Hi, we at Blockchain @ Berkeley support this proposal and appreciate how clear the duties of OZ will be once they are hired to audit each proposal. We share @getty’s concerns, and look at the pricing from another perspective:
Existing bug bounty programs in the DeFi space offer comparable rewards (i.e., 100-500k) per bug found in existing core contract code, not for auditing individual proposals before they are passed and in timelock.
The time of OZ professionals is very valuable, but would it make more sense to reserve such high per-code-change payments as a bonus for extreme bugs avoided, rather than as a baseline "no protocol incidents" rate?
We support adding, in addition to the OZ auditing proposal, a bug bounty program like this: www.comp.xyz/t/bug-bounty-program-for-compound-proposals/2590
Curious to hear more folks’ thoughts on pricing for auditing versus finding a bug, especially at different stages in protocol development (proposed vs. timelock vs. deployed code).