Moonwell

Closed · Ended a year ago · Snapshot (Offchain)

Migrate Moonwell's Bug Bounty Program Provider from Immunefi to Code4rena

By 0x7F95...DEf87F

Proposal Summary

This proposal seeks approval from the Moonwell community to replace our current bug bounty provider, Immunefi, with Code4rena. The goal is to improve the quality and effectiveness of Moonwell’s bug bounty program, reduce low-value submissions, and leverage a more robust process to better protect the protocol and its users.

Context & Background

Moonwell has been using Immunefi as its primary bug bounty provider since early 2022. While Immunefi offers a wide network of security researchers, Moonwell contributors have consistently received lower-quality submissions, primarily focusing on informational findings that do not present tangible risks to the protocol. This has led to unnecessary administrative overhead, with the majority of reports either being irrelevant or not impactful enough to justify significant payouts.

To address these challenges, I would like to propose transitioning to Code4rena, a bug bounty program that focuses on higher quality submissions. Moonwell’s new bug bounty program with Code4rena would retain its maximum bounty payout of $250,000.

Rationale for the Change

  1. Higher Quality Submissions:

    • Code4rena’s approach emphasizes quality over quantity, focusing exclusively on Critical and High severity vulnerabilities with mandatory runnable Proof of Concepts (PoCs)
    • The platform maintains strict criteria for what constitutes Critical and High severity issues, ensuring only impactful vulnerabilities are reported
    • With Code4rena, the Moonwell community can focus on incentivizing high and critical severity vulnerabilities, significantly reducing noise from low-value submissions
  2. Robust Judging Process:

    • Code4rena provides a comprehensive appeals process with independent judges when needed
    • Sponsors have 7 days to review and assess submissions, with clear guidelines for assessment
    • Wardens can appeal sponsor decisions through a structured process with independent judges
  3. Clear Scope Definition:

    • Code4rena enforces strict scope boundaries, explicitly excluding common non-issues like best practices, feature requests, and basic economic attacks
    • The platform has clear definitions of what constitutes Critical and High severity issues, helping reduce disputes
  4. More Flexible and Transparent Payouts:

    • Code4rena offers transparent pricing for bounties that can be adjusted based on the Moonwell community’s budget and needs
    • The platform includes provisions for delayed fixes, ensuring wardens are fairly compensated even if fixes are implemented later
    • Payment terms are clearly defined based on timing of fix implementation
  5. Efficient Resource Utilization:

    • By focusing only on Critical and High severity issues, Moonwell contributing teams can concentrate on addressing substantial vulnerabilities
    • The clear scope and severity definitions help reduce time spent on assessing low-impact submissions

Proposal Details

  • Current Provider: Immunefi
  • Proposed Provider: Code4rena
  • Key Changes:
    • Replace Immunefi with Code4rena for Moonwell’s bug bounty program.
    • Focus on high and critical severity vulnerabilities, with discretionary tips for informational findings.
    • Leverage Code4rena’s impartial judges for severity assessments.

Voting Options

  • For: Replace Immunefi with Code4rena as Moonwell’s bug bounty provider.
  • Against: Retain Immunefi as Moonwell’s bug bounty provider.
Votes: 254

Voter · Cast Power · Vote & Rationale

  • 0x9895...18D0a0 · 14.508M · For: Replace Immunefi
  • 0x9057...aaF622 · 5.999M · For: Replace Immunefi
  • 0x58CA...5FD948 · 5.755M · For: Replace Immunefi
  • 0xb344...B2A8Fd · 3.5M · For: Replace Immunefi
  • 0x92B8...6504E3 · 2.274M · For: Replace Immunefi

Proposal Status

  • Wed November 13 2024, 09:38 am: Voting Period Starts
  • Sat November 16 2024, 09:38 am: End Voting Period

Current Results

  • 1 - For: Replace Immunefi: 55.125M (99.49%)
  • 2 - Against: Retain Immunefi: 280,697.774 (0.51%)

Quorum: 55.406M / 10M