B.Protocol <> Immunefi Bug Bounty Program Launch

Edit: The Bug Bounty Program is live on Immunefi -

+++++++++++

Immunefi became one of the leading platforms in DeFi for concentrating and incentivizing white-hat hackers to disclose bugs in DeFi protocols via bug bounty programs.

We have gone through the Immunefi onboarding process with their team and submitted a bug bounty program for B.Protocol according to their guidelines in order to maintain the highest security levels of the protocol.

The program will be released tomorrow (July 14th) and includes bounties of up to $100k for critical bugs as they are classified by Immunefi. The critical bug bounties are to be paid out mostly in BPRO tokens, and are capped at 50k BPRO.

As no funds should be locked in advance, we propose that the DAO bring it up for a vote in the near future to secure 50k BPRO tokens in a dedicated fund to be used for Immunefi’s bounty payouts if and when necessary.

The Immunefi bug bounty program will replace the existing bug bounties that were published on B.Protocol Medium blog.

We will “officially” announce the bug bounty once it goes live.


Hi everyone, this is Mitchell Amador from Immunefi. Here’s a quick background on us, for those of you who haven’t heard of us before:

Immunefi is DeFi’s leading bug bounty system, protecting 100+ projects (like Nexus Mutual, Yearn Finance, Sushiswap, and Lido) and $25+ billion in user funds. Immunefi’s hacker community is the largest and most active in DeFi, and together we have prevented over $1 billion in potential exploits and processed thousands of bug reports.

If anyone has questions about what we do and how we operate, just ask here. We’re pretty excited to do our part to protect B.Protocol.


This sounds great as a security measure. I’ll ask some basic questions.

As of right now, there is $100k coverage, but no $100k to take from (in the form of BPRO)? That is, until DAO votes through a fund…? I see you mention a cap, but the 50k BPRO seems missing from the page, where $100k USD is the working figure.

What is the process of disclosure? I skimmed the “How it works”, but I’m left wondering about some things. From my understanding disclosure is done indirectly to B.Protocol. That is, the report is to Immunefi, and then they do a “check”, before potentially escalating to B.Protocol. Is this correct?

Who has control of the funds dedicated to the security bug bounty?

How are the payouts made? I’m guessing either the project or Immunefi categorizes the threat level, and then the funds are transferred from the fund owner to the white hat’s chosen address?


Thanks for the questions!

As of right now, there is $100k coverage, but no $100k to take from (in the form of BPRO)? That is, until DAO votes through a fund…? I see you mention a cap, but the 50k BPRO seems missing from the page, where $100k USD is the working figure.

From our understanding, the payouts are being sourced from the dev funds for now.

With regards to the 50k BPRO, it’s stated above the reward table:

"Payouts are handled by the BProtocol team directly and are denominated in USD. Payouts are done in USDC or DAI for payouts up to USD 10 000 and BPRO/stablecoin mix (90%/10%) for all other critical payouts, capped by up to 50 000 BPRO."

What is the process of disclosure? I skimmed the “How it works”, but I’m left wondering about some things. From my understanding disclosure is done indirectly to B.Protocol. That is, the report is to Immunefi, and then they do a “check”, before potentially escalating to B.Protocol. Is this correct?

The bug report is first disclosed to us, and we apply light filtering to see if the report is legitimate. Sometimes we get some people submitting junk reports, and we don’t want our clients wasting their time on them, so we just discard them and deal with the reporters ourselves. If it looks like something legitimate, we escalate them right away to B.Protocol.

So yes, you got it right.

Who has control of the funds dedicated to the security bug bounty?

The B.Protocol team. There are no deposits required to Immunefi.

How are the payouts made? I’m guessing either the project or Immunefi categorizes the threat level, and then the funds are transferred from the fund owner to the white hat’s chosen address?

The bug reporter categorizes the threat level, and then during the light filtering portion, we refer to the Immunefi Vulnerability Severity Classification System, which is mentioned in the B.Protocol bug bounty program as well, to reclassify as needed. If the B.Protocol team finds that the impact actually could’ve been lower or higher, it’s recategorized.

The payment to the bug bounty hunter is then done by the B.Protocol team directly. In the future once this moves to a DAO, the DAO could pay the bug bounty hunter directly.


True. This is why I suggested that the DAO vote in the near future on this:

Might be a good idea to mesh it together with the coming votes the community will probably have soon on the next incentive programs, as it might help to gain more attention from community members.