AIP-155: Should we fund an ongoing bug bounty program for all AIP’s that introduce security risk?

Abstract:

AIP-134 recently requested budget to support the setup of a bug bounty program for the staking system. This proposal suggests we expand the budget and timeline + build a process that supports all future AIPs whose ongoing operation poses risk to ApeCoin community members. We propose using treasury assets to fund a 1 million $APE bug bounty program with Immunefi, and partner with Solidity.io to help design and implement the program + onboard new AIPs as they launch.

This proposal would unlock the first $20,000 $APE immediately to fund Solidity.io costs for program setup, and the rest made available at program launch to fund white hat hackers until depleted. At this point the community can draft a second proposal to continue funding.

We believe it is very beneficial for the DAO to approve this program since the absence of this infrastructure and process leaves the DAO with only two options:

  1. Every new AIP must create a second AIP to request additional bug bounty funding which poorly allocates hacker rewards at scale.
  2. Accept the security risk.

Motivation:

We have all seen the headlines around massive protocol hacks. Chainalysis released a report yesterday saying that over $3 billion has been stolen by hackers this year alone (tweet, article). A couple weeks ago, a vulnerability in the official Binance Smart Chain bridge allowed an attacker to run away with over $100M in stolen funds. Given that many new AIPs introduce smart contract risk we believe it is prudent to run a bug bounty program that’s available to all future AIPs to tap into. Traditional audits can mitigate some of the smart contract risk, but audit contests and bounty programs provide additional layers of security to identify bugs and keep users safe.

AIP-134 recently secured budget and set a process to secure the staking contract, but as we prep to launch the ApeCoin marketplace I personally want to ensure the same level of security for the community. Because we’re a start-up with limited funding we can’t fund massive rewards on our own, and others will face this exact problem in the future, so we want to set this up for future proposals as well.

Rationale:

The bug bounty program would allow us to incentivize a community of white hat hackers to find potentially costly bugs with the future AIPs. An ongoing program will allow us to address new vulnerabilities as they are discovered, ensuring APE holders are safe.

The bug bounty program will be funded as long as funds remain and funds are only paid out when vulnerabilities that meaningfully reduce community risk are discovered and addressed.

Specifications:

1.5 million $APE budgeted for a bounty program.

Implementing a bug bounty program requires upfront setup and ongoing maintenance. This includes:

Designing the program specifics. This includes designing the rules and rewards to optimize success. In the interest of time, we recommend Immunefi and Solidity.io be given the flexibility to architect the program specifics.

Launching the program. Communicating the program to the broader ApeCoin ecosystem at launch to explain severity levels, rewards, and rationale for how the program was constructed.

Adding new partners. Onboarding new AIPs that expose ApeCoin community members to smart contracting risk as they launch leveraging the established system.

  • As part of this, Solidity.io will be responsible for onboarding new vendors alongside Immunefi and defining budget and payouts for the AIP-specific BBP.

Community comms on payouts. Sharing updates on payouts from the bug bounty program on a quarterly basis.

Ongoing maintenance, such as reviewing and adjusting the program as appropriate.

Operational support in ensuring payout of rewards.

Once the program is designed and live, the bug bounty program will operate in perpetuity, or until funds are depleted, co-managed by Immunefi and Solidity.io. After launch, the program may be adjusted from time to time to ensure the most optimal structure.

Ensuring the right incentives and program structure is critical to having an effective bug bounty program. Immunefi is an industry leader in the space, and has the experience to support and implement this program on behalf of the DAO. Operationally, the DAO will need a representative to coordinate between Immunefi and the Horizen smart contract engineers to operationalize the program. Solidity.io has offered to support the DAO in this effort.

Working with Solidity.io

Solidity.io is a full-stack Web3.0 solutions firm and product incubator focused on providing blockchain development services, smart contract solutions, and audits. Solidity.io is run by MAYC and ApeCoin DAO member Alex McCurry.

To run an effective bug bounty program, the DAO needs an experienced team to represent their interests and coordinate between all the different stakeholders… Solidity.io will collaborate with the Immunefi team to design the parameters and payouts for the bug bounty program and coordinate between all the different stakeholders through implementation at which point AIP authors will be responsible for managing communication with hackers as requests come in.

Steps to Implement:

Once approved, Immunefi and Solidity.io will sign a grant agreement with the Ape Foundation.

Immunefi and Solidity.io will collaborate to design a program that maximizes efficacy and minimizes time required.

Timeline:

When this AIP is approved, Solidity.io and Immunefi will have up to 30 days to design and implement the bug bounty program. The bug bounty program will take effect as soon as the parameters and scope are agreed upon.

AIPs will be onboarded from there starting with the ApeCoin Marketplace built by Snag Solutions. The program will run from there with new AIPs onboarded as they’ve been audited and meet requirements for risk (in $$) necessary to justify bounties for their product.

The bounty program will remain in place until the prize pool is depleted. If and when funds in the bounty program are depleted, the program committee will present a new proposal for further funding.

This proposal will not delay the launch of the ApeCoin marketplace.

Overall Cost:

A total budget of 1.5 million $APE (roughly $4.5 million based on 30-day average $APE price).

Operational costs are minimal, and the majority of the budget will be used to fund prizes for the program.

Bounty rewards will only be paid if bugs are found, and any funds unallocated at the end of the staking period will be returned to the DAO.

The funds requested will be allocated as follows:

Bug bounty rewards can be tiered based on the severity of the exploit, or can be based on % of value at risk. Solidity.io and Immunefi will structure the program within the 1.5 million $APE budget being requested. All budget not listed below will go directly to white hat hackers.

  1. 20,000 $APE (~$60,000) paid to Solidity.io upfront, for operating the ongoing program on behalf of the DAO.
     • 20,000 $APE annually for each year the program runs, with the first year paid 6 months following launch and every 12 months after.
  2. 10% performance fee paid to Immunefi on any vulnerabilities discovered (i.e. if a white hat hacker is paid $100,000 for a bug they discovered, Immunefi will receive $10,000).

I need to read back through this to look at the details closer but just wanted to pop in quickly and say yes I think having funds set aside for future bug bounties is a great idea. Love the proactive approach @zheerwagen! :heart:


I support the idea overall. It is better to allocate funds to continuous bug bounty for all related projects than just one project. Security is critical for all members. It’s good to see that all smart contract related AIPs are equally treated.

In AIP-134, Immunefi and Llama were chosen and in your proposal are Immunefi and Solidity. Why not keep using the parties in AIP-134 and ask them to do the continuous job? We’ve already allocated 1M $APE to the bug bounty. I think it’s more reasonable to use that fund for future bounties because those funds are highly unlikely to be used up for the staking bounty.

Plus, I think for this kind of long-term project, using dollar amounts for annual grants makes more sense than using $APE. The $APE price could change dramatically in 2 years and those numbers could be much larger (or smaller) by then.


Agree with Chris here. Also setting funds aside to increase the overall security of the project with dollar bounties would be helpful!


This is an excellent idea @zheerwagen, thank you for putting this together and sharing with the community. I’m 100% behind this initiative. :slight_smile:


Recent events have clearly shown a need for this sort of a program. I do wonder if there isn’t a way to create a platform similar to ImmuneFi, powered by ApeCoin. Specifics there aren’t within the scope of the discussion, but I think if others are looking into this conversation, it’s worth considering that this could be a sort of “public good” we could create within the ApeCoin ecosystem. I would imagine we would create many opportunities within the APE community in doing so, with roughly the same budget.

Since this program is what we’ve got on the table right now, and I appreciate the network effects of collaborating with these preexisting platforms, I’m in favor here.

-Lost
:gorilla::orange_heart:


Thanks for the feedback!

I chatted with Llama and they didn’t have bandwidth to support + will already deplete the ‘staking bug bounty set up’ funding set aside in the other proposal. In this proposal we’re asking the proposal authors to do the job of managing the program ongoing which is what they’re doing for Horizen in that case.

I love the concept of pulling funds from the same pool separate of the setup component which Llama is already depleting as part of the other proposal, but don’t think I’m actually set up to request that based on how the other proposal is drafted.


I will mention on this that I also chatted with Boring Security about running this and they didn’t feel they had the bandwidth to manage effectively.

If bandwidth improves in the future I’d be a huge proponent of a DAO run program like this!


Hi @zheerwagen,

Your topic will be automatically closing in less than 24 hours. Are you content with the feedback received, or do you wish to extend community discussion for a further 7 days?

If we do not hear from you within 48 hours after your topic closes, your topic will be moved straight to the AIP Draft process.

We look forward to hearing from you.

-Escape

Hi @Escape - Yes, I’m happy with feedback received, but if at all possible would love to skip the AIP Drafts process on the basis of the risk presented by not moving this through to a vote as quickly as possible.

This was drafted based on the initial proposal from @maariab, and if at all possible would love to move at the same expediency in order to get to a vote as quickly as possible.

Is that at all possible given the circumstances?

This topic was automatically closed after 7 days. New replies are no longer allowed.

Thank you @zheerwagen for your ideas and the ApeCoin DAO community for the thoughtful discussions. A moderator will get in touch with the author to draft the AIP in the appropriate template. Once the AIP is drafted and meets all the DAO-approved guidelines, the proposal will be posted on Snapshot for live official voting at: Snapshot

Follow this Topic as further updates will be posted here in the comments. @zheerwagen please see your messages for the next steps.

-moonkt

Hi ApeCoin DAO Community,

@zheerwagen has completed editing their AIP Idea to be their AIP Draft.

Follow this Topic as further updates will be posted here in the comments.

Kind Regards,

-Pearson

Hi ApeCoin DAO Community,

We have sent a list of initial questions to the author.

Follow this Topic as further updates will be posted here in the comments.

Kind Regards,

- river