[PREPROPOSAL] PoktFund 2022 LeanPOKT and Security Vulnerability Reimbursement

I agree on the need for us to figure out more quantifiable systems of assessment, but I wonder if there are effective ways to model cost around a labor calculation with a premium for innovation?

We have around 30K for a high level security exploit, and around 400K for engineering work spelled out here:

If we had an enterprise development agency billing us out at 250 an hour, this cost would equal around 1600 billable hours. So, we have a baseline for comparison there. That’s 20 full-time weeks for a 2-person team, 10 full-time weeks for a 4-person team. We have over 1600 commits over 10 months in the repo:

Plus document creation, ongoing support, etc.

I don’t think a pure hourly metric is necessarily the right way to go, but evaluating from that perspective does seem to put this in range, versus it being “abstract”.

8 Likes

@Jinx this is very much the kind of data point that is helpful! Being methodical about looking at the contribution, the amount of effort it required, the talent of the team, and allowing the voters to see the value in a way that compares to something outside of the proposal itself.

For me, this kind of value gauging helps. Much thanks :+1:

7 Likes

Yes, going to agree here. Note: I did try Shane’s value model proposal, but it felt like I was entering arbitrary and subjective values and weights to justify the ask. Interestingly enough, when I was playing around with the values, the end result was actually more than what we are asking for today. That said, I think the model is an interesting experiment, but we are going to refrain from using it for this proposal as I don’t think our team agrees with the measurement variables and weights. There are also concerns about having a level of consistency in asking amounts to prevent any looting of the DAO. This is a concern of many; however, I have full trust that the DAO is able to realize when the treasury burn is too high and come up with solutions (i.e., budgets and defining burn rates) to solve them. I believe we should actively continue this conversation, but not necessarily in this proposal.

There are also mentions of measurable metrics. In this thread, they already exist if you look for them. They are just in different form(s) depending on the reader and how they value them. We go into the time frames in which this project was delivered, the GitHub repository that dictates our work, the network adoption that we sampled of LeanPOKT, and so on. Some will value time, some will value impact, and some will value lost opportunities. Heck, even some posters have expressed that we should’ve asked for more. I think all of these variables are equally important, and we should consider all of them. The percentage in which you value XYZ is ultimately going to be subjective. In the end, when you account for the timeframe, impact, expertise needed, and value of such innovation, the ask in comparison to how much the DAO currently has in its treasury is absolutely reasonable in my book. We are not draining the DAO, the treasury is not at risk, and we’re not asking for an all-time high. As a DAO voter, I do not want to be picking and auditing whether the XYZ team actually spent XYZ hours or what each commit actually means. I actually lean on the side of valuing impact and dedication, but someone else might not, and that’s okay.

I like the idea of thinking in bets. And when you think about this proposal in terms of a bet, the value that our team will continue to produce will absolutely be worth it for the DAO and POKT.

4 Likes

Interesting. Always down to make it better and see where things are off balance. I agree that it doesn’t cover every scenario, but I’m interested in seeing where imbalances may be to improve it.

Could you share what you filled out?

I’m aware that the model works better for smaller and not bigger projects, but it would be helpful to see the imbalance. You could just share with me privately as well if you wanted. Just looking to improve it if possible :+1:

2 Likes

Don’t want to comment on the main subject, not my concern yet.

But since you pulled this anon out here, I hope that you read his humble reply to Sir Dermot as well :wink:

Caesar’s pride &amp; all you see :wink:

Ok will let you go back to your noble agenda. Great job btw!

2 Likes

I think any time we see multi-million POKT requests we get a bit of sticker shock, but Lean Pocket and Chocolate Rain were two very important contributions to Pocket as an ecosystem, and Blade is one of our most important contributors who we would do well to continue to enthuse in our project.

I support this (pre-)proposal. PoktFund doing some heavy lifting.

3 Likes

Can you please share what from the LP development carries forward into v1? Even if LP itself is not needed in V1 (or is it?), IP, lessons learned, etc., may very well survive. Knowing what survives into v1 and what terminates with v0 may help in the evaluation of the proposal.

4 Likes

V1 is a complete rewrite; only learnings will be carried over. Everything from V0 is a lesson learned for V1. For example, database persistence specifications allow for n:1 processes. Though, we’re not taking credit for any of that either. I’d say the largest value add to the V1 roadmap is probably the people (i.e., PoktBlade), the contributors from V0 familiar with the Pocket protocol who can provide experience to improve V1.

3 Likes

tl;dr I fully support the reimbursement of the work done here but believe the asking amount needs to be re-evaluated.

It was brought to my attention why the core protocol team left comments on the reimbursement of POKTScan’s Geo-Mesh but not here.

Most of my thoughts on the asking amount in this comment transfer over to this preproposal as well.

This asking amount will capture approximately 7% of the DAO’s treasury. Not accounting for Thunderhead’s potential reimbursement request, alongside other work the community is doing (Geomesh, branding, marketing, etc…), and given that there is no active proposal to raise the DAO’s allocation from each block (currently at 10%), my gut is telling me that the figure is simply too large.

I don’t have a good answer to what the amount should be, but I know @shane has been putting a lot of thought and effort into this.

5 Likes

Here are my two cents for what it is worth. I posted almost identically to the PoktScan geo-mesh proposal.

  1. Evaluating funding size in terms of percentage of treasury is good. Even better, IMO, is evaluating it in terms of how much of the inflow into the treasury it represents. The nuance of difference is important, because the first method tends to promote a “lack” mentality (i.e., “once 20 funding requests of 5% of the treasury are approved, the DAO will be broke”) while the latter keeps in the forefront of the mind that the DAO treasury is more like a river flow to be managed to match inflow and outflow. Currently the DAO receives approximately 2M $POKT per month. So this ask represents 3 to 4 months’ worth of DAO budget. (A combined PoktFund/TH ask of 10M for LP would represent 5 months’ worth of DAO budget.) This, to me, seems like the right ballpark for an effort and an impact of this magnitude.

  2. The benefit to the project and the ecosystem of open-sourcing solutions for mutual benefit rather than keeping them proprietary for self-benefit cannot be overstated. What behavior does the DAO wish to incentivize? Reimbursing to the level that tells contributors that they will be rewarded adequately for open sourcing will incentivize more of the same in the future. Reimbursing at a miserly level tells contributors that in the future they are better off keeping innovation proprietary and milking every last competitive advantage they can for themselves. To me, the former is a vastly wiser and superior course of action.

  3. Applying the “thinking in bets” idea also results in the same conclusion. The value Poktfund has brought to the ecosystem is tremendous. This is a multi-person effort and there has to be reasonable reimbursement in order to keep the team together and contributing.

  4. Repeating myself a bit: this is a multi-person effort; some of the comments made to the effect that “we support funding but the ask is too high” are likely not taking into account this fact and instead comparing their salary or contract labor rate to this ask as if it were all going to one person. It is not.

7 Likes

I really like this principles-based approach. Aligning on what is valuable, even if we don’t agree on “how much” value was created, definitely moves the ball forward. I think Dermot is going to elaborate on this, but I just wanted to say parameters around public good, utilization across the network, and benefit (especially if that benefit is to paying customers!) are some good ones to think about.

4 Likes

This proposal is a no-brainer.

But is 7 million the right number? (Or whatever number ends up being requested when this pre-proposal becomes a proposal.)

PoktFund says it conducted an analysis of existing bug bounties to ensure that the asking amount for its work on Chocolate Rain was in line with current industry market levels. But we don’t know the asking amount because it’s rolled up with the asking amount for LeanPocket.

If we knew what PoktFund was seeking for Chocolate Rain, we’d know what it wants for LeanPocket. Knowing this will help assess whether the number is right or not. Also, it will give a needed comparison for the imminent reimbursement proposal by Thunderhead for its work on LeanPocket.

PS: I’d love to know why it’s called “Chocolate Rain”.

2 Likes

I asked that question above, and it was answered here:

2 Likes

Thanks for pointing that out. That fully answers my question.

The proposal should mention this breakdown for voters who may not be conversant with this thread.

1 Like

Hey everyone,

For the sake of transparency, @zataar has been reviewing our proposal to make it more concise and readable for the average reader.

EDIT:
We’ll be putting it to vote after ETHDenver to give adequate time for enough discourse and give the opportunity for many of us to meet and talk about this proposal as well. See you there!

Cheers

5 Likes

Thanks again POKTfund team for your excellent contribution (and to the Thunderhead team as well!)

Sharing a link to my recent post so that we can bring some of this thinking into the equation too.

Two main points I would add in the meantime:

  1. The impact of this work should be considered as a whole, i.e., whatever figure we agree on as appropriate for the impact of LeanPOKT should be what is shared between both the Poktfund and Thunderhead teams (cc @addison @Sevi @pierre), and the contributors to LeanPOKT should tell us what the appropriate split for their work is (e.g., 67:33 as mentioned in some previous posts).

  2. Chocolate Rain (hilarious name lol) should be judged on its own merits using a similar analysis of how impactful it was.

4 Likes

I fully recognize the importance and impact of the light client on the network. It is, IMHO, the biggest improvement to the network in 2022. I am not personally using it (we have our own implementation) but we benefitted from the idea, and so did the rest of the network. Furthermore, I appreciate the incentive they (both PoktFund and TH) have taken, and the good will to open source it eventually. Thank you team! It should be rewarded to do right by them, as well as to encourage future contributions.

That said, and with all respect, I think the ask is too much, especially considering it is for an unknown % of the work. As I said for the GeoMesh as well, it doesn’t compare favorably to what PNI has asked for the whole company (60+ people), for the foreseeable future (at least a year+), and a huge and risky undertaking (v1), which is being run in a completely transparent and open-sourced fashion since day one.

One more thing: in general, I am hesitant to grant funds all at once. Whatever amount is agreed should be distributed over time to ensure that the DAO is not caught at the bottom of the market. Perhaps over 6 months, with the $ amount converted to POKT using the trailing 30-day average at each month.

2 Likes

Hey everyone,

An update to our proposal. Over the past ~26 days, we’ve received feedback on forums and other channels revolving around

  1. Value
  2. Unified proposal for LP

At ETH Denver, we met with PNF and TH to discuss these topics, and we’re happy to say we’re finally ready for a proposal. The high-level modifications to the actual proposal will include:

  1. One LP proposal for both teams
  2. Adopting PNF’s proposal value model
  3. A separate proposal for CR.

Thank you!

5 Likes

Kudos to everyone involved! I think this pivot is spot on and a giant step forward. We already have a strong collaboration culture within POKT, which bodes well for the future of the project, and this helps cement that reality.

2 Likes