I’ve been involved in giving Immunefi feedback on their proposal as the DAO’s Security Advisor. As always, OpenZeppelin remains neutral on the selection of new service vendors to the DAO but we do believe a managed bug bounty platform is crucial given the experiences with the payout of the griefing bug report last year.
There are a few things I want to highlight in the proposal for the community’s awareness:
- Per our original partnership proposal, OpenZeppelin is not directly responsible for managing bug bounties for the Compound DAO. However, we have often assisted with bug bounty reports submitted to Compound Labs’ program upon request and we have been directly involved in responding to live issues reported, both as the protocol’s auditor to review fixes and as a member of the Pause Guardian multi-sig to potentially pause the protocol. We would continue to serve in these roles if Immunefi’s proposal is accepted.
- The inclusion of the Managed Triage service in Immunefi’s Guardian plan would be incredibly valuable to cut down on spam submissions and ensure that Compound contributors are only involved in reviewing submissions with a high likelihood of real impact.
- I’ve personally been involved with the Security Alliance’s creation of Safe Harbor, in which protocols can offer legal protection to whitehats who aid in the recovery of assets during an active exploit. I do believe that the circumstances in which whitehats can perform an exploit should be limited to very specific circumstances, such as front-running a malicious exploit transaction that has been submitted to the mempool when there’s no other option left to stop the attack.
- It’s important to note that any bug report that has been validated will be paid out from the COMP Treasury through a DAO governance proposal. Given the prior experience of processing the payout for the griefing bug, it’s important that the community be aligned with the process that Immunefi has set forth, so that expectations on the severity levels and rewards to be assigned for a valid bug are clear and DAO delegates can vote in support of payouts against clear criteria.
I invite other community members and delegates to please share their feedback on the proposal details, such as the rewards breakdown, bounty processes, and other terms proposed by Immunefi. With this feedback, Immunefi can move forward with an on-chain proposal to implement a bug bounty platform and improve the protocol’s overall security preparedness.