Executed

#353 POLKADOT <> KUSAMA BRIDGE SECURITY BOUNTY

Proposer:

VinceCorsica_KSM

in Democracy

1st Mar '24

Description

AI Summary

Votes Bubble

Timeline

Evaluation

On Chain Info

Stats

Proponent: Fy6erZmPp78ZY2cN945FU9KnKdATmxvG2eB9a1kh2VX33xz

Date: 01.03.2024

Requested KSM: $250,000 (5102 KSM - based on EMA7 March 1st 2024)

Short description:

Bridges enable transferring data, assets, and more between multiple chains. Due to their pivotal role and high transaction volumes, they have simultaneously become a hotspot for malicious activities. When exploited, these breaches can lead to significant impact including financial losses.

This proposal aims to ensure the utmost security of the bridges and promote community involvement by implementing a Security Bug Bounty Program. While all developers involved work hard to ensure the software and protocols built are bug-free, secure by design, and third-party code audits have been already performed, it is recognised security best practices to complement this. That’s why Polkadot and Kusama need community and bug bounty hunters to help to identify security vulnerabilities that could cause impact from all the severity levels before it is widely used and adopted.

To support this, the Bug Bounty participants are provided with many context details in the full proposal attached, including a threat model of the scope.

As a security vulnerability in the bridge can impact both the source and destination blockchains, a mirror bounty is raised on Kusama and Polkadot

Thanks for your time and support to make Polkadot more secure !

Users are saying...

Based on all comments and replies

Overall 16 % of users are feeling optimistic. I am enthusiastically supporting this initiative, eagerly anticipating an elaborate plan regarding the selection of expert curators for the proposed reward system. It's exciting to see who among them will rise to the occasion and contribute their expertise.

Overall 83 % of users are feeling neutral. Professional audits have been conducted on the Polkadot & Kusama bridge at different stages by SRLabs. The bounty will be administered by a group of curators with expertise in security, bridges, and the ecosystem. There are likely to be around 10 people involved organized into seven groups.

AI-generated from comments

GqC3...m8Jj

1st Mar '24

Voted Aye

I'm voting in favor of this with the expectation of a more detailed proposal on the curators for this bounty. Looking forward to seeing which experts will step up for this!

Hide replies

Fy6e...33xz

7th Mar '24

@Adam_Clay_Steeber

Thanks for your support. Regarding the curators, the child bounty will be posted just after, without doing too much spoiler it will be composed of 7 groups with people with security experience, with bridge experience and from the ecosystem. Stay tuned ;-)

FDL9...finf

2nd Mar '24

This bridge is absolutely needed for the Polkadot ecosystem as it makes two networks maturer in terms of being useful. However, bridges are usually happen to be the most fragile gear in a system; hence, an exhaustive security assessment is must have. Bug bounty program is a natural way to engage auditors, so @Fy6e...33xz let's move forward with this initiative.

I vote YES for this proposal.

J9Fd...oJQa

4th Mar '24

Voted Aye

Have there been any professional audits conducted on the Polkadot <> Kusama bridge?

Who is adminstering the bounty?

Are there identified people with the relevant experience in the ecosystem that are happy to spend time working on this?

Hide replies

Fy6e...33xz

7th Mar '24

@Ivy

Thanks for your questions,

Yes it has been already audited professionally at different occasions, however security is a continuous process. So to complement reviews during the development phase and before release/launch having BugBounty has demonstrated being very beneficial in Web2 and Web3 industry.
The bounty will be administer by a group of curators which will bring different type of expertise including security, bridge and of the ecosystem. There are likely to be +10 people involved organised in 7 groups.

J9Fd...oJQa

8th Mar '24

@VinceCorsica_KSM

Can you please share the audit reports?

Who are the proposed curators?

swb

8th Mar '24

@Ivy

Thank you for the follow-up question. Please note that the scope has already been audited by SRLabs in several different audits at different stages.

Before the monorepo transition, the scope was:

After the monorepo transition, where the audited code resides today:

Additionally, the audit letter from SRLabs with its details will be shared next week. Thank you for your patience and support.

swb

15th Mar '24

@Ivy

As mentioned last week, the audit letter is available to review here.

GqPD...ikoV

6th Mar '24

Who are behind this proposal? Why no identity? Why the same proposal on Polkadot? Please clarify situation. I vote NAY for now. Who are going to manage this bounty?

Hide replies

Fy6e...33xz

9th Mar '24

@AlexPromoTeam

Thanks for the support and having updated your vote following clarification on Element Direction channel. For all readers:

In fact there are 2 bounties, one in Polkadot and one in Kusama because it is a bridge between the 2. For a total budget of $500K.
The bounty will be administer by a group of curators which will bring different type of expertise including security, bridge and of the ecosystem. There are likely to be +10 people involved organised in 7 groups from HydraDX, Centrifuge, Parity Security, Parity Bridge teams, Snowfork and Alzymologist
Now my identity on Kusama and on Polkadot should both marked verified Thanks again