GIP-30 - Bug bounty administration and back pay to Warbler Labs

Author: @blakewest

In September 2021, the Goldfinch Community announced a $500k Bug Bounty Program through Immunefi. This program was always meant to protect the community. We propose that the community authorize Warbler Labs to administer the Bug Bounty program on behalf of the DAO, and to pre-authorize the gov council to spend up to $500k on the program and cover the back pay of $104,250 to Warbler Labs for the bounty payouts already made.

Since launch, we have had 2 critical, and 5 high severity bugs, resulting in total payment of $104,250 allotted in bug bounty rewards, which have been paid by Warbler Labs. Warbler funds were never meant to cover costs that are directly done as community programs. The security of our system remains our highest priority and in order to streamline future payments, we propose that the community delegate Warbler Labs to administer the existing Immunefi bug bounty program.

Specification & Requirements:
The community will be notified of all payments ahead of time. They do not need to be voted on (i.e. they are assumed to be a “yes”), but if there is substantial disagreement then the council will hold off on making payments. As part of this, it includes retroactively reimbursing Warbler Labs for the $104,250 of payments already made (see transactions below for specific expenses).

Benefits: Uphold the highest levels of security by giving a substantial monetary incentive for good faith hackers and security researchers to responsibly disclose bugs that could put user funds at risk.

Drawbacks and Risks: None

Voting:

Yes: Appoint Warbler Labs as community delegate and approve $104,250 in back pay, and up to $395,750 in additional payments (for a total of $500k) to support the bug bounty program.

No: No appointment or allocation.


Past transactions paying out hackers:

I believe this proposal to be fair enough; however, if back pay implies the use and sale of GFI to cover these costs, I suggest introducing a certain timeline and specifying the amount to be paid off each time according to that timeline. @blakewest


Good question @RP2743 ! This would not include use of GFI to cover costs. It would assume that the payments come out of the existing USDC in the Goldfinch treasury.


Thanks for letting me know. I would support this proposal and vote “yes”, as it’s perfectly fair.

I vote “Yes”. Paying the hackers for finding critical bugs is definitely good for the protocol’s security.

The proposal is considered rejected. The quorum for voting on Snapshot is not reached.

I believe that security is always important or there will be a mistake and a person will receive a reward or millions will be stolen … Which option is better?

The security of our system is our highest priority, so my vote is “YES”.

The Council has approved the proposal.

I totally agree. Paying hackers to find critical bugs is certainly necessary for the security of the protocol.