[FINAL] Spearbit + Immunefi Bug Bounty Program for Large Protocols Building on Optimism

Proposed Mission: Spearbit + Immunefi Bug Bounty Program for Large Protocols on Optimism.

Proposal Tier 42: Phoenix

As Spearbit, we qualify for the Phoenix Tier based on previous work done with the Optimism Foundation.

Baseline grant amount: 100,000 OP

% of total available Intent Budget: 10%

Please check here if access to upfront capital is a barrier to completing your Mission and you would like to be considered for a small upfront cash grant: No

Alliance name: Spearbit + Immunefi

Alliance Leads:

Spencer Macdonald, Co-Founder and CEO @ Spearbit

Mike Leffer, COO @ Spearbit

Henry Shen, Senior AE @ Immunefi

Contact info:

mike@spearbit.com
hen@immunefi.com

L2 recipient address: TBD

Please list the members of your Alliance and link to any previous work:

Spearbit is a distributed network of security experts providing security services to web3 clients. Our members include some of the most seasoned Security Researchers in the industry. We provide security audits, monitoring, advisory and incident response services for organizations like Optimism, OpenSea, Polygon, and Connext. More about our work with Optimism and other clients can be found on our website / portfolio.

Immunefi is a web3-focused bug bounty platform that utilizes a network of 30k+ whitehat hackers for any type of blockchain project that utilizes smart contracts. Projects also have the ability to list bug bounties for more traditional SaaS components such as their web/app architecture. Our client roster includes some of the industry's leading names, like Polygon, Lido, RocketPool, SushiSwap, GMX, Arbitrum, etc. Refer to our website for additional information on our client roster and previous work.

Please explain how this Mission will help accomplish the above Intent:

Technical decentralization, at its core, involves the distribution of control, authority, and operation across multiple independent entities. This avoids a single point of failure and prevents the system from being controlled by a single entity.

  1. Security Assurance for Decentralized Infrastructure: This program will ensure the security of decentralized infrastructure by incentivizing the discovery and reporting of vulnerabilities. Given the interconnectedness of protocols in the DeFi ecosystem, vulnerabilities in protocols with large TVL can pose systemic risk, lead to multi-protocol exploits, and cripple the reputation of entire ecosystems. A bug bounty program aimed at the largest protocols can help mitigate such systemic risks, contributing to a more stable and resilient decentralized environment. This program will also allow large protocols building on Optimism to receive a wide variety of opinions and feedback on their protocol and smart contract code since Immunefi utilizes a community of 30K+ whitehat hackers. A wide variety of opinions and feedback will contribute to the security assurance for decentralized infrastructure since it allows projects to receive unbiased and new feedback.

  2. Distributed Accountability: Our proposal distributes the responsibility of network security to a broader group, thus decentralizing the accountability that would traditionally lie with a central authority or a small group of developers. It can also support the work of community teams like OP Labs by providing an additional layer of security review and feedback. This can enhance the quality and reliability of their development work, contributing to the overall health of the decentralized ecosystem.

  3. Enabling Bridge Decentralization: Secure apps are crucial for bridge decentralization, as they often serve as primary liquidity sources and integration points for cross-chain interactions. Ensuring the security of a major app, therefore, helps facilitate safer and more efficient cross-chain operations, contributing to the overall technical decentralization. Immunefi and Spearbit utilize a massive community of whitehat hackers and vetted Security Researchers with experience across various ecosystems, languages, and types of projects. This program will further contribute to bridge decentralization since it will help secure apps as apps seek cross-chain functionality.

We believe that this program would represent a start in the direction of a community-led security effort, one where new protocols and users would have confidence in deploying their time and money.

What makes your Alliance well-suited to execute this Mission? Spearbit has an established track record in the field of auditing and security consulting in web3. With our network of Security Researchers, we can ensure high quality code reviews leveraging our community to maximize detection and prevention. Our previous work with the Optimism Foundation further attests to our capabilities in this area.

Immunefi is a web3-focused bug bounty platform that protects over $60 billion in user funds. We work with many notable names across L1s, L2s, and DeFi protocols such as LayerZero, Cronos Labs, Polygon, Arbitrum, Boba Network, GMX, SushiSwap, etc. in hosting bug bounties for their protocols. We host bug bounties for any type of blockchain project, regardless of coding language, ecosystem, or type of project (DeFi vs. creator economy). We utilize a community of over 30k whitehat hackers who use our platform to hunt for bugs within our clients' protocols. Immunefi is well-suited to executing this mission given the wide variety of projects, languages, and ecosystems that we currently work with. Our whitehat hacker community does not discriminate against any type of project, allowing Optimism projects to receive a diverse set of opinions and feedback from various types of whitehat hackers all around the world.

Please list a critical milestone: Achievement of comprehensive bug coverage in large protocols on Optimism. We are first starting by securing Velodrome, the largest liquidity and trading marketplace on Optimism.

How should Token House delegates measure progress towards this Mission: Progress can be measured through regular updates on the number and severity of bugs detected and addressed. A dedicated staff for the bug bounty program should be acknowledged and maintained.

Benchmark Milestone 1: Comprehensive bug coverage Velodrome (by July 5th).

Benchmark Milestone 2: Comprehensive bug coverage in 50% of the targeted protocols

Benchmark Milestone 3: Comprehensive bug coverage in 100% of the targeted protocols

How should badgeholders measure impact upon completion of this Mission?

  • KPI 1: Number of bugs detected and addressed.
  • KPI 2: Number of large protocols assuredly secure and thus promoting more deployment on Optimism.

Breakdown of Mission budget request: The budget will only be used for the bug bounty rewards per Immunefi's standard terms of service.

I confirm that my grant will be subject to clawback for failure to execute on critical milestones: Yes

I confirm that I have read and understand the grant policies: Yes

I understand that I will be required to provide additional KYC information to the Optimism Foundation to receive this grant: Yes

I understand that I will be expected to follow the public grant reporting requirements outlined here: Yes

7 Likes

Hi, bug bounty sounds like a good idea but I feel there's some missing information:

  • Do you plan to use the 100k OP to do a Velo bug bounty only?
  • How long will the program run?
  • What happens with the funds once the program is over if there are no bugs?
  • Will the Velo team be responsible for reporting found bugs and respective bounties?
  • Can you specify how much goes to Bug Bounty and how much goes to operational costs and staff support?
3 Likes

Great questions!

  1. As of right now, Velodrome is the only "approved" project to receive this 100k in matching funds, hence this proposal. The ultimate goal is to leverage additional funding for other large protocols building on Optimism other than Velodrome. From our experience, we need large amounts of funding for each protocol to properly incentivize the whitehat community.
  2. Indefinite. We don't charge anything to have a bug bounty on our platform (Immunefi). The program runs as long as the project or team wants to.
  3. Do you mind clarifying here? Velodrome is posting a bug bounty on our platform and then our community of 30K whitehat hackers will see Velodrome's bug bounty. So technically the whitehat hackers are "responsible" for reporting bugs but ultimately, the Velodrome, Immunefi, and Spearbit team will work together to ensure the bug is in scope, adheres to program rules, etc.
  4. No operational costs or staff costs! The only time the funds are used is when a bug is addressed and resolved by the Velodrome, Immunefi, and Spearbit team.
3 Likes

Hey @hen, thanks for the answers. What you say about staff costs and what the proposal says are not the same. If you have the ability to edit the proposal or ask the author to do it, it'll be good.

1 Like

Great catch @Gonna.eth, I've updated the proposal accordingly. Let me know if that is more clear!

1 Like

the only "approved" project to receive this 100k in matching funds hence this proposal.

For clarity, when you say 'matching funds' do you mean that Velodrome are putting up a 100k bug bounty themselves and the 100k that is being requested in this proposal is to match that? So a 200k bug bounty in total?

I've written before in favour of funding bug bounties, but it seems like big, established projects should be able to pay for these themselves and if we're going to put OP into this we'd be better off targeting it at smaller projects with small budgets that have grown quickly and now have a significant potential reward vs effort for attackers but may not have the capital to fund bug bounties themselves.

4 Likes

Great feedback.

Yes, Velo is matching the funding!

I do agree that we should also support smaller projects that have grown quickly. We think about the security of OP from a threat model perspective. The ecosystem attack surface is large, so we have to prioritize the vectors that are highest risk and highest impact. So, Velo certainly makes the list. The type of projects you mentioned should as well.

Would love to brainstorm rolling out a larger initiative focused on smaller projects. Mind grabbing some time on my calendar?

1 Like

Hi @mikefromspearbit! Wanted to make sure you were aware of the Optimism Season 4 Pitching Sessions to help find the 4 delegate approvals you'll need by this Wednesday at 19:00 GMT for your proposal to move to a vote.

These sessions are happening in Discord on Monday, 26.06 2pm ET / 6pm GMT / 8pm CET and Tuesday, 27.06 11am ET / 3pm GMT / 5pm CET.

You can sign-up here!

1 Like

I want to echo @MinimalGravitas and @Gonna.eth here that this would make a lot more sense as bounties paid by Optimism itself if the protocols you found were smaller and could not gather the funds to have their own security audits themselves.

Perhaps this would make sense as an application when such projects have been found?

3 Likes

I agree with the idea that it's in Optimism's best interest to subsidize forms of security for projects that have lots of traction/TVL and are less able to splurge on security costs themselves. I think that Velodrome fits into this category, and as a very clear outlier too - by far the largest TVL on the chain, gave away 90% of the token supply to the public and other dapps, development costs were bootstrapped with a $100k grant, no VC money, Optimism native.

3 Likes

We will certainly do this for future proposals. This is a high value proof of concept with immediate positive impact to the ecosystem. Supporting smaller projects will require additional complexity in terms of decision making + subsidizing additional services such as security reviews (audits) that are necessary prior to bug bounty programs. Working with Velo is:

  1. solving for the highest risk security attack vector on OP at the moment since they have the largest TVL

  2. to @ZoomerAnon's point, in line with supporting projects with limited budgets as they gave away 90% of the token supply to the public and other dapps, development costs were bootstrapped with a $100k grant, no VC money.

Thank you for your consideration and the discussion!

2 Likes

Hey Mike, I appreciate your idea; it is true that bugs might lead to Sybil attacks on DeFi networks. I have two questions for clarification:

  • Will the funds be returned to the government if the bug is not found, or will you use them for something else?
  • Isn't it healthier for platforms to always investigate for bugs, rather than only for bounty? You seem to be a talented and experienced team, and if the proposal is granted, would you rather use these funds to spread them over a long period of time than as a bounty reward?

Thanks in advance, and good luck!

1 Like

Happy to chime in here.

  1. If the program is wound down and no bugs are submitted/paid out on, the funds will be returned. We would ideally add smaller projects into this program so that there are multiple projects using this community bucket. The same rule applies in that if no bugs are submitted then funds would be returned to the foundation once the program is shut down or deprecated.
  2. The bug bounty program is a continuous program rather than a point-in-time solution. Does this answer your question? Let me know otherwise.
2 Likes

Yes, I'm satisfied. Thank you for your answers. It's great to guarantee funds you don't use. Good luck!

1 Like

Cheers Mike, but I don't want a private meeting, much rather flesh out my point in public so I'm not tempted to just suggest criteria that would benefit projects I hold tokens for…!

With regards to this proposal, I still don't understand why we would put 100k OP into subsidizing a bug bounty for a project which must have easily enough funds in its treasury to do so itself. Projects like Velo, AAVE, Synthetix, Uniswap, Beefy, Curve etc. are huge already and in my opinion do not need additional support in paying for this kind of thing.

In terms of Impact, the kind of projects that I think would be more appropriate beneficiaries for this type of funding would be those with a high % increase in TVL and/or user numbers, and a small treasury with which to fund bug bounties themselves. What that entails specifically I guess is for you to decide, but I'm not going to be supporting this proposal this time.

1 Like

To be clear here, Velodrome operates as a public good. 100% of protocol fees and incentives go to token lockers. And the vast majority of our token supply was distributed to ecosystem projects and users.

Unlike many other DEXs the team did not raise any VC funds and does not have any kind of team tax on protocol activity. The only way we as a team generate any revenue is through our own participation in the flywheel as token lockers.

Despite this, we've been able to build a protocol that represents over 25% of ecosystem TVL and serves as the primary liquidity hub for 80% of ecosystem tokens. For a protocol of our size and impact, Spearbit and ImmuneFi recommended a 500K bug bounty, an amount there is simply no way a protocol designed like ours could support in its entirety out of pocket.

My belief is that the ecosystem native and public good nature of the protocol combined with its essential nature makes it a perfect candidate for a pilot like this. And one that could be repeated for other large projects that meet similar criteria as well as smaller ones even if there is less ecosystem risk associated with a potential vulnerability.

4 Likes

You're comparing a number of projects that raised millions from VCs, to one, Velodrome, bootstrapped on a $100k grant. This is an apples and pears comparison.

If we want to see grant bootstrapped teams (literally the aim of Builders grants) do well, flourish and grow the ecosystem in a way that allows agility and minimises any potential compliance issues, then I believe this is a proposal to support.

3 Likes

Beefing up bug bounties across Optimism is a great proposal and a solid use of $OP grants. Sounds like there's no meaningful disagreement on that front.

But @MinimalGravitas raises an important debate: which protocols should benefit from this?

I think about it from 2 different perspectives:

  1. Is the protocol critical to the broader Optimism ecosystem?
  2. Does the protocol particularly need help / isn't able to bootstrap its own security budget?

On #1, I think it's most definitely in Optimism's best interests to help support the safety and soundness of systemically important protocols regardless of their ability to pay. If something like Velodrome, Synthetix or Aave were to blow up, that would have massive implications for everyone on the network and cause a chilling effect on its entire DeFi ecosystem. Some $OP grants to prevent this would be well-spent.

On #2, I think that's probably a no-brainer. We all likely agree that it's worth it to support protocols with smaller treasuries that can't afford robust security budgets. It's a great way to continue encouraging innovation here on Optimism.

On the topic of Velodrome specifically, they're actually in the unique position of satisfying both #1 and #2 above. They are the leading DEX on the network and critically important to the ecosystem – so many protocols are using it to bootstrap their own liquidity. And as @alexcutlerdoteth and @nickbtts have pointed out, they're uniquely under-capitalized relative to other protocols due to the lack of VC funding and its "public good" nature. I think we should absolutely support Velodrome here.

4 Likes

It's a good idea overall imo. It makes sense to have a bug bounty for protocols essential for Optimism supported by the Optimism Collective - after all, any serious exploit in a protocol like Velodrome/Synthetix/Aave/Uniswap/etc. on Optimism would hurt not just this protocol but Optimism as well. However, given that, I would prefer extending the list of protocols covered by this programme to some more protocols so as not to favour just a single protocol. Would it be possible?

I also find the arguments presented in previous posts (regarding making this accessible for smaller protocols/projects) valid. I think in the long term we would have to find some balance between covering bug bounties for smaller projects and bigger ones, but right now I think that from the Optimism perspective it makes sense to focus on protocols that pose substantial risk for the Optimism ecosystem.

Having said that, I think it's good to put it to a vote. The authors can still provide additional clarification to convince delegates to vote on this proposal later.

I am a delegate with sufficient voting power and I believe this should be put to a vote.

4 Likes

Hi there, I'm part of the Velodrome team and I'd like to provide some context from a developer perspective.

Spearbit always went an extra mile for helping us get the best setup (6 researchers, two rounds of audit, overall probably a month of work across both teams). We came to them with very specific requests and they just made it happen.

By supporting this initiative, Optimism protocols basically get priority and an opportunity to receive the best possible security review from a top-tier researcher community (there's just a handful of good researchers, and it would be great to see these folks focused on our network of protocols and users)! I believe this will help projects launch with confidence on OP mainnet and, by extension, make Optimism a stronger and committed brand in front of the end-users.

There will be exceptions for protocols who can buy any audit service they want, but there should be an alternative for those who choose to bootstrap or are looking for a chain where the priorities are aligned across all levels (operations, products, safety) and participants (network, protocols, users).

3 Likes