Summary
This proposal aims to formalize an ongoing budget to compensate third-party auditors who review both legacy code and upcoming products.
Background
Following the April 2nd and June 16th incidents, Inverse Finance has identified and enacted ways to improve our security posture, both technically and with regard to our internal product development processes. While we are satisfied with the early results of this new process, we know better than most that bugs are an inevitable part of developing new software products.
Today, Inverse relies on internal and volunteer members of the DAO for software development and QA; however, our internal quality assurance process should also include a way to draw on the skills and resources of contributors who specialize in finding security-related bugs. The prospect of a formal audit has created divisions in our DAO in the past, and recent exploits of DeFi protocols audited by reputable firms have drawn skepticism from the wider crypto audience. Nonetheless, we believe it is imperative to onboard both whitehat code testers and auditing firms so that Inverse's smart contracts and other code are thoroughly tested for security and other vulnerabilities. We believe this is an integral part of our renewed smart contract review process, and that it will inspire much-needed confidence in our DAO as we unveil a new line of products in the coming weeks and months.
Proposal
After a period of research and introductions into several qualified auditing firms and bug bounty platforms, we would like to move forward with establishing a formal working relationship with a selection (read: one or possibly more) of the following names:
- Audit: Zellic, Hacxyz, Code4Rena, DeFiMoon
- Bug Bounty: Code4Rena, Hats Finance, ImmuneFi
These protocols and firms have been vetted by our Risk Working Group and Product Working Group, and the compensation/payment structures to onboard and retain their services have been approved by our Treasury Working Group. We now address the DAO to authorize this path going forward.
A 4-of-5 multisig address (BBP multisig) composed of members of the RWG, PWG, TWG, and GWG will be tasked with managing funding and disbursing rewards to our new partners. This multisig has an allowance of $30,000 DOLA remaining from funds issued under GovMills Proposals #17 and #32.
We ask permission to spend these funds and to issue an additional 30,000 DOLA to the multisig's allowance, for a total of 60,000 DOLA. We also ask that the DAO grant the multisig an allowance of 100 INV so that we may compensate aligned protocols and encourage them to take part in our governance process.
This budget is intended to cover the forthcoming major product releases. Any new allowance issued to the multisig, irrespective of scope, will have to go through a DAO vote.
On-Chain Actions:
- Set Bug Bounty Program's DOLA Allowance to 30,000
- Set Bug Bounty Program's INV Allowance to 100