Bug Bounty Program for Governance and Treasury Contracts

Hey everyone! Andrew from the Drips team here. I wanted to share a proposal idea that I’ve been discussing with some others from the community.

As background, the Drips team has been working with Immunefi over the last month to craft a bug bounty program to cover the Drips smart contracts and the Drips Webapp. We expect this program to launch in the next week or two and we’re excited to share more details about it with the community soon.

As part of building the program, one question that came up for discussion is whether the Radworks governance smart contract code should be covered as part of the bug bounty program. Even though Radworks is separate from Drips, the argument for considering doing this is that the Radworks DAO contract does have governance upgrade control over the Drips contracts deployed on Ethereum mainnet. This means that if the Radworks contracts are somehow compromised, the security of the Drips contracts could potentially also be impacted.

On the other hand, the argument against including these contracts is that the Radworks smart contracts are really separate from the Drips project and that therefore the security of these contracts should really be managed (and funded) by the Radworks community as a whole as a separate concern. Based on all of the folks I’ve chatted with, the majority seemed to take this second view.

With that in mind, I’m starting a discussion here about the idea of a Radworks community proposal to create an Immunefi bug bounty program covering the Radworks smart contracts. I actually don’t have details on the full list of contracts that should be covered and I also know that an upgrade is already underway based on a recent proposal that I believe will upgrade at least some of the contracts from Compound to OpenZeppelin. But maybe someone who has worked on them would be so kind as to share links or a description of the specific contracts that would be covered by such a program (@igor @abbey @shelb_ee @cloudhead).

That said, I am now very familiar with the process of working with Immunefi and am connected to the Immunefi team, so I would be happy to answer any questions that the community may have, or try to see if someone from Immunefi would be willing to join the discussion here.

Looking forward to hearing your thoughts!

Thanks for moving the conversation to the forum @andrewd! And thanks for proposing the idea! The topic of bug bounties has come up multiple times in different conversations, so it will be nice to finally hash it out here.

I have asked @bendi from Scopelift (the team handling our governance contract upgrade) to weigh in on this particular discussion as he has the governance/smart contract expertise to point out any potential risks/benefits of exploring this idea.