Smart contract risk is significant. If errors in contracts are discovered and exploited, this decimates trust in a platform, in some cases irrecoverably. I’m sure everybody is aware of the DAO hack, which completely destroyed the platform. Programming errors in other parts of the platform (e.g. off-chain governance, powerindex ui, etc) can have similar detrimental effects. I propose an all-encompassing bug bounty programme to mitigate this risk and encourage responsible disclosure of bugs.
This proposal is timely as we have recently uncovered a bug in our protocol. The bug affected around 3.2% of the circulating supply of CVP (641,904 CVP) and is one reason that the price of CVP plummeted from $4 on Feb 19th to $2.10 today. We can’t afford another bug like this.
Bug bounty programmes are very common in the technology industry, although they are not yet mainstream for smart contracts. Introducing a bug bounty programme will protect us from future errors and differentiate us from our competition.
The team has already expressed interest in introducing a bug bounty programme:
From this moment we will double audit all our code (it is important to point out that the most important PowerPool code was double audited before) and in some cases run bug bounty. (source)
Let’s move forward with this.
The bug bounty programme should encourage responsible, timely, and comprehensive disclosure of bugs. All reports should include explicit steps to reproduce a bug and not be disclosed to the public until the bug is fixed.
We should denominate bug bounty rewards in CVP to incentivise disclosers to act in the best interests of the platform.
In scope products
powerpool.finance, app.powerpool.finance, snapshot.powerpool.finance, powerindex.io, and all associated smart contracts.
Requirements for responsible disclosure
- Disclosure must be made privately directly to the powerpool team (e.g. by emailing a new email address, [email protected])
- The bug must not be exploited by the discloser except possibly for negligible amounts (and only if this is required to demonstrate the exploit)
- The discloser must not reveal the exploit to anybody except the powerpool team until the powerpool team have addressed the exploit. After this, the discloser is permitted to share details of the exploit, e.g. by writing a blog post, except in exceptional cases requested by the powerpool team on an ad hoc basis
- All disclosures must include detailed steps on how to perform the exploit
- Only the first discloser of a particular bug is eligible for a reward, although the powerpool team may, at their discretion, reward subsequent disclosures that either provide additional information beyond the first report or concern a particularly severe bug
Rewards for responsible disclosure
Exploits are divided into categories at the powerpool team’s discretion.
- Note: Exploit with minimal real impact, e.g. cosmetic issues. 50 - 250 CVP
- Minor: Minor impact, e.g. exploits affecting functionality of the products, ability to vote, withdraw, etc. 250 - 1,000 CVP
- Major: Exploits which can be used to access or take money that a user is not entitled to, e.g. exploits which can be used to mint additional tokens without providing the requisite inputs. 1,000 - 10,000 CVP
- Critical: Critical exploits, e.g. the recent bug in one of our smart contracts. 10,000 - 50,000 CVP[*]
Note: If an exploit can be used to affect users’ funds or the stability of CVP then by definition this is at least a Major exploit.
Bug bounty rewards are not vested owing to their importance.
The MB must vote on and approve any bounty that the team proposes.
[*] I propose that we pre-approve the powerpool team to give rewards of up to 50,000 CVP in these cases, but suggest that for exceptional circumstances an additional proposal is put to the community to provide an enhanced reward for particularly troubling bugs. For instance, given the impact of the recent bug I think the community would have happily awarded a discloser a bounty of 100,000 CVP.
I do not have 10,000 CVP and thus cannot create this proposal under my own name without delegation. If this gets enough support by the community I would be looking for delegates in order to submit the proposal and/or for somebody else to submit it on my behalf.