
I just voted "Yes" on "Stargate ImmuneFi Bug Bounty Program" snapshot.org/#/stgdao.eth/pro… #SnapshotVote
Stargate ImmuneFi Bug Bounty Program
Background:
Within the crypto industry, the security space and its challenges are ever evolving. One of these challenges is optimising the vulnerability disclosure process for projects, where the stakes are typically much higher than in the traditional model. The crypto industry regularly sees a wide range of security incidents affecting values from millions of dollars to hundreds of millions of dollars. Fortunately there are a vast number of security researchers in the space who offer their time and expertise towards protecting against such incidents via responsible disclosure, but unfortunately just as often it’s their blackhat counterparts aiming to profit from exploits.
The sheer amount of funds potentially at risk calls for increased incentives as part of a bug bounty program, acting both as an attractive offer to those who could be swayed to operate maliciously and as a justified reward to those with pure intentions.
With the imminent launch of Stargate V2, Stargate should look towards the publication of a comprehensive bug bounty program covering the assets and impacts in scope, tiers of rewards, and any other relevant information in order to maximise the chances of a positive outcome in the event that there is ever a vulnerability found within the protocol. This program should be hosted with a bug bounty platform such as Immunefi to ensure awareness of its existence is widespread.
Stargate V2’s codebase is entirely open-source and can be viewed here. It has also been through an industry-leading 4 external audits; all audit reports are publicly available here.
Proposal:
Having looked at existing live programs on Immunefi for reference and inspiration, the following is proposed:
The creation of a bug bounty program with a maximum reward of $10M, showing a commitment to the security of Stargate V2 and its TVL; it should cover the core smart contracts that make up the Stargate Protocol on each chain. The final list of smart contracts will be listed publicly on the Immunefi Bug Bounty page and decided in collaboration with the Immunefi experts.
Any bounty payment for this program should be paid directly out of Stargate POL, with a KYC process required prior to final payment. The management of the program should be facilitated by the Stargate Foundation, with transparency into the process in a way that does not expose any sensitive security information prior to resolution.
Rewards by Threat Level:
- Critical: A minimum of $100K, or 10% of the value at risk at the time of report submission, with a hard cap of $10M
- High: A minimum of $10K, up to $100K
- Medium: A minimum of $5K, up to $10K
- Low: A minimum of $1K, up to $5K
Impacts in Scope (Smart Contract):
Critical:
- Exploits resulting in the permanent locking, loss, or theft of user funds
- Attacker ability to modify Stargate UA settings
High:
- Exploit leading to theft of unclaimed rewards
Medium:
- Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
Low:
- A bug or incorrect configuration of contracts that produces incorrect outputs or behavior but does not impact participants or the protocol in a material way.
The details of this bug bounty program should be further fleshed out with Immunefi in accordance with their typical best practices regarding impacts, what is out of scope, and any other rules that should be in place.
Execution:
Stargate will create a comprehensive bug bounty program hosted on Immunefi with finalised details, with the administration of this program performed on an ongoing basis. The DAO will hold 5X the lowest payout in the Immunefi vault to boost trust.
Summary:
A bug bounty program should be created with a maximum payout of $10M and additional reward tiers in place. The publication and management of the final bug bounty program should be facilitated by the Stargate Foundation; they should work directly with Immunefi to complete this on behalf of the StargateDAO. The Stargate Foundation will cover all costs associated with initiating the set-up of this program, alongside the Immunefi annual management fee. Hence this program would be run at no additional cost to the DAO.