Migrate Moonwell's Bug Bounty Program Provider from Immunefi to Code4rena

coolhorsegirl · November 12, 2024, 8:46am

Proposal Summary

This proposal seeks approval from the Moonwell community to replace our current bug bounty provider, Immunefi, with Code4rena. The goal is to improve the quality and effectiveness of Moonwell’s bug bounty program, reduce low-value submissions, and leverage a more robust process to better protect the protocol and its users.

Context & Background

Moonwell has been using Immunefi as its primary bug bounty provider since early 2022. While Immunefi offers a wide network of security researchers, Moonwell contributors have consistently received lower-quality submissions, primarily focusing on informational findings that do not present tangible risks to the protocol. This has led to unnecessary administrative overhead, with the majority of reports either being irrelevant or not impactful enough to justify significant payouts.

To address these challenges, I would like to propose transitioning to Code4rena, a bug bounty program that focuses on higher quality submissions. Moonwell’s new bug bounty program with Code4rena would retain its maximum bounty payout of $250,000.

Rationale for the Change

Higher Quality Submissions:
- Code4rena’s approach emphasizes quality over quantity, focusing exclusively on Critical and High severity vulnerabilities with mandatory runnable Proof of Concepts (PoCs)
- The platform maintains strict criteria for what constitutes Critical and High severity issues, ensuring only impactful vulnerabilities are reported
- With Code4rena, the Moonwell community can focus on incentivizing high and critical severity vulnerabilities, significantly reducing noise from low-value submissions
Robust Judging Process:
- Code4rena provides a comprehensive appeals process with independent judges when needed
- Sponsors have 7 days to review and assess submissions, with clear guidelines for assessment
- Wardens can appeal sponsor decisions through a structured process with independent judges
Clear Scope Definition:
- Code4rena enforces strict scope boundaries, explicitly excluding common non-issues like best practices, feature requests, and basic economic attacks
- The platform has clear definitions of what constitutes Critical and High severity issues, helping reduce disputes
More Flexible and Transparent Payouts:
- Code4rena offers transparent pricing for bounties that can be adjusted based on the Moonwell community’s budget and needs
- The platform includes provisions for delayed fixes, ensuring wardens are fairly compensated even if fixes are implemented later
- Payment terms are clearly defined based on timing of fix implementation
Efficient Resource Utilization:
- By focusing only on Critical and High severity issues, Moonwell contributing teams can concentrate on addressing substantial vulnerabilities
- The clear scope and severity definitions help reduce time spent on assessing low-impact submissions

Proposal Details

Current Provider: Immunefi
Proposed Provider: Code4rena
Key Changes:
- Replace Immunefi with Code4rena for Moonwell’s bug bounty program.
- Focus on high and critical severity vulnerabilities, with discretionary tips for informational findings.
- Leverage Code4rena’s impartial judges for severity assessments.

Voting Options

For: Replace Immunefi with Code4rena as Moonwell’s bug bounty provider.
Against: Retain Immunefi as Moonwell’s bug bounty provider.

Topic		Replies	Views
Cross-Reward Campaign: Incentivizing security-conscious users within Moonwell ecosystem with QA points program Proposals base	0	98	May 22, 2024
MIP-54 Rebalancing of Moonbeam Token Liquidity Incentives Moonwell Improvement Proposal mip , moonbeam	0	285	June 8, 2023
[MIP-10] Re-balancing of WELL Token Liquidity Incentives Archive moonbeam	4	1028	December 3, 2022
Proposal to Reduce the Proposal Reward from 100,000 WELL to 10,000 WELL Idea moonriver , moonbeam	8	577	April 26, 2023
MIP-14: A post mortem Community Proposal moonriver	0	541	January 6, 2023