and accountants.

To run an effective bug bounty program, the DAO needs an experienced team to represent its interests and coordinate between all the different stakeholders. Llama will collaborate with the Immunefi team to design the parameters of the bug bounty program and coordinate between all the different stakeholders. Llama will also be the first point of contact as potential vulnerabilities are reported. Llama will make frequent governance forum posts and host Twitter Spaces to ensure the ApeCoin community stays informed throughout this process.

A bug bounty program cannot go live until the DAO has secured funding for the rewards. Given the timeline outlined here, we have requested Llama and Immunefi be given discretion to architect the specifics of the program, using a flat fee at the start and transitioning into a scaling reward paradigm once staking formally begins. The $APE will be allocated as the teams see fit to best drive security outcomes with check-ins every 3 months to share the status of rewards.

Designing and implementing the program will take time and effort but Immunefi and Llama are aware of the community timeline.

Steps to Implement:

Once approved, Immunefi and Llama will sign a grant agreement with the Ape Foundation.

Immunefi and Llama will collaborate to design a program that maximizes efficacy and minimizes time required.

Timeline:

  • Voting for this AIP will end 11/3. Llama and Immunefi will have up to 7 days to design and implement the bug bounty program. The bug bounty program will take effect as soon as the parameters and scope are agreed upon.
  • The bug bounty program for the Goerli testnet staking system smart contract goes live on 11/10.
  • The bug bounty program will run for 2 weeks on testnet, to confirm that no critical vulnerabilities surface.
  • Smart contract is deployed to mainnet on 11/24.
  • Users will have 2 weeks to pre-commit their tokens and NFT for staking.
  • Bugs will be addressed as they arise, but assuming no critical bugs are found, the smart contract should be funded and rewards begin accruing on 12/7.

The bounty program will remain in place until the earlier of: a) the staking program ending; or b) the prize pool being depleted.

  • If and when funds in the bounty program are depleted, the program committee will present a new proposal for further funding.

This proposal will delay staking by roughly 3 weeks. Originally, staking rewards were expected to go live on 11/14. Though the 3 week delay is unfortunate it is vastly preferable to a security breach as a result of not following security best practices. We believe it is very beneficial for the DAO to approve this program.

Overall Cost:

A total budget of 1 million $APE (roughly $4.5 million based on 30-day average $APE price).

Operational costs are minimal, and the majority of the budget will be used to fund prizes for the program.

Bounty rewards will only be paid if bugs are found, and any funds unallocated at the end of the staking period will be returned to the DAO.

The funds requested will be allocated as follows:

  • Bug bounty rewards can be tiered based on the severity of the exploit, or can be based on % of value at risk. Llama and Immunefi will structure the program within the 1 million $APE budget being requested.
  • 10,000 $APE (~$45,000) paid to Llama upfront, for operating the ongoing program on behalf of the DAO. Llama commits to not selling their $APE for at least a year, and plans to use these tokens to actively participate in the ApeCoin DAO.
  • 10% performance fee paid to Immunefi on any vulnerabilities discovered (i.e. if a white hat hacker is paid $100,000 for a bug they discovered, Immunefi will receive $10,000).

4 Likes

Definitely a must have before the DAO starts building contracts with major dependencies. In general, great call. The question is, actually how much? A percentage of the treasury? Or does the DAO cap the max reward to ensure it gets a certain number of fixes out of the budget?

7 Likes

The maximum proposed here is 1 million APE, which is a very reasonable range given the stakes involved! To be clear, this particular AIP is focused only on securing AIP-21. I would agree with you that a general bug bounty program should also be considered. It may make sense to do so for projects of a certain size.

7 Likes

oh ok I thought this was general.
(duh, it says it right in the title)… I blame lack of coffee

2 Likes

You’re not crazy! I updated the proposal to be focused solely on AIP-21. I’d like to try the program out for this contract, and if it’s successful then I suggest we do a more dedicated program. My initial thought is that a dedicated program will be funded with a fixed amount of APE that will be used by any/all bounty programs that are being run. Every time the pool is depleted, we would submit a new AIP to “re-up” the program.

We could also run bounty programs ad hoc, but this won’t scale well unless we come up with a framework or template for rewards / scope. Would love to hear if anyone in the ecosystem has done something like this.

8 Likes

This is very obviously a great idea.

Selfishly though, I wanted APE staking sooner than later.

Thank you @maariab for consistently putting forth common sense, supportive AIPs.

7 Likes

Great idea! Where the heck was this idea MONTHS ago though? Yet another thing to throw at staking to delay it … smh.

The original AIP for staking includes an audit and QA.

Why not include this then vs after a staking “go-live” date has already been announced.

16 Likes

Hindsight is always 20/20. This definitely should have been proposed months ago, but who is responsible for proposing it? All of us. We are all responsible for not drafting an AIP sooner.

9 Likes

Immunefi - "If you're not using Immunefi, you're not taking security seriously." - Jaynti Kanani, Polygon Co-Founder. They might be a good option. They have a great reputation and have the resources / know-how to spin up a program pretty quickly while still being effective.

4 Likes

No thanks, as far as I know the staking contracts are audited by professionals already.
Priority should be to not delay the staking again. The bug bounty program can also be done after the staking goes live without the need of a 5-week delay; all the bounties on ImmuneFi are for protocols that are live and running. Btw, a similar proposal should have been proposed months ago, not 2 weeks before the official date for the staking.

14 Likes

I strongly agree with this point.

This proposal should have come up sooner than 14 days before launching the Apecoin staking. This has been in preparation for a few months already. We saw quite an unreliability in the form of @Apecoin Twitter communication, which caused a minor hit in trust & reliance on Apecoin DAO communication on their social media channels (Staking Spaces canceled, a new date should be updated shortly, and still after a few weeks we do not have a new date for the Spaces).

Hacks are happening all the time, not only in the last few weeks. I believe that Horizen Labs hired an excellent independent auditor who checked contract safety. I suppose they will publish the contract before the launch for further separate checks, as Machi Big Brother proposed.

  • It would be nice to have Horizen Labs’ point of view, whether they would vote for that and see it as essential
  • It would be nice to see the results of the main auditor’s findings

This is very important for the many people who invest their money to be able to take part in Apecoin staking, so we need much more information to agree with postponing, which will cause another bigger price hit for $APE.

On the other hand, I believe, that it is a good idea to have an open bounty program over the whole period of Apecoin Staking. But without delaying the whole thing.

16 Likes

I’m all for doing a big bounty. Also who cares if staking delays a month or so we’re in the middle of bear market.

2 Likes

This timing can’t be serious. A date has already been announced by Horizen.

This proposal should have been done months ago, not 2 weeks before the staking date. There is a serious lack of communication on the entire staking building process.

The contract has been professionally audited. It’s totally fine to have a bug bounty program but it should not delay the whole thing again. Let’s open a bug bounty program while ApeCoin staking is live; it will be perfectly fine like this.

And if the staking contract is ready, let’s open it for review during the 1-2-3 weeks we have before the official date.

12 Likes

We care if we can believe Apecoin’s communications, credibility, and promises to us as a community.
If not, nothing else matters.

5 Likes

Bridges and staking contracts are totally different. Comparing the two is dishonest or just ignorant. If this was needed it should have been proposed weeks ago. The Apecoin Foundation needs to get its act together, this is embarrassing.

“At least one audit” is laughable too. You should know how many audits it’s had, and that should be communicated prior to this vote.

4 Likes

This is kind of a tough one. I do think it is extremely important to make sure the contract is safe, but the delays keep stacking up. Do we really need this to be part of an AIP? If Horizen can get the contract published ASAP, we can get the eyes of the entire NFT community on this. As far as incentivizing rewards, I don’t think a million ApeCoin is needed; tons of top-notch coders within this space will offer assistance without needing that massive a reward. But in order to get the ball rolling on this ASAP, we might be able to get some within the community to offer a reward, and then we can try to get those people their ApeCoin back with an AIP down the road if a bounty needs to be paid out. An even better idea would be having Horizen or one of its connected partners take it on the chin for now and use the AIP process later on to get their ApeCoin back should a bug be found.

TLDR: Bug bounty does seem essential but figuring out a way to get the ball rolling on it without having to wait for this AIP process to finish out would be hugely beneficial.

11 Likes

If the plan is to launch staking on October 31st ish, I assume the contracts are complete and undergoing audit? Why not release the contracts publicly now so people can take a look if they want. Also if there were to be a bug even after audits, wouldn’t it make sense for Horizen to do damage control since they are the creators?

9 Likes

Although people are angry that this proposal is seemingly late, it’s everyone’s fault that it is, including the people complaining and wanting to move forward without it. Why? This. is. a. DAO. Like @Amplify said. If something goes wrong, it’s all our fault, because everybody has the power to raise this issue. I think we all know there is a real need to pass this regardless of delays, because every precaution should be made to protect the protocol and the brand.

I for one will feel much more comfy putting my money in the staking protocol long term if this passes. We’ve all been waiting on staking, including me, but once it’s here, it’s here! Let’s get it right.

5 Likes

Fyi. Dean from Horizen tweeted that their team will publish the contract and the complete documentation early this week.

4 Likes

I echo this statement. Why are we just now drafting this idea this late in the game? I am really not in favor of delaying staking any further. When AIPs 21/22 passed the vote back on May 4, 2022 there was a projected timeline of 12-16 weeks to get this staking mechanism built out and audited and implemented.

Horizen Labs has stated they are ready to launch 10/31 and there has been an audit performed. I am not opposed to any further bounty programs being ran, but I am heavily opposed to delaying staking any further.

I do think there has been ample time to get this system implemented, as we have already delayed once. Now this draft for further bug bounties would push the staking back at least another 2-4 weeks when we were literally 14 days from the target date for staking implementation.

I understand the need to get this right, but isn’t that why Horizen Labs was hired to create a robust, quality staking mechanism? I am okay with a bounty program if it doesn’t cause major delays. I think the communication surrounding this should have been way better and the Ape Coin Community shouldn’t be constantly hit with surprises regarding this AIP.

Up to this point, I feel like we have been over-promised and under-delivered with delays and missed target dates. Moving forward I want to see things given a more realistic and true timeline. I’d prefer we move along the lines of an under-promise and over-deliver motto moving forward. This is my honest feedback and, as you can tell, I have grown increasingly frustrated by the delays, communication, and lack of transparency surrounding these processes.

14 Likes