[BIP-XXX] Transition of Bug Bounty Program Responsibility to Balancer DAO

Introduction: Since the launch of Balancer v1 in 2020, Balancer Labs has been managing and financing the bug bounty program for the Balancer DAO. With the introduction of Balancer v2, the bounties were significantly increased, further cementing Balancer’s commitment to the protocol’s security. Balancer Labs develops open-source software for the benefit of the Balancer protocol and has never charged the DAO for this work. All fees generated by the Balancer protocol are directed to the DAO; nothing goes to Balancer Labs.

This proposal suggests transitioning the responsibility for the bug bounty program from Balancer Labs to the Balancer DAO as a first step towards making the DAO and the Balancer ecosystem more independent from Balancer Labs.

Current Situation:

  • The bug bounty program, hosted on Immunefi, offers up to $1,000,000 for critical vulnerabilities, with rewards based on impact according to the Immunefi Vulnerability Severity Classification System.
  • Balancer Labs has funded and managed the bug bounty program for the Balancer DAO since its inception.
  • Balancer Labs currently operates without income streams.

Proposal: Starting now, the responsibility for financing the bug bounty program should transition from Balancer Labs to the Balancer DAO. Today a committee composed of Balancer Labs and Beets DAO is responsible for receiving and analyzing submitted bug reports. We propose that Hypernative joins this committee to assist with bug report analysis going forward.

In summary, if this proposal is approved, Balancer DAO will make the payments for any bug bounties awarded by the committee mentioned above. This change aligns with industry standards and ensures the bug bounty program’s sustainability.

Rationale:

  1. Financial Sustainability: Shifting the cost to the DAO distributes the financial burden among its stakeholders.
  2. DAO Governance: The DAO will control program parameters and budget, aligning with its decentralized governance model. It’s in line with the decentralized governance model for the DAO to take ownership of critical initiatives like the bug bounty program.
  3. Protocol Maturity: As Balancer’s protocol matures, it’s suitable for the DAO to operate its bug bounty program.
  4. Industry Standards: This move is consistent with how other DeFi protocols manage their bug bounties.

Implementation Plan:

  1. Communication: Clearly communicate the transition plan to the Balancer community and stakeholders.
  2. Voting: Hold a forum discussion and a vote within the Balancer DAO community on this proposal.
  3. Budget Allocation: The DAO should earmark 1,000,000 USDC (currently the highest bounty offered in the program) from the DAO treasury. If smaller bounties are paid, the DAO should top up this earmarked budget so it always has 1,000,000 USDC available. This amount can potentially change if the highest bounty is changed.
  4. Bug Bounty Guidelines: Keep the same guidelines used today or define clear procedures for bug submission, evaluation, and rewards, making them accessible to all community members.
  5. Bug Bounty Platform: It’s suggested that Balancer DAO maintains the current Immunefi partnership, but another platform could be used to streamline the bug bounty process if decided by the committee.

Conclusion: Transitioning the bug bounty program to the Balancer DAO is a significant step towards decentralization of Balancer DAO. This change will ensure the program’s sustainability and encourage greater community involvement in securing the Balancer protocol.

For more details on the current bug bounty program, visit Immunefi’s Balancer Bug Bounty page.


I confirm on behalf of Hypernative

This is obviously an important proposal to further strengthen decentralization of our DAO. Given the current treasury situation, however, it would be beneficial to more clearly specify from where the $1mln will be earmarked and how they will be distributed in a bug-bounty case.

Given the current treasury config, the most obvious choice would be to earmark a fraction of the stable positions earmarked by @karpatkey as the liquid treasury stables are usually earmarked to compensate SPs. What are your thoughts on that?

Second that. This is great for the DAO autonomy and authority over the protocol.

Personally, I’d propose an alternative where we could set aside a portion of the bounty allocation in BAL and reassess in another 6-12mo. Reminding the community, we have the BAL allocation for the self-insurance fund for SPs and ecosystem participants, we’d also be keen to revisit.


We are generally supportive of the bug bounty program and recognize its importance for decentralization and security. However, we’re missing specifics on the committee’s responsibilities and budget.

Our biggest concern is the USDC allocation. As @0xDanko and @Xeonus mentioned, the current stablecoin reserves are crucial for maintaining the Treasury’s sustainability. The proposed allocation would impose a burden and reduce financial flexibility. We support changing the budget to BAL tokens to ensure the program’s long-term viability.


@Marcus given the consensus do you also agree that we change this section to the following:

The DAO should earmark 1,000,000 USD equivalent in BAL (currently the highest bounty offered in the program) from the DAO treasury.

I think we need a more refined and final specification section as follows (suggestion):

Upon approval of this proposal, the DAO will earmark 1,000,000 USD equivalent in BAL tokens to the bug bounty program. The tokens will remain in the treasury wallet. Upon successful submission of a bug bounty, the reporting bug bounty entity and the DAO will initiate the release of funds. Release of funds can be either chosen as BAL tokens based on a 30 day moving average price or the treasury liquidates funds to pay out the bounty in full as USDC.

The only final concern I have given this specification is the case where the treasury needs to provide the full amount. On the one hand, this gives us the flexibility to pay out the bounty in BAL tokens; on the other hand, the counterparty wants the reward asap, and then this solution is not ideal. Thoughts?