Proposal: Compound Governance Bug Bounty Proposal
Rishabh Krishnan and Annamira O’Toole, Blockchain @ Berkeley
A proposal to ensure auditing of governance proposals and reward users who find bugs.
Background
Governance relies on an engaged community, and one that works well beyond proposal discussion and voting. We see a lack of thorough auditing of new protocol changes to Compound following the Proposal 62 bug, as well as across other DeFi governance platforms. Without stronger incentives for protocol changes to be audited, bugs like the one introduced in Proposal 62 will recur, damaging trust and leaking value from the protocol.
Proposal
We propose a “bug bounty” program for Compound. In particular, the program would have a few different components:
- Each proposal, once it enters the timelock stage, would have a forum category for reporting bugs.
- A user who finds a bug by reviewing the proposal code would post a forum message in this format:
Address of Bug Finder:
Links to affected files:
Explanation of Bug & Instructions to Reproduce Bug:
Potential Impact:
Suggested Steps to Fix:
- If a bug is found in timelock, the community would cancel the proposal and the community multisig could trigger the bug bounty function to distribute treasury COMP to the user who found the bug.
- Finally, the proposal author has their proposal rights temporarily suspended for a period of time (say 3 months) following the discovery of a bug while in timelock. This step is taken to disincentivize foul play where a proposal author includes a bug and tips off another account to report it in order to collect the bounty. This punishment could also be at the discretion of governance (that is, a proposal could veto the punishment in individual cases).
The introduction of the bug bounty program and suggested changes will both facilitate and encourage effective auditing of proposals by both individual community members and professional contract security companies that wish to obtain income from the Compound treasury.
Adversarial Proposals
One obvious failure case of this distribution scheme is malicious proposers: accounts that make proposals knowing they contain a certain bug, and then collect the bug bounty after the proposal passes. Although this might be a concern, there are a few mitigating factors:
- The proposal would still have to pass the voting stage, and all the scrutiny that comes with it. This alone would weed out any haphazardly assembled proposal, and any proposal where the bug was too obvious.
- Most of the accounts that can propose on the Compound protocol are well-known enough in the forums that they would not be able to “hit-and-run” with the bug bounty without serious reputational damage.
- Along with the previous point, people who can create proposals have a massive interest in the protocol’s wellbeing, so the bug bounty amount is trivial compared to the depreciation in COMP that bug bounty exploitation would cause.
Bug bounty reward amount:
There should be a basic rate per bug (e.g. $100,000 per bug found), though the community could also allocate an additional reward in the case of an especially large bug.