DAO Bug Bounty Reimbursement Program Research

Overview

My team (PoktFund) presents to the community our research into the current state of blockchain protocol security disclosure programs and formulates an early prototype/program that the DAO could fund. This would open Pocket Core up not only to dapp developers, protocol engineers, and app developers, but also to security specialists, bringing them into the Pocket ecosystem. The result would be insights from security experts ensuring that our protocols (v0 & V1) and other middleware layers (i.e. Cherry Picker and Wallet) are in line with industry standards.

This research will be broken into four sections:

  1. Motivation & Background
  2. Data Analysis
  3. Retro
  4. Next steps

Motivation & Background

Around July 27th, with the assistance of PNI engineer @CrisOG, I discovered a critical security vulnerability, code-named Chocolate Rain, and disclosed it to PNI. I quickly validated a PoC using a localnet, wrote a 1 to 1.5 page disclosure, and sent it to PNI, which led to a swift response and acknowledgement of the issue. You can read more about the public disclosure here - RC-0.9.0: Key Changes to Pocket Network's Protocol (“Overservicing Bug”). TLDR - under the right scenarios, it allowed a catastrophic amount of POKT to be minted through this exploit, and the network would reward without verification. Thankfully, as far as I know, this has not been abused, and it has been patched in v0.9.0.

As someone who recently went through the security disclosure process, I noticed that while the contributor guide outlines the process, the existing program did not have any publicly disclosed incentives. This prompted PNI to formulate their own security disclosure program, and prompted us [as DAO participants] to think about how we can involve the DAO as well. We are not the only ones who have thought of this - in fact, many community members liked the idea of opening up a security disclosure program to help incentivize whitehat hackers to report security vulnerabilities.

And so, our research began with how we can push Pocket forward to be one of the most secure protocols in the world. This was created in the form of a Dework community suggestion. We also had the following guidelines in mind:

  1. POKT is still very early on, and we need to make sure our protocol is as secure as possible so that a catastrophic vulnerability does not ruin the reputation of POKT. Our protocol is extremely application specific, so it faces application-specific logic errors (the “oops, derp” kind) that could cause severe damage, along with general blockchain challenges - all in one. We have to remind ourselves that we’re literally building a blockchain from the ground up, and this can lead to mistakes that happen even to the best of the best developers. This research would be the early start of something that both V0 and V1 can leverage.

  2. PNI should not be the sole entity funding these bug bounty programs. Not only is this potentially a financial burden, but we are building a permissionless network that should encompass the entire ecosystem. We have a specific treasury built for improving Pocket in the form of PEPs, PIPs, and PUPs, and we believe that security disclosures fit under these categories. Our research should provide data that supplements PNI’s current bug bounty program while integrating a key component of our ecosystem, the DAO.

  3. Provide a starting basis of data-driven analysis to align the community on what the median and average payouts are, for the benefit of future proposers.

Data Analysis

Most of our data analysis is derived from ImmuneFi and what is publicly shown on their Next.js frontend. All of the data analysis is currently open-sourced and can be viewed here.

How does ImmuneFi classify security vulnerabilities

Currently, ImmuneFi has its own vulnerability classification system, which categorizes the vulnerabilities into three different types: Blockchain/DLT, Smart Contracts, and Website & Apps. These categorizations are further broken down by the severity of the vulnerabilities, ranking them on a 5-level scale ranging from None to Critical.

You can read more about their classification system and the descriptions here.

Where does POKT fit?

In terms of how the POKT protocol fits into these categories, we believe it falls somewhere between the Blockchain/DLT and Smart Contracts categories. While POKT may not have smart contract functionality, the entire protocol can be summarized as a contract + protocol all in one, since it is a specialized L1 chain. The web wallet and gateway (Portal API) would fit in the Websites & Apps category.

How current protocols are paying out

We analyzed 299 different protocols and 1399 different bounties to see how current “foundations”, “protocols”, etc. are incentivizing whitehat hackers to research and disclose vulnerabilities.

Category                    Severity   Avg. max payout (USD)   Median max payout (USD)
blockchain_dlt              low                   2,416.67                  1,000.00
blockchain_dlt              medium               10,957.89                 10,000.00
blockchain_dlt              high                 60,239.13                 50,000.00
blockchain_dlt              critical          1,358,127.00              1,000,000.00
smart_contract              low                   1,638.53                  1,000.00
smart_contract              medium                8,585.50                  5,000.00
smart_contract              high                 39,023.80                 20,000.00
smart_contract              critical            486,560.19                100,000.00
websites_and_applications   low                   1,033.93                  1,000.00
websites_and_applications   medium                2,806.69                  2,000.00
websites_and_applications   high                 11,327.60                  5,000.00
websites_and_applications   critical             69,488.16                 19,000.00

YAxis (Protocol) was excluded from this analysis due to a different data schema. When normalizing the data, if a range was given, the highest value was picked. In the event that a protocol only pays out in coins, the amount was converted to USD by ImmuneFi.

Some other interesting callouts from this analysis:

  1. The lowest payout sits around $100 and the largest sits at $10m, which has been paid out before.
  2. Ankr, which is somewhat in the same category as POKT (decentralized infra), is listed on ImmuneFi and currently offers up to a $500k reward.

Retro

Now that we have a better idea of how bounties are being paid out, this sets a baseline for future reimbursement and grant asks on how much one should be awarded. This allows proposals to be aligned with current market incentives and starts a conversation that many folks can align on - instead of guessing in the dark at how much one’s contribution deserves.

In summary, these are the two points worth noting from this research:

  1. Avoid friction. Anything proposed should supplement existing programs. PNI (the maintainers of the projects) should continue to be the main entity for handling the disclosure of security vulnerabilities, to ensure a seamless and coordinated fix. In our experience, security disclosures can spread like wildfire. As the DAO continues to evolve (per committee conversations), there can be some exploration into delegating some responsibilities to community members.

  2. The exploit space in cryptocurrency is lucrative for both blackhat and whitehat hackers. We, as a community, need to balance that to ensure the protocol is safe from bad actors. The DAO treasury should be used to incentivize security disclosures, as long as the ask is reasonable and supported by market data as shown above.

Next steps

Here are our general suggestions - and we’d love to know what the community thinks as well:

Improving presence in the security space

  1. POKT should be listed on existing hacker communities such as HackerOne and ImmuneFi. From our experience in the field, we have noticed that security exploits often come through these platforms, and they have been paramount to the successful resolution of these disclosures.

  2. There are other interesting solutions growing out there for blockchain protocols. For example, we hopped on a call a couple of months back to learn more about a decentralized bug bounty platform, https://hats.finance/. While we do not endorse nor are we associated with this protocol in any way, it revealed to us that there are even more avenues we can look towards (with community vetting) in the future. Currently, this platform is limited to EVM-based chains, or chains compatible via a bridge. Though this is just one example of how we could see this whole process being refined in the future.

We should continue to research other sources if possible. Furthermore, if PNI can form a BD relationship with these hacker communities, I’m sure they would be more than happy to help define a process with their industry experience. In fact, ImmuneFi has recently posted on the forum in regards to this and getting us listed.

Projects in scope of DAO reimbursement

We suggest that the repositories that compose the production, core pieces of the POKT network are in scope for reimbursement.

This list is subject to change based on which repositories are being used in production, e.g. the new Pocket client or the V1 protocol.

Defining a process for DAO reimbursement

This is just our brainstorm of a high-level roadmap/game plan:

Phase 1 (KISS)

  1. Security vulnerability is disclosed to PNI through email.
  2. PNI triages, remediates, and coordinates the fix of the disclosure as usual, crediting the authors.
  3. PNI awards contributors with X amount of funds.
  4. If the award does not align with market averages, then the contributor can present their case to the DAO for further reimbursement or a grant.

This is not too different from what we have today as a starter, except there is data present to align the proposer and community, we have defined projects in scope, and we are leveraging the DAO treasury to make the current process more attractive.

Phase 2 (Evolve)

1. Pocket partners up with top bug bounty platforms.
2. Security vulnerability is disclosed to PNI through email and bug bounty platforms.
3. PNI triages, remediates, and coordinates the fix of the disclosure as usual, crediting the authors.
4. PNI awards contributors with X amount of funds.
5. If the award does not align with market averages, then the contributor can present their case to the DAO for further reimbursement or a grant.

Phase 3 (Maturity)

1. DAO authorizes/allocates n% of its treasury to PNI to supplement the existing bug bounty program.
2. Pocket partners up with top bug bounty platforms, with the allocated funds as part of the payout structure.
3. Security vulnerability is disclosed to PNI through email and bug bounty platforms.
4. PNI triages, remediates, and coordinates the fix of the disclosure as usual, crediting the authors. DAO committee members (if we ever form one) can be part of this disclosure process.
5. PNI awards contributors with X amount of funds, leveraging both their own funds and the DAO treasury to keep payouts at market rates.

Bug Bounty Allocation subject to change

Future

As Pocket continues to grow and evolve, so will our security disclosure programs and incentives. We look forward to that alongside the community’s thoughts and input!

Concerns

Using the DAO treasury to pay for security funds at ATL prices could quickly liquidate our funds.
This is a valid concern, not just for security-based proposals but all proposals. The above market data analysis is to give more color to the existing market today. We are starting the initial research and conversations, only. Ultimately, this is a bigger conversation at hand and warrants a different research thread on how we should budget, burn, and leverage our treasury during bear and bull markets.

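As an added worked example (not part of the post above and not code from the PoktFund analysis repository), the following Python reproduces the normalization rules the post states for the payout table on a handful of constructed bounty rows: a payout given as a range keeps its highest value, a coin-denominated payout is converted to USD at a supplied rate, and the resulting per-bounty maximum is then averaged and medianed per category and severity. The sample rows, the coin rates, and the function names are all assumptions for illustration; the real dataset and the ImmuneFi conversion rates are not reproduced here.

```python
"""Reproduce the bounty-table methodology on constructed sample data.

Rules, as stated in the research post:
  * a payout given as a range keeps its highest value
  * a payout in coins is converted to USD (here at an assumed fixed rate)
  * bounties are grouped by (category, severity) and the mean and median
    of the per-bounty maximum are reported
"""
import re
from collections import defaultdict
from statistics import mean, median

# Assumed coin -> USD rates for the example only (not ImmuneFi's rates).
COIN_USD = {"ETH": 1500.0, "DOT": 5.0}

# Constructed sample rows (category, severity, payout as listed); not real data.
SAMPLE_BOUNTIES = [
    ("blockchain_dlt", "critical", "$1,000,000"),
    ("blockchain_dlt", "critical", "Up to $2,500,000"),
    ("blockchain_dlt", "critical", "$500,000 - $1,000,000"),
    ("blockchain_dlt", "high", "$50,000"),
    ("blockchain_dlt", "high", "$10,000 - $75,000"),
    ("blockchain_dlt", "high", "30 ETH"),
    ("smart_contract", "low", "$1,000"),
    ("smart_contract", "low", "$500 - $2,000"),
    ("websites_and_applications", "medium", "$2,000"),
    ("websites_and_applications", "medium", "1,000 DOT"),
]

# Matches numbers with optional thousands separators and decimals.
_NUM = re.compile(r"\d[\d,]*(?:\.\d+)?")


def parse_max_payout_usd(text, coin_usd=COIN_USD):
    """Return the highest USD value expressed in a bounty payout string.

    Ranges ("$10,000 - $75,000") resolve to their upper bound; a payout
    quoted in a known coin ("30 ETH") is converted at coin_usd[symbol].
    """
    amounts = [float(m.replace(",", "")) for m in _NUM.findall(text)]
    if not amounts:
        raise ValueError(f"no amount found in {text!r}")
    high = max(amounts)
    for symbol, rate in coin_usd.items():
        if re.search(rf"\b{symbol}\b", text):
            return high * rate
    if "$" not in text:
        raise ValueError(f"unknown currency in {text!r}")
    return high


def summarize(bounties, coin_usd=COIN_USD):
    """Group normalized maxima by (category, severity); return stats per group."""
    groups = defaultdict(list)
    for category, severity, payout in bounties:
        groups[(category, severity)].append(parse_max_payout_usd(payout, coin_usd))
    return {
        key: {
            "n": len(vals),
            "payout_max_average": round(mean(vals), 2),
            "payout_max_median": round(median(vals), 2),
        }
        for key, vals in sorted(groups.items())
    }


def render_table(summary):
    """Render the summary in the same column layout as the post's table."""
    lines = [f"{'category':<27} {'severity':<9} {'avg max (USD)':>15} {'median max (USD)':>17}"]
    for (category, severity), stats in summary.items():
        lines.append(
            f"{category:<27} {severity:<9} "
            f"{stats['payout_max_average']:>15,.2f} {stats['payout_max_median']:>17,.2f}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(summarize(SAMPLE_BOUNTIES)))
```

With a real export, the rows would come from the scraped ImmuneFi listings rather than the constructed list, and the coin rates from the conversion ImmuneFi applied on the day of the scrape; the grouping and the max-of-range rule stay the same.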

I strongly support this proposal. A clear incentive model encourages good behavior on the network, and gets folks looking at our security for the right reasons.