GIP-30 - Bug bounty administration and back pay to Warbler Labs

Author: @blakewest

Summary:
In September 2021, the Goldfinch Community announced a $500k Bug Bounty Program through Immunefi. This program was always meant to protect the community. We propose that the community authorize Warbler Labs to administer the Bug Bounty program on behalf of the DAO, pre-authorize the governance council to spend up to $500k on the program, and cover the back pay of $104,250 to Warbler Labs for the bounty payouts already made.

Motivation:
Since launch, we have had 2 critical and 5 high severity bugs, resulting in a total of $104,250 allotted in bug bounty rewards, which have been paid by Warbler Labs. Warbler funds were never meant to cover costs that are directly incurred by community programs. The security of our system remains our highest priority, and in order to streamline future payments, we propose that the community delegate Warbler Labs to administer the existing Immunefi bug bounty program.

Specification & Requirements:
All payments will be notified to the community ahead of time. They do not need to be voted on (i.e., they are assumed to be a “yes”), but if there is substantial disagreement then the council will hold off on making payments. As part of this, the proposal includes retroactively reimbursing Warbler Labs for the $104,250 of payments already made (see transactions below for specific expenses).

Benefits: Uphold the highest levels of security by giving a substantial monetary incentive for good faith hackers and security researchers to responsibly disclose bugs that could put user funds at risk.

Drawbacks and Risks: None

Voting:

Yes: Appoint Warbler Labs as community delegate and approve $104,250 in back pay, and up to $395,750 in additional payments (for a total of $500k) to support the bug bounty program.

No: No appointment or allocation.

Resources:

Past transactions paying out hackers:

https://polygonscan.com/tx/0xe14695972b3dc1126343d0b35025c7f162b4cabdf2b8503c69af473b7f4c2655

https://etherscan.io/tx/0x59bf6bc560e01bd6b8971df404a3ddbf225067ecb4c30f676e406445cc4be1b7

https://etherscan.io/tx/0xbbba458327aee355ac0aa3cf5b6ade35e53239e736214b0fa910ede55600a188

https://etherscan.io/tx/0xcdd00061cb6b3d9a8f8e2eaba29a1ef3ba88812440010df4608de6ca2212d659

https://etherscan.io/tx/0xa68f3dc0346f0328981c2670b66e67d3fb25ac1a273c44162d46d06551f4a286

https://etherscan.io/tx/0xc3f6128df111f9f5ecf4c4076e7393c016b713429312cbe6498e925891ad3699

https://etherscan.io/tx/0x864bc874bfdaf4ea7de6f1012aebfe9b16ca7ee6855887d776c89b0f8036e1e7

https://etherscan.io/tx/0x27e069fa246cf6b1e169815253bf387a19fbd5cd9c3a2aadd7ea1ad98756ede6

https://etherscan.io/tx/0x5f4b2d3f7de47727cecbd38f531bd245e946fff65e76387e4759febc1fb77a60

https://etherscan.io/tx/0x7938418b2e350d3b091b53eb70b5396755d1d769fb7cb828d48c4741e44549ff

I believe this proposal to be fair enough; however, if the back pay implies using and selling GFI to cover these costs, I suggest introducing a timeline and specifying the amount to be paid off each time according to that timeline. @blakewest

Good question @RP2743! This would not include the use of GFI to cover costs. It assumes that the payments come out of the existing USDC in the Goldfinch treasury.

Thanks for letting me know. I would support this proposal and vote “yes”, as it is perfectly fair.

I vote “Yes”. Paying the hackers for finding critical bugs is definitely good for the protocol’s security.

The proposal is considered rejected. The quorum for voting on Snapshot was not reached.

I believe that security is always important; otherwise there will be a mistake, and either a person will receive a reward or millions will be stolen… Which option is better?

The security of our system is our highest priority, so my vote is “YES”.

Council has approved the proposal.

I totally agree. Paying hackers to find critical bugs is certainly necessary for the security of the protocol.