Compound Bug Bounty Program with Immunefi
Summary
After working closely with many of Compound DAO’s delegates, Immunefi is working with PGov to bring our proposal to an onchain vote to expand Compound’s existing bug bounty program and host it on Immunefi’s platform. Our platform gives access to industry-leading security researchers and provides greater long-term security for Compound and its community.
While developing the public proposals, we focused on providing a thorough bug bounty program and on structuring the backend details: the creation of the bounty program, the choice of program administrators, the features of the subscription package, bug report review, and the validation and payment processes.
More details can be found in the two public proposals below:
- Second Proposal/Update (includes the scope of Compound’s bug bounty program)
Reward Structure and Fee
Reward payouts to security researchers by severity are as follows:
- Critical: $50,000 - $1,000,000
- High: $10,000 - $50,000
- Medium: $5,000
- Low: $1,000
This breakdown is based on our current client roster and on Compound’s position in the rankings of CMC, Coingecko, and DefiLlama. The program will be able to pay out rewards in COMP. The suggested rewards above match those of the top-tier DeFi lending protocols on our platform, such as Sky (formerly MakerDAO), Sparks, AAVE, and Morpho.
Immunefi’s annual subscription fee is $57,500, which includes the highest tier of Managed Triage Services, access to Safe Harbor, 30 KYCs for security researchers, the program design, and hosting of the program. The highest tier of Managed Triage Services was requested by the bounty program administrators because it includes a preliminary technical assessment of every report by the Immunefi team before the report is prepared and delivered to the administrators for validation.
Program Administrators, Bug Report Review, and Bug Fixes
All bug reports that pass through Immunefi will be reviewed by OpenZeppelin, Dmitry, and Arr00, with Compound Labs as a second set of eyes if a conclusion cannot be reached. If necessary, the Immunefi mediation team will also be able to assist in mediating disputes between the reviewers and the security researchers over a bug report.
Although Immunefi normally treats the process of fixing a reported bug as separate from payment, it is understood that this must be accounted for in a DAO environment. Specifically, fixes may take more time to implement and must be fully deployed before a payout is made, because DAO payment processes are public. If a payout is initiated while the bug is still unfixed, the onchain payout itself may give one or more people enough information to find and exploit the vulnerability. Payments to the security researcher may therefore be delayed until the discovered bug has been appropriately addressed.
Budget:
$57,500 for Immunefi will be sent to: 0x7119f398b6c06095c6e8964c1f58e7c1baa79e18
$500,000 for the bug bounty will be sent to: 0x429D01a5ff7f7880081f858B50C26452255477f5. This multisig is controlled by the reviewers and the governance working group. The remaining $500,000 of the budget will only be sent if this first half is exhausted.
| Voter | Cast Power | Vote & Rationale |
|---|---|---|
| 0x683a...D26C02 | 90,065 | FOR |
| 0x66cD...B765F9 | 80,042 | FOR |
| Wintermute Governance | 80,003 | FOR |
| 0x3FB1...2d4C8A | 80,000 | FOR |
| FranklinDAO (Prev. Penn Blockchain) | 80,000 | FOR |
Proposal Status
- Sun October 27 2024, 01:19 pm: Voting Period Starts
- Wed October 30 2024, 07:19 am: End Voting Period
- Wed October 30 2024, 07:20 am: Queue Proposal
- Fri November 01 2024, 07:22 am: Execute Proposal
Current Results (in tokens)
- FOR: 692,217.1
- ABSTAIN: 100
- AGAINST: N/A
