Summary
Security is mission-critical for protocols such as Orca. To make Orca’s new release (Whirlpools) more secure, we believe the protocol should allocate 1M ORCA for a bug bounty program. The program would improve the security of Whirlpools, which, in turn, would grow Whirlpools’ usage.
Motivation
While Whirlpools is being audited by Neodyme and Kudelski, we believe that having as many eyes as possible reviewing the code will improve the probability that bugs are identified and fixed. To that end, bug bounties are an incredibly effective way to get independent, good-faith hackers to spot nasty bugs before any damage is done.
Description
We propose 1M ORCA be allocated for Orca’s first bug bounty program. These funds would be used exclusively to fund bug bounties on platforms such as ImmuneFi.
We think the most practical solution is for the core team to operate the program: they wrote the Whirlpools code and are best positioned to work on structuring bug bounties.
We have spoken to Orca’s core team about the need for the program, and they agreed it’s a necessary initiative and one that makes sense for them to operate. In addition, the bug bounty program makes it safer to open-source the smart contract, which will help encourage other protocols to build on top of Whirlpools.
To that end, we propose the following process as part of this proposal:
- ORCA tokenholders vote to approve or reject this proposal.
- If approved, 1M ORCA would move from the community treasury allocation to the Bug Bounty program budget.
- The Bug Bounty program would be operated by Orca’s core team. Most likely, a large portion of the budget would be used to sponsor bounties on proven platforms such as ImmuneFi.
- If bugs are found, Orca’s core team would commit to fixing the newly discovered bugs and reporting them to the community on a timely basis.
Compensation
Reverie is an advisor to Orca and will not be asking for compensation as part of this proposal.
Conclusion
We believe the protocol should be willing to spend on its own security. In addition to smart contract audits, bug bounties are an effective way to mitigate risk. In our view, 1M ORCA is a small price to pay for the additional security provided by a bug bounty program.