Summary:
We propose to further develop the existing bug bounty program for Compound and host it on Immunefi’s platform. Doing so will provide access to our industry-leading security researcher community and will provide greater long term security that benefits Compound and its community.
Given the fast-moving industry we are in, exploits of vulnerabilities are inevitable.
A bug bounty program is essential for the swift identification and remediation of vulnerabilities. It essentially invites the entire world to review your code and report vulnerabilities in exchange for a reward, instead of the project suffering an exploit. This also gives blackhats the option of earning clean money instead of having to deal with stolen funds. Unlike audits, payments to security researchers (SRs) are not made until a valid bug report has been submitted. So, with bug bounty programs, if SRs don’t find anything, they don’t get paid.
Background to Immunefi
Immunefi is the largest onchain security platform for Web3 projects. Immunefi delivers effective bug bounty programs that deliver results, and 8x more vulnerabilities are found on Immunefi compared with alternatives. Immunefi has prevented over $25B of funds from being lost to hacks and currently helps protect over $190B in user funds.
We specialize in surfacing the most mission-critical smart contract and blockchain vulnerabilities before they can be exploited, and our entire product is built around serving this need. Today we work with leading projects including MakerDAO, Optimism, Polygon, GMX, Chainlink, TheGraph, Lido, LayerZero, Arbitrum, Starknet, Eigenlayer, and many, many more (Immunefi’s Explore page). We have one mission: to protect Web3’s most important projects from getting hacked.
We propose a maximum reward of 1,000,000 USD for the Compound bug bounty program for the most critical impacts. Reward amounts will be adjusted depending on the impact as well as the volume of funds at risk, if relevant. The validity of the bug report will not be determined by Immunefi, but rather Compound Labs in conjunction with OpenZeppelin. The Immunefi mediation team will, however, be available for assistance wherever there are any issues in any bug report.
Immunefi will filter all spam and low-quality reports, and will manage other initial engagements with the security researcher.
To minimize the workload in reviewing bug reports, Immunefi will also be providing its Guardian Plan. This plan provides 24/7 coverage for all bug reports submitted to the program, whereby the Immunefi triaging team would review all bug reports submitted and only escalate those deemed necessary for further review.
The total cost for the first year for this service will be 57,500 USD, payable in COMP. The pricing has been discussed during the initial launch of Immunefi’s subscription model, and was grandfathered into an older pricing structure.
Purpose:
The goal for Compound’s bug bounty program with Immunefi is to leverage our community of Web3 security researchers to protect Compound’s critical infrastructure and thus its community. Our SR community is composed of tech CTOs, smart contract engineers, and auditors, all of whom would be exposed to the Compound bug bounty program.
In the past, SRs would have to submit a bug report directly to Compound Labs according to the rules set out here. However, it was mentioned on the forums that there was a desire to further improve the bug bounty program. With Immunefi, not only would we help to improve the bug bounty program and utilize our experience and expertise to reduce ambiguity, but we would also give structure to this process by having security researchers report through our platform, and having it triaged by our team.
History of Immunefi and Compound’s collaboration
Immunefi hosted Compound Labs’ bug bounty program in 2021. The partnership was paused because of the volume of spam reports that Compound Labs received. As this was early in Immunefi’s history of operations, we were unable to adequately address these needs. Today, we can say confidently that this will no longer be the case. The section below explains how the proposal will include our managed triage service. This will filter all spam reports and provide quality reports to the bug bounty administrators, saving time for the internal team to focus on the most important findings.
Proposal Structure:
This proposal consists of two key aspects: the Immunefi Bug Bounty Program for Compound Finance and a subscription plan.
Immunefi Bug Bounty Program for Compound Finance
Immunefi will work with OpenZeppelin and Compound Labs’ technical and product teams to develop a comprehensive bug bounty program that covers any on-chain assets. Immunefi will also seek guidance and feedback from the OpenZeppelin team (which supports a robust bug bounty program after a recent report affecting the Comet Base WETH market) to ensure that the bug bounty program aligns with the Compound DAO’s security and product initiatives. The bug bounty program will have to be approved by both Immunefi and the Compound DAO by formal governance proposal before being launched.
Guardian Plan
This subscription plan will include our Expert Assessment Managed Triage Service. Expert Assessment MTS is the highest level of triaging service we can provide to our clients. This will allow our triage team to cover incoming reports 24/7 and filter out spam reports, freeing the Compound Labs team to focus more on internal development.
Our triage team will assess the impact and the affected asset, and provide a full technical review of each bug report in detail. They will also work with the SR to ensure the completeness and correctness of the report before it is escalated, along with a preliminary technical assessment of the report prepared and delivered to the respective stewards of the bug bounty program. This plan will also include an extensive co-marketing effort between Immunefi and the Compound Labs team.
Both marketing teams will coordinate the community outreach during the launch of the program. We will also provide the opportunity to host a Twitter/X space with both teams, and help with a dedicated blog post. The goal of the co-marketing feature is to notify the SR community about Compound’s program, and to communicate to current and future Compound investors the importance placed on security and the confidence it provides.
Safe Harbor
As of July 2024, Immunefi has launched Safe Harbor, a legal framework developed by the Security Alliance (SEAL) that empowers whitehat security researchers to rescue protocol funds during a blackhat attack and redirect those funds back to a protocol-controlled Vault on Immunefi in exchange for up to 60% of the project’s max critical reward.
Safe Harbor provides projects with a secure solution for whitehat recovery of funds on your protocol only during active blackhat exploits. Immunefi’s implementation of the Security Alliance’s robust Safe Harbor framework, coupled with our extensive security community, provides a solution that integrates with Compound’s bug bounty infrastructure. This ensures that our top-tier security researcher community has a credible and safe channel for returning funds when other security measures fail.
Safe Harbor can be activated by the bug bounty program administrators once the program is live through Immunefi’s dashboard and included in the packaging.
Rewards and Severity Level Classification:
We propose the following reward breakdown for the severity payout to whitehats:
- Critical: $50,000 - $1,000,000
- High: $10,000 - $50,000
- Medium: $5,000
- Low: $1,000
The severity classification system will be impact-based and will largely reference the latest Immunefi Severity Classification System. This impact-based system will streamline the submission of bug reports and classify them accordingly. The scope of the bug bounty program, however, will be limited to Compound’s EVM smart contracts.
Ranges of rewards apply to Critical and High level impacts. The reward within the range will generally be based on the funds at risk, though other factors will be considered as well. We have determined these scaling systems based on our experience in order to achieve satisfaction from both our clients and security researchers. However, adjustments will be made as we work to finalize the bug bounty program with Compound Labs and OpenZeppelin.
The breakdown is based on our current client roster and on where Compound sits in the rankings of CMC, Coingecko, and DefiLlama. At minimum, the community should consider the critical reward payout to be $1,000,000. The program will be able to pay out the reward in COMP. The reward suggestion above is based on the top tier DeFi lending protocols on our platform such as MakerDAO, Sparks, AAVE, and Morpho. With a $1M critical reward, we would expect a project to receive an average of about 75 reports for the year.
The cost payable to Immunefi will be a fixed yearly fee, with no other costs from Immunefi. The subscription fee that we would recommend for a project like this would be our subscription plan at a cost of $57,500 for the year. The subscription fee will be sent to Immunefi directly.
Process and Timeline:
If this initial step is approved, we will put together a draft bug bounty program with our recommendations and ask for Compound’s input and feedback, which will form part of the full governance proposal. After the bug bounty draft and the overall proposal are approved by all parties, we will move into the launch phase, in which we will discuss launch logistics and marketing activities, including Twitter spaces, blog posts, Tweets, etc.
Bug Report Review and Validation Process
All bug reports that pass through Immunefi will be reviewed by the respective stewards of the impacted asset or assets. This will include investigating the potential impact of executing the reported bug, as well as determining the appropriate severity level based on the highest direct impact resulting from the exploit, all while keeping in mind the rules and parameters set by the bug bounty program. If desired by the respective stewards, the Compound DAO’s mandated security auditor, OpenZeppelin, may be added to the respective bug report for further investigation. If necessary, the Immunefi mediation team will also be able to assist in mediating issues arising from the review of the bug report and/or communications with the security researcher.
Fixes for Reported Bugs
Though Immunefi considers any processes around fixing a reported bug to be outside the consideration of payments, it is understood that this needs to be accounted for in a DAO environment. Specifically, fixes may take more time to be implemented, and need to be fully deployed before payouts can be made, because the payment process is more transparent under DAO processes. For example, if a payout process is initiated while a bug still has not been fixed, it may provide enough information for one or more people to find the vulnerability and exploit it. Because of this, payments may be delayed until a discovered bug has been appropriately addressed.
Bug Report Payment Process
Immunefi has a requirement that all bug reports are paid within 14 days of confirmation. However, given the extensive DAO proposal process, all validated bug reports will be grouped into a proposal at the end of each calendar month to reduce the burden on the DAO, as well as to streamline reporting for the bug bounty program. This monthly proposal will go over each bug report due for payout and explain the impacted asset or assets, the severity level, and the actions being taken by the respective people and entities mandated by the DAO.
What Success Looks like/Measurable Results:
Success on the Immunefi platform means ensuring that Compound does not become part of the hacked project statistics. If we find vulnerabilities, it ensures greater security. Creating a successful bug bounty program means protecting Compound, while the security researcher gets paid in return for their expertise. We expect an average of 20-30 reports per month in the first 3 months, but have seen up to 50+ during this time in comparable programs. Over a year, we expect 75+ reports.
Measurable results equate to quality reports being submitted by our security researcher community. These reports are not public and are known only within Compound Labs, OpenZeppelin, and a very select few at Immunefi. Nearly 95% of projects make a payout in the first year, with 50% in the first month after launch, demonstrating how quickly projects experience value from Immunefi. Overall, paid reports range from 4.6 to 13.8 per project, and can go up to 25. Out of these, critical paid reports range from 1.5 to 4 per year, and high paid reports range from 1.5 to 3.84 per year.
The success of this proposal would be measured by:
- Number of Critical or High severity bug reports submitted
- Number of valid bug reports resulting in a payout
- Potential impacts prevented in terms of TVL at risk
- Total number of bug reports submitted
Consultative Members Involved:
- Immunefi - Joe Suzuki - Senior account executive
- OpenZeppelin
- Compound Labs
Thank you to Compound DAO for taking the time to read through our proposal for Compound Finance’s bug bounty program with us at Immunefi. I would also like to thank the OpenZeppelin and Compound Labs teams for providing us the resources to create this proposal. I look forward to the feedback from the community and hope to provide the “last line of defense” in Compound’s security stack.