Increase Bounty in Immunefi

If you haven’t checked the bounty on immunefi.com for balanced.network you’ll see the max reward for finding a critical bug is $5,000. In my opinion I think this should be much higher and would like to start a discussion on this. I believe a rough estimate for all defi hacks is close to $2B. That’s quite a bit of money and knowing a white hat can potentially save my funds for finding a vulnerability I’d vote to increase that bounty for sure.

9 Likes

I am fully in support of the idea of this, while at the same time being totally ignorant of this process and norms. Having just briefly skimmed the website, I wouldn’t hazard a guess at what amounts we should be discussing.

Any thoughts on how much to raise it?

Yep I’d agree with that. Looking through the list, I’d be comfortable starting at maybe 200k to match Synthetix which is our closest comparable project on that list imo.

Thoughts?

2 Likes

$200k is very appealing. Just curious, where would these funds come from, if hypothetically, a critical vulnerability was found? Reserves?

It would come from the DAO Fund. Currently, disbursements are enabled and can be voted on, just not in the UI yet

1 Like

Out of curiosity, how are “critical” as opposed to non-critical bugs defined? Is this something that could be open to contention?
Does anyone know how much the DAO Fund holds atm? Would we be able to afford 200.000 usd without sailing too close to the wind financially?

All the way at the bottom is the current DAO Fund amount!

About $2,544,372 at the moment.

3 Likes

It’s defined as something that compromises user funds or breaks the smart contracts to lock user funds

2 Likes

I’m all for raising the bounty amount to $200.000 in order to match our specific market norm set by closest competitor Synthetix. Here follow some thoughts:

  • If you want to market your future self as ‘the best and safest platform on the BTP network’, you must invest the necessary (DAO) funds into making this actually happen.

  • I’d rather pay $200.000 of community funds to a white hat hacker than lose even a fraction of that amount of my own funds to a malicious hacker.

Dave

4 Likes

Sounds like a good place to start. Is there a place where we could pin a link to the bounty, and possibly share information and results?

I really don’t know how this works. Are there fixed or one-time costs for placing the bounty? And will smaller amounts be paid out for less impactful issues? Would that sort of info be relevant to post?

I agree with the other opinions supplied here to raise the bounty to $200k. Are there other options such as smart contract insurance or anything like that? I’m thinking of anything upstream of after things are deployed to production in which we could spend on for mitigation as opposed to after the fact.

We have the funds to do $200k! We must show we are the best! $5k is not much. We will get some eyes on this for sure!

The DAO Fund could be used to refund users in the case of an attack after the fact. I’m also looking into Insurace

There are no fixed costs. The bounty company gets a portion of any bounties paid out. They put together and manage the entire bounty program free of charge for the most part. So all I need to do is tell them “Balanced DAO would like to increase the critical bug bounty to 200k” if we vote to approve

1 Like

Go ahead with this, great idea and the immunefi platform is top notch. For $200k it needs to be a vulnerability in my opinion. Perhaps we can add another standardised reward (low $$ reward) for basic non-critical bugs?

Thank you. Today, one day after your reply, that number already stands at 2.8 mill, so that would imply that there is definitely room to increase the bounty by quite a lot.

1 Like

That makes a lot of sense, thank you.

In reply to my own reply, what I had not accounted for of course is the increase in ICX price since yesterday. Doh!

1 Like

Can we have some justifications for the specific amount requested? I fully agree that 5k is way too little of a bounty. I’m just trying to understand the increase to 200k. I would be more than ok with 100k, and I’m open to the idea of 200k.

Do we not believe that 100k would be enough for someone with that given set of specific skills to try to find flaws? To me it would make sense to increase the bounty incrementally over time if no flaws are found and as the DAO’s fund grows.