Bug Bounty Program for Compound Proposals

Proposal: Compound Governance Bug Bounty Proposal

Rishabh Krishnan and Annamira O’Toole, Blockchain @ Berkeley

A proposal to ensure auditing of governance proposals and reward users who find bugs.

Background

Governance relies on an engaged community, but one that works well beyond proposal discussion and voting. We see a lack of thorough auditing of new protocol changes to Compound following the Proposal 62 bug, as well as across other DeFi governance platforms. Without higher incentives for protocol changes to be audited, bugs like those introduced in 62 will occur, damaging trust and leaking value from the protocol.

Proposal

We propose a “bug bounty” program for Compound. In particular, the program would have a few different components:

  1. Each proposal, once it enters the timelock stage, would have a forum category for finding bugs.
  2. A user who finds a bug, through looking at the proposal code, would post a forum message in this format:

Address of Bug Finder:

Links to affected files:

Explanation of Bug & Instructions to Reproduce Bug:

Potential Impact:

Suggested Steps to Fix:

  3. If a bug is found in timelock, the community would cancel the proposal and the community multisig could trigger the bug bounty function to distribute treasury COMP to the user who found the bug.
  4. Finally, the proposal author has its proposal rights temporarily suspended for a period of time (say 3 months) following the discovery of the bug while in timelock. This step is taken to disincentivize foul play where a proposal author includes a bug and tips off another account to report it to collect the bounty. This punishment could also be at the discretion of governance (as in, a proposal could veto the punishment in individual cases).

The introduction of the bug bounty program and suggested changes will both facilitate and encourage effective auditing of proposals by both individual community members and professional contract security companies that wish to obtain income from the Compound treasury.

Adversarial Proposals

One obvious failure case of this distribution scheme is malicious proposers: accounts which make proposals where the account knows there is a certain bug, and then recover the bug bounty after it passes. Although this might be a concern, there are a few mitigating factors:

  1. The proposal would still have to pass the voting stage, and all the scrutiny that comes up there. This alone would weed out any haphazardly put together proposal, and any proposal where the bug was too obvious.
  2. Most of the accounts that can propose on the Compound protocol are well-known enough in the forums that they wouldn’t be able to “hit-and-run” with the bug bounty without serious reputational damage.
  3. Along with the previous point, people who can create proposals have a massive interest in the protocol’s wellbeing, so the bug bounty amount is trivial compared to the depreciation in COMP due to bug bounty exploitation.

Bug bounties reward amount:

There should be a basic rate per bug (e.g. $100,000 per bug found), though the community could also allocate an additional reward in the case of an especially large bug.


This would be a great supplement to the existing OZ Proposal and would also incentivize community members to stay active in the Bug Bounty Process. Though OZ will likely catch the vast majority of bugs, we should have a bug bounty in place for the community in the governance process to ensure contributions towards safeguarding the protocol, and that community members are well-rewarded.


Hi,

I am writing to check if this is still open. We would like to submit a proposal to offer a solution.

Regards

Not sure how exactly the community can pitch in to reward? Can you explain this.

Well yeah
If the OGs are gonna catch all the bugs, there should be a separate one for the community / new members

MakerDAO just created a partnership with Immunefi that might have some processes to be considered here.

Still reading it myself but sharing here for others to take a look.

Hey, Rishabh from Blockchain at Berkeley here. We were the initial authors of this post, and after talking it over with the OZ security team, we think a partnership with Immunefi is definitely an option. We’d love to get more community feedback on any of the parameters mentioned in the proposal though. @Parimal Would love to talk more about combining proposals as well!


Hey @Rk2357 - let us get on a call to discuss more about it. What time and date works for you?

Definitely agree with this!