Gro

PROPOSAL SUMMARY

If executed, this proposal will:

1. Transfer ownership of the Immunefi bug bounty program for Gro protocol from Grwth Lbs Ltd to the Gro DAO
2. Increase the Immunefi bug bounty to $1,000,000
3. Employ Trail of Bits for an audit as soon as possible

BACKGROUND

Since the launch of the Gro DAO token (GRO) the TVL in Vault and PWRD has increased to >$40m (from ~$10m) plus there is $80m staked across Gro pools and staking contracts (and 2m GRO in the vesting contract).

Gro has also attracted more attention. Twitter followers are 3x from pre-LBP, discord has more than 2,000 new members, and weekly app visits are up 10x.

This is exciting, and it’s great to see the world discovering more and more about Gro. However with a larger TVL, together with increased visibility, we need to keep improving security.

Last week there was a hack on CREAM which sadly cost Gro Vault users a portion of funds. CREAM is a successful protocol that has been running for over a year and with more than $1.5bn of TVL, and is based off of the battle-tested Compound codebase.

Gro has had three audits so far: Peckshield, Fixed Point Solutions and Code Arena. The protocol has been live (in beta) since August 2021. There is a $60k bug bounty live with Immunefi.

PROPOSAL

Gro takes security very seriously and would like to propose to the DAO an increased bug bounty and another audit by Trail of Bits as first steps in our continuous efforts to continually enhance Gro’s security.

This is in line with the feedback from our previous community poll and our published roadmap. As part of this proposal the ‘ownership’ of the bug bounty would transfer to the DAO (from the dev team Grwth Lbs that set up the initial $60k bounty).

We propose that: (i) the DAO increases the Immunefi bug bounty to $1,000,000, and (Ii) the DAO employs Trail of Bits for an audit as soon as possible.

$1m is the new standard for top DeFi protocols

• $1m bug bounty at Immunefi is in line with other DeFi protocols such as Tracer, Tokemak, Rari and Perpetual.
• The full bounty would only be paid for potential serious exploits of the protocol, which could cause a loss of user funds.
• Bounty would be structured as payment of 10% of the potential exploit (capped at $1m): so an exploit worth $10m or more would need to be found to pay the full amount.
• If this situation were to occur we believe the DAO would be happy to pay out $1m to prevent an exploit.

Trail of Bits are one of the best auditors in DeFi

• Trail of Bits have been hired to provide smart contract reviews by DeFi protocols including Balancer, Uniswap, Tokemak, Yearn, Frax and many more.
• A Trail of Bits audit will be a rigorous examination of Gro’s smart contracts, and provide additional reassurance to future users - encouraging more TVL into Gro.
• Trail of Bits have already audited a new Gro strategy (being launched soon), and there is a positive working relationship with them.
• The cost would be ~$320k and the value to Gro of avoiding a potential exploit is significantly higher than this (both user funds and future reputation/value).
• In addition, the DAO is well capitalised after the LBP and this is affordable.

HOW WAS THIS PROPOSAL DISCUSSED?

This proposal was put together by early contributors behind the Gro protocol with valuable inputs from the Gro DAO.

It has been shared and discussed in the Gro governance forum: https://community.gro.xyz/t/vote-3-security/151

REFERENCES

• Gro protocol’s bounty on Immunefi: https://immunefi.com/bounty/gro/
• Trail of Bits: https://www.trailofbits.com/