Expanding the Bug Bounty Program and SecOps at Inverse Finance for a Secure Future

Summary

This proposal seeks to allocate a specific budget to strengthen Inverse Finance’s security measures by dividing the funds between two functions: engaging the services of Zellic for a comprehensive audit of FiRM in preparation for v2 and deployment on OP, and increasing payouts for the ongoing bug bounty program. This focused approach will help ensure the robustness of FiRM as we instill greater confidence in our user base and the wider DeFi community.

Background

Inverse Finance continues to make progress in strengthening its security measures and was recently praised for doing so by the DeFiSafety team. As a result of proposal #58 titled “Proposal to authorize allowance for formal audits”, we have successfully engaged reputable auditing firms and bug bounty platforms that have helped us identify and address potential vulnerabilities in FiRM and our Fed contracts during our contract review stage (and thus prior to launch). With the impending launch of new features as part of our FiRMv2 Roadmap and our expansion into Optimism, as well as the ever-evolving DeFi landscape, it’s crucial to remain vigilant and continue investing in security to ensure the long-term success and growth of our platform.

Proposal

In light of this, the Risk Working Group proposes a specific budget allocation for two key security functions: a new audit of FiRM and enhancing the existing bug bounty program. The breakdown of funds is as follows:

  1. Onboarding Zellic (67,000 DOLA): At the discretion of the Product Working Group, we will engage the services of renowned blockchain security firm Zellic for a comprehensive audit of FiRMv2. This engagement will last approximately three engineer work weeks and be handled by a team of 2 auditors and an engagement manager (a former auditor), and overseen by Zellic’s CTO. The collaboration with Zellic is particularly strategic as it further diversifies our pool of reviewers, and their meticulous approach promises to lay a robust foundation for our launch on Optimism.

  2. Increasing Bug Bounty Program Payout (23,000 DOLA): The remaining funds will be used to increase the payout for our ongoing bug bounty program hosted on the Hats Finance platform. Our current vault size of 20,000 DOLA falls in the lower range of bounties on the platform. By offering higher rewards, we can attract more skilled security researchers to scrutinize our code, enhancing the overall security of our platform. This addition will bring our vault to hold over 43,000 DOLA.

The BBP multisig, composed of members from the Risk, Product, Treasury, and Growth Working Groups, will continue to manage the funding and disburse rewards to our partners. We intend this budget to cover the next six months, during which we anticipate launching new products and expanding our ecosystem. Any additional allowance requests will require a DAO vote.

On-Chain Actions

  • Set Bug Bounty Program’s DOLA Allowance to 90,000
3 Likes

In favor of this proposal, costs seem fair for scope of work described. Looking forward to learning more about FiRM v2

1 Like

Fully support this proposal. Zellic is well-regarded and builds on our Nomoi and Code4rena audit work and is essential to deploying on OP and other L2s. Increasing the available bug bounty to numbers that are more comparable to other DeFi bug bounty programs is also a sound move for the DAO.

1 Like

Full support. Security is paramount.

1 Like

Since this is a relatively large expense requested, I think it is beneficial to provide context to the current financial position of the DAO to help inform voters.

Currently, the monthly stablecoin OpEx (trailing 4-month average) is $117k.

Over the past 4 months, the stablecoin treasury has been depleted by ~$149k, equivalent to 1.27 runway months (0.31/month). This is the result of cash flow losses in the months of May, June and July.

Accounting for known future stablecoin costs (DOLA bad debt repayments), the DAO Treasury stablecoin balance stands at ~$1.194M. This is equivalent to 10.17 months of runway, below the target of 12 months.

The proposed costs:

  1. Onboarding Zellic - 67,000 DOLA (non-recurring) - 0.57 months of runway
  2. Increase BBP payout - 23,000 DOLA (non-recurring) - 0.20 months of runway

In total, this proposal will reduce the stablecoin runway by 0.77 months to 9.40 months (given current OpEx levels) should it pass and the requested funds be fully utilized.

1 Like

Thank you for these insights, very helpful.

Know we haven’t done non-DOLA bad debt repayments since late June but if the opportunity arises in the coming months to divert profits there, I believe we should pause them until runway improves.

2 Likes

Agreed; this is the current plan. The idea is to get the runway back up to the minimum target of ~12 months before profits are partially used for non-DOLA bad debt repayments.

It should be noted that there are transactions that reduce this debt, such as repaying the debt using the DAO’s anTokens (received via the debt converter and repayer contracts), that have 0 impact on the DAO Treasury’s stablecoins; this will continue as normal. But nothing that uses stablecoin reserves.