Bug Bounty Program

Summary

Security is mission-critical for protocols such as Orca. To make Orca’s new release (Whirlpools) more secure, we believe the protocol should allocate 1M ORCA for a bug bounty program. The program would improve the security of Whirlpools, which, in turn, would grow Whirlpools’ usage.

Motivation

While Whirlpools is being audited by Neodyme and Kudelski, we believe that having as many eyes as possible reviewing the code will improve the probability that bugs are identified and fixed. To that end, bug bounties are an incredibly effective way to get independent, good-faith hackers to spot nasty bugs before any damage is done.

Description

We propose 1M ORCA be allocated for Orca’s first bug bounty program. These funds would be used exclusively to fund bug bounties on platforms such as ImmuneFi.

We think the most practical solution is for the core team to operate the program: they wrote the Whirlpools code, and are best-positioned to work on structuring bug bounties.

We have spoken to Orca’s core team about the need for the program, and they agreed it’s a necessary initiative and one that makes sense for them to operate. In addition, the bug bounty program makes it safer to open-source the smart contract, which will help encourage other protocols to build on top of Whirlpools.

To that end, we propose the following process as part of this proposal:

  • ORCA tokenholders vote to approve or reject this proposal.
  • If approved, 1M ORCA would move from the community treasury allocation to the Bug Bounty program budget.
  • The Bug Bounty program would be operated by Orca’s core team. Most likely, a large portion of the budget would be used to sponsor bounties on proven platforms such as ImmuneFi.
  • If bugs are found, Orca’s core team would commit to fixing the newly discovered bugs and reporting them to the community on a timely basis.

Compensation

Reverie is an advisor to Orca and will not be asking for compensation as part of this proposal.

Conclusion

We believe the protocol should be willing to spend on its own security. In addition to smart contract audits, bug bounties are an effective way to mitigate risk. In our view, 1M ORCA is a small price to pay for additional security provided by a bug bounty program.


A protocol handling Orca’s TVL and txn volumes should 100% have a robust bug bounty program. I fully support this measure.

Update: the proposal has been posted for an on-chain vote.

Please vote at this link!


When building a DeFi exchange, it makes total sense to move towards a Bug Bounty Program and make use of the core rationale: use the power of the people to raise the security level for the people.

Well done on this @larry! Much needed initiative for any DeFi protocol IMO.

For those who are curious, here is a detailed overview of the program on ImmuneFi’s website.

I know it’s only been a short time since this proposal was passed, but I was thinking it would be really cool to see a periodic summary of bugs found and bug bounties paid out. Is that something that can be shared here in this thread?
