Proposed Mission: Spearbit + Immunefi Bug Bounty Program for Large Protocols on Optimism.
Proposal Tier 42: Phoenix
As Spearbit, we qualify for the Phoenix Tier based on previous work done with the Optimism Foundation.
Baseline grant amount: 100,000 OP
% of total available Intent Budget: 10%
Please check here if access to upfront capital is a barrier to completing your Mission and you would like to be considered for a small upfront cash grant: No
Alliance name: Spearbit + Immunefi
Spencer Macdonald, Co-Founder and CEO @ Spearbit
Mike Leffer, COO @ Spearbit
Henry Shen, Senior AE @ Immunefi
L2 recipient address: TBD
Please list the members of your Alliance and link to any previous work:
Spearbit is a distributed network of security experts providing security services to web3 clients. Our members include some of the most seasoned Security Researchers in the industry. We provide security audits, monitoring, advisory and incident response services for organizations like Optimism, OpenSea, Polygon, and Connext. More about our work with Optimism and other clients can be found on our website / portfolio.
Immunefi is a web3-focused bug bounty platform that utilizes a network of 30k+ whitehat hackers for any type of blockchain project that utilizes smart contracts. Projects also have the ability to list bug bounties for more traditional SaaS components such as their web/app architecture. Our client roster includes some of the industry's leading names, such as Polygon, Lido, RocketPool, SushiSwap, GMX, Arbitrum, etc. Refer to our website for additional information on our client roster and previous work.
Please explain how this Mission will help accomplish the above Intent:
Technical decentralization, at its core, involves the distribution of control, authority, and operation across multiple independent entities. This avoids a single point of failure and prevents the system from being controlled by a single entity.
Security Assurance for Decentralized Infrastructure: This program will ensure the security of decentralized infrastructure by incentivizing the discovery and reporting of vulnerabilities. Given the interconnectedness of protocols in the DeFi ecosystem, vulnerabilities in protocols with large TVL can pose systemic risk, lead to multi-protocol exploits, and cripple the reputation of entire ecosystems. A bug bounty program aimed at the largest protocols can help mitigate such systemic risks, contributing to a more stable and resilient decentralized environment. This program will also allow large protocols building on Optimism to receive a wide variety of opinions and feedback on their protocol and smart contract code, since Immunefi utilizes a community of 30k+ whitehat hackers. A wide variety of opinions and feedback will contribute to security assurance for decentralized infrastructure, since it allows projects to receive unbiased and new feedback.
Distributed Accountability: Our proposal distributes the responsibility of network security to a broader group, thus decentralizing the accountability that would traditionally lie with a central authority or a small group of developers. It can also support the work of community teams like OP Labs by providing an additional layer of security review and feedback. This can enhance the quality and reliability of their development work, contributing to the overall health of the decentralized ecosystem.
Enabling Bridge Decentralization: Secure apps are crucial for bridge decentralization, as they often serve as primary liquidity sources and integration points for cross-chain interactions. Ensuring the security of a major app, therefore, helps facilitate safer and more efficient cross-chain operations, contributing to the overall technical decentralization. Immunefi and Spearbit utilize a massive community of whitehat hackers and vetted Security Researchers with experience across various ecosystems, languages, and types of projects. This program will further contribute to bridge decentralization since it will help secure apps as apps seek cross-chain functionality.
We believe that this program would represent a start in the direction of a community-led security effort, one where new protocols and users would have confidence in deploying their time and money.
What makes your Alliance well-suited to execute this Mission? Spearbit has an established track record in the field of auditing and security consulting in web3. With our network of Security Researchers, we can ensure high-quality code reviews, leveraging our community to maximize detection and prevention. Our previous work with the Optimism Foundation further attests to our capabilities in this area.
Immunefi is a web3-focused bug bounty platform that protects over $60 billion in user funds. We work with many notable names across L1s, L2s, and DeFi protocols such as LayerZero, Cronos Labs, Polygon, Arbitrum, Boba Network, GMX, SushiSwap, etc. in hosting bug bounties for their protocols. We host bug bounties for any type of blockchain project, regardless of coding language, ecosystem, or type of project (DeFi vs. creator economy). We utilize a community of over 30k whitehat hackers who use our platform to hunt for bugs within our clients' protocols. Immunefi is well-suited to execute this mission given the wide variety of projects, languages, and ecosystems that we currently work with. Our whitehat hacker community does not discriminate against any type of project, allowing Optimism projects to receive a diverse set of opinions and feedback from various types of whitehat hackers all around the world.
Please list a critical milestone: Achievement of comprehensive bug coverage in large protocols on Optimism. We are first starting by securing Velodrome, the largest liquidity and trading marketplace on Optimism.
How should Token House delegates measure progress towards this Mission: Progress can be measured through regular updates on the number and severity of bugs detected and addressed. A dedicated staff for the bug bounty program should be acknowledged and maintained.
Benchmark Milestone 1: Comprehensive bug coverage of Velodrome (by July 5th).
Benchmark Milestone 2: Comprehensive bug coverage in 50% of the targeted protocols
Benchmark Milestone 3: Comprehensive bug coverage in 100% of the targeted protocols
How should badgeholders measure impact upon completion of this Mission?
- KPI 1: Number of bugs detected and addressed.
- KPI 2: Number of large protocols with assured security coverage, thus promoting more deployment on Optimism.
Breakdown of Mission budget request: The budget will only be used for the bug bounty rewards per Immunefi's standard terms of service.
I confirm that my grant will be subject to clawback for failure to execute on critical milestones: Yes
I confirm that I have read and understand the grant policies: Yes
I understand that I will be required to provide additional KYC information to the Optimism Foundation to receive this grant: Yes
I understand that I will be expected to follow the public grant reporting requirements outlined here: Yes