Immunefi Bug Bounty Changes

The Rocket Pool Immunefi bug bounty was recently updated to include Houston code. At the same time the classifications for critical bugs were changed (see cached bounty page) and partially downgraded to high based on $-value. In detail:

Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield

Used to be classified as critical ($500k bounty) and was changed to:

Direct theft of any user funds (with value > $250,000), whether at-rest or in-motion, other than unclaimed yield

Still critical ($500k bounty) and:

Direct theft of any user funds (with value < $250,000), whether at-rest or in-motion, other than unclaimed yield

Now high ($25k bounty)

The same change was made for:

Permanent freezing of funds

My initial impression was that this is about reducing cost, given that the payout either remains the same or is reduced significantly. However, langers assured me that this is not the case and that the goal was to have more sensible payouts. To check sensibility, I had a quick look at some other staking protocol programs for comparison:

  • Stader: Linear scaling (10%) with $100k minimum and $1m maximum for theft or permanent freezing
  • Stakewise: $200k fixed for loss of user funds, independent of $-impact
  • Lido: Linear scaling (1%) for loss of user funds with $100k min and $2m maximum.

It is worth noting that the bug bounty is fully run by the team and not the pDAO. So these are just my two cents and not meant as a formal proposal.

  • Scaling payout with the potential impact is a fine thing to do, but I believe that a minimum payout of $25k for critical bugs as described here puts Rocket Pool in a comparatively bad position, and I would like to see the minimum increased significantly.
  • Scaling can go both ways. Especially in the context of making a change from fixed to scaled, increasing the payout for very high impact at the same time is better optics and makes it clear what the change is about.
  • Big payout jumps based on impact should be avoided, as they create perverse incentives for whitehats. The impact of a bug can fluctuate over time with ETH value, RPL value or factors like the number of minipools in a certain state. Here, the payout would 20x if an impact goes from $240k to $260k, so there is a strong incentive for a potential whitehat to sit on a known issue until the threshold is met. Linear scaling doesn’t produce strong incentives to wait like that, because payouts are kept proportional to impact changes.

I also think we should have some early incentives for users who disclose bugs/exploits. In my opinion, only having Immunefi at the final steps of the development process is in itself a big incentive for users to sit on an exploit and wait until the bug bounty is up (which can result in big delays for the protocol).


Agreed. If you aren’t familiar, Code4rena or Immunefi Boosts, for example, are solutions that have been used by some protocols at an earlier stage.

Thank you for doing the comparison.

My initial thoughts are that our HIGH reward is too low. We left it the same because we intend to revisit the rewards after Houston has had some time on mainnet, but with the categorisation change this probably needed adjusting now.

The linear scaling approach is interesting, and as you said, it prevents the payout jumps.

We will have an internal chat about it this week.


Just an FYI that we have not forgotten about this. We did chat internally but we did not come to a resolution.

Now that Houston is out we can focus a little more, so I will revisit this.
