[BIP-687] Transition of Bug Bounty Program Responsibility to Balancer DAO

Introduction: Since the launch of Balancer v1 in 2020, Balancer Labs has been managing and financing the bug bounty program for the Balancer DAO. With the introduction of Balancer v2, the bounties were significantly increased, further cementing Balancer’s commitment to the protocol’s security. Balancer Labs develops open-source software for the benefit of the Balancer protocol and has never charged the DAO for this work. All fees generated by the Balancer protocol are directed to the DAO; nothing goes to Balancer Labs.

This proposal suggests transitioning the responsibility for the bug bounty program from Balancer Labs to the Balancer DAO as a first step towards making the DAO and the Balancer ecosystem more independent from Balancer Labs.

Current Situation:

  • The bug bounty program, hosted on Immunefi, offers up to $1,000,000 for critical vulnerabilities, with rewards based on impact according to the Immunefi Vulnerability Severity Classification System.
  • Balancer Labs has funded and managed the bug bounty program for the Balancer DAO since its inception.
  • Balancer Labs currently operates without income streams.

Proposal: Starting now, the responsibility for financing the bug bounty program should transition from Balancer Labs to the Balancer DAO. Today a committee composed of Balancer Labs and Beets DAO is responsible for receiving and analyzing bug reports submitted. We propose that Hypernative joins this committee to assist on bug report analysis going forward.

In summary, if this proposal is approved, Balancer DAO will make the payments for any bug bounties awarded by the committee mentioned above. This change aligns with industry standards and ensures the bug bounty program’s sustainability.

Rationale:

  1. Financial Sustainability: Shifting the cost to the DAO distributes the financial burden among its stakeholders.
  2. DAO Governance: The DAO will control program parameters and budget, aligning with its decentralized governance model. It’s in line with the decentralized governance model for the DAO to take ownership of critical initiatives like the bug bounty program.
  3. Protocol Maturity: As Balancer’s protocol matures, it’s suitable for the DAO to operate its bug bounty program.
  4. Industry Standards: This move is consistent with how other DeFi protocols manage their bug bounties.

Implementation Plan:

  1. Communication: Clearly communicate the transition plan to the Balancer community and stakeholders.
  2. Voting: Hold a forum discussion and a vote within the Balancer DAO community on this proposal.
  3. Budget Allocation: The DAO should earmark 1,000,000 USDC (currently the highest bounty offered in the program) from the DAO treasury. If smaller bounties are paid, the DAO should top up this earmarked budget so it always has 1,000,000 USDC available. This amount can potentially change if the highest bounty is changed.
  4. Bug Bounty Guidelines: Keep the same guidelines used today or define clear procedures for bug submission, evaluation, and rewards, making them accessible to all community members.
  5. Bug Bounty Platform: It’s suggested that Balancer DAO maintains the current Immunefi partnership, but another platform could be used to streamline the bug bounty process if decided by the committee.

Conclusion: Transitioning the bug bounty program to the Balancer DAO is a significant step towards decentralization of Balancer DAO. This change will ensure the program’s sustainability and encourage greater community involvement in securing the Balancer protocol.

For more details on the current bug bounty program, visit Immunefi’s Balancer Bug Bounty page.

Technical specification:
1,000,000 USDC will be earmarked by funds from the karpatkey managed safe at 0x0EFcCBb9E2C09Ea29551879bd9Da32362b32fc89. BLabs or the Balancer DAO can request funds for usage of the bounty program and karpatkey ensures transfer of these funds within 48 hours upon request.

I confirm on behalf of Hypernative

This is obviously an important proposal to further strengthen decentralization of our DAO. Given the current treasury situation, however, it would be beneficial to more clearly specify from where the $1mln will be earmarked and how they will be distributed in a bug-bounty case.

Given the current treasury config, the most obvious choice would be to earmark a fraction of the stable positions earmarked by @karpatkey as the liquid treasury stables are usually earmarked to compensate SPs. What are your thoughts on that?

Second that. This is great for the DAO autonomy and authority over the protocol.

Personally, I’d propose an alternative where we could set aside a portion of the bounty allocation in BAL and reassess in another 6-12mo. Reminding the community, we have the BAL allocation for the self-insurance fund for SPs and ecosystem participants, we’d also be keen to revisit.

We are generally supportive of the bug bounty program and recognize its importance for decentralization and security. However, we’re missing specifics on the committee’s responsibilities and budget.

Our biggest concern is the USDC allocation. As @0xDanko and @Xeonus mentioned, the current stablecoin reserves are crucial for maintaining the Treasury’s sustainability. The proposed allocation would impose a burden and reduce financial flexibility. We support changing the budget to BAL tokens to ensure the program’s long-term viability.

@Marcus given the consensus do you also agree that we change this section to the following:

The DAO should earmark 1,000,000 USD equivalent in BAL (currently the highest bounty offered in the program) from the DAO treasury.

I think we need a more refined and final specification section as follows (suggestion):

Upon approval of this proposal, the DAO will earmark 1,000,000 USD equivalent in BAL tokens to the bug bounty program. The tokens will remain in the treasury wallet. Upon successful submission of a bug bounty, the reporting bug bounty entity and the DAO will initiate the release of funds. Release of funds can be either chosen as BAL tokens based on a 30 day moving average price or the treasury liquidates funds to pay out the bounty in full as USDC.

The only final concern I have given this specification is the case where the treasury needs to provide the full amount. On the one hand this gives us the flexibility to pay out the bounty in BAL tokens on the other hand the counterparty wants the reward asap and then this solution is not ideal. Thoughts?

Some comments after reading this proposal, this conversation, and talking to a few folks about it on calls.

1: Earmarking 1 million USD in BAL seems non-specific and hard to act on/maintain.

2: I’m not sure how whitehats think about bug bounties, but I’d be a lot less interested in disclosing something for 1 million USD in BAL. As a whitehat, I’d know the news of me finding a vuln and receiving a bounty would be likely to tank the token price. Have other DAOs been successful with gov token based bounties? How did they work? Were there actual reports that prevented theft of funds?

3: If we are to earmark BAL, I would think we should earmark a specific amount of BAL, assuming that it will be paid out along with a 25% drawdown, and then go back to governance if the amount of BAL earmarked is not sufficient to cover 1.25x our bounty cost to come up with a new plan.

4: If we are to earmark USD for the bounty from the DAO, it seems like it would make most sense to be earmarked from the Karpatkey managed funds. In this case we can be quite sure that 1 million USD will be available for a long time, and Karpatkey can manage earning some ROI off those funds otherwise at rest.

I think this proposal probably needs more discussion, and a bit more thinking about the accountability, interests, roles and responsibilities of various entities engaged with Balancer DAO and/or otherwise working on the Balancer Protocol.

It is worth noting that the Bug Bounty paid by Balancer Labs was a form of vouching for their work with money. While the DAO is engaged in building a protocol that deploys Blabs Code and brings users to it, generating revenue, it does not have any “control” or oversight over blabs. Therefore, it feels somewhat inappropriate to shift the entire bug bounty onto the DAO, without some kind of accountability put into place. Could we perhaps consider splitting this? Blabs earmarks 250-500k, Balancer 250-500k? Are there other ways to handle this accountability?

Does it still make sense to offer a 1 million dollar bounty if that will result in spending 25% of the runway used to fund everyone and everything except blabs? Maybe we should lower it, or at least have a decision about how high bounties should be in the DAO. The current parameters/program were set and managed by Balancer Labs.

It seems to me like this needs more work.

Hello everyone,

I fully agree with Tritium’s four initial points in his latest reply, particularly the fourth option, which seems the most viable.

Regarding the second part of the discussion:

BLabs has been operating without any income from the DAO and has covered significant audit costs amounting to around $635,000 for 2024. This includes expenses for Certora, Spearbit Vciso and Audit, and Trail of Bits. Our last funding was in 2021 when we sold some BAL tokens, and since then, we have refrained from selling any further.

We have reserved funds for the Bug Bounty Program and have consistently earmarked additional funds whenever we paid out bounties to maintain a $1 million reserve. We will use these funds for our operations as we currently have no income, and our runway is not looking good. If we don’t use this $1m we will have to sell BAL soon which we have been trying to avoid at all costs.

Let’s continue this discussion to reach a common ground.

I’m thinking there are two distinct aspects to be considered:

  1. Bounties are not to be paid in BAL. They are earmarked in BAL, and paid out in USDC, regardless. The community can choose to sell them to cover stablecoin runway, or spend it in stables if the time comes.

  2. It is an unlikely scenario Balancer will need $1mm to be paid. It’s less unlikely however to have minor bounties paid on a more regular basis, meaning the DAO would need these stables at hand.

@Marcus would it be reasonable to set aside $500k USDC, and earmark another $500k worth in BAL, considering the history of smaller bounties paid regularly? If yes, how much could we expect to be spent on this program (annually)? And would you suggest another proportion, rather than 50/50?

After discussions with BLabs, the Maxis, and other stakeholders, we have agreed that the most viable option is to earmark stablecoins from the karpatkey-managed Safe. It’s important to note that this could include any DeFi position in the whitelisted protocols, as per the existing permissions granted to karpatkey. From an operational perspective, we can commit to making the funds available within T+1.

CC:@Marcus @0xDanko @Xeonus

https://snapshot.org/#/balancer.eth/proposal/0x42b309a45d6ce1e946529eaf0d0d9844117d82d4901d550d1c90c34763252f36