[READY TO VOTE] Fraud Proof CTF Mission Request

Delegate Mission Request Summary:
To ensure the security of fraud proofs in advance of the full launch, this mission proposes creating a public CTF / short-term bug bounty to draw focus from top security talent.

S5 Intent: Intent 1: Progress towards technical decentralization

Proposing Delegate: Gonna.eth

Proposal Tier: Fledgling

Baseline grant amount: 50k OP for coordination, up to 200k OP in potential rewards

Should this Foundation Mission be fulfilled by one or multiple applicants: One

Submit by: To be set by Grants Council

Selection by: To be set by Grants Council

Start date: ASAP

Completion date: Before OP mainnet fraud proof launch

Specification

How will this Delegate Mission Request help accomplish the above Intent?

  • The most important step towards technical decentralization is getting fraud proofs live on OP Mainnet.
  • While they are currently live on Goerli, the bug bounty is low and not drawing much attention.
  • A ton of attention from top security researchers would help provide the security confidence needed to move towards a mainnet launch.

What is required to execute this Delegate Mission Request?

  • Analyze fraud proof systems to determine complete list of possible risks that could arise.
  • Determine payouts for each possible risk being identified.
  • Set up a fun “event” structure to make it more like a concentrated CTF than a typical bounty.
  • Market it to gain awareness and excitement in the security community.
  • Run the event.
  • Judge submissions and determine payouts.

How should the Token House measure progress towards this Mission?

  • Event coordinated with payouts and plan approved by OP security team.
  • Event runs successfully.

How should badgeholders measure impact upon completion of this Mission?

  • Did the event surface vulnerabilities that could have created problems if deployed to mainnet?
  • At the end of the event, does the OP team feel confident that fraud proofs are ready for mainnet?

Have you engaged a Grant-as-a-service provider for this Mission Request?
no

Has anyone other than the Proposing Delegate contributed to this Mission Request? If so, who, and what parts of this application did they contribute to? I’m sponsoring a Zach Obront proposal.

10 Likes

the bug bounty is low and not drawing much attention.

Have you got a link to what current bug bounties have been set up already?

In general this seems like a really sensible idea, if the fraud proofs can be exploited somehow then there isn’t much point in having them!

1 Like

Very much in agreement about the direction here. IMO would be useful to coordinate with the OP Labs security team on this mission request to make sure that this augments existing efforts rather than conflicting with them.

5 Likes

If the bug bounty is low would it just not make sense to increase the bug bounty? As this is just another way of putting a bug bounty right?

I’m strongly for this! I think our industry is making large improvements on the security of technical infrastructure and we should continue to provide incentive for collaboration on this effort securing critical infrastructure.

It is pretty much a bug bounty, but the bug bounty market is flooded and it can be hard to find good projects to look into (some refuse to pay out, some skimp on rewards and fight whitehats on criticality level, etc). Marketing via a CTF-like competition is an interesting idea.

Depending on OP Labs security team’s response, I would be in favor of this.

Here is the current info on the bounty: optimism/docs/fault-proof-alpha/immunefi.md at develop · ethereum-optimism/optimism · GitHub

Sounds great! But if you look on Immunefi, any issues with Fault Proof system is considered Low Severity ($1000 payout): Optimism Bug Bounties | Immunefi

1 Like

Yeah. The easiest option here would just be to increase the bounty from Low to High. But I think at best that encourages researchers to put it on their “I’ll look at it one day” list. A coordinated event will draw more eyeballs when they’re really needed.

Following @zachobront’s links I can definitely see value in this mission:

I am an Optimism delegate with sufficient voting power and I believe this proposal is ready to move to a vote.

1 Like

yeah this is the kind of thing an ecosystem gov fund is built for

I am an Optimism delegate with sufficient voting power and I believe this proposal is ready for a vote

We are an Optimism delegate with sufficient voting power and believe this proposal is ready to move to a vote.

I am an Optimism delegate with sufficient voting power and believe this proposal is ready to move to a vote.

Hello,
I am an Optimism delegate with sufficient voting power and I believe this proposal is ready to move to a vote.

An extremely important endeavor and something that I’m happy to see tackled by different teams with different methodologies.

I’m an Optimism delegate with sufficient voting power and I believe this proposal should move to a vote.

I am an Optimism delegate with sufficient voting power and I believe this proposal is ready to move to a vote.

The Developer Advisory Board has reviewed this Delegate Mission Request, and voted on its acceptance or rejection. The vote results are as follows:

ACCEPT: 6 votes
REJECT: 0 votes
ABSTAIN: 0 votes

therefore, the Developer Advisory Board accepts this delegate mission request with the contingency that the OP Labs security team signs off on it not inferring with their work.

The Developer Advisory Board has reached this conclusion based on the fact Fault Proofs are a core part of the Optimism ecosystem’s future. A bug-free & heavily reviewed Fault Proof system via a CTF therefore will meaningfully move Optimism towards technical decentralization.

We thank the proposer for putting this together.

2 Likes

The Grants Council has opened early submissions as an Indication of Interest for this mission request here

For your application to be considered, the Mission request must pass the Token House vote on February 14th. Submissions will not be considered if a Mission Request is not approved on the 14th.