Executed

#353 POLKADOT <> KUSAMA BRIDGE SECURITY BOUNTY

Proposer: VinceCorsica_KSM (in Democracy)
1st Mar '24

Proponent: Fy6erZmPp78ZY2cN945FU9KnKdATmxvG2eB9a1kh2VX33xz

Date: 01.03.2024

Requested KSM: $250,000 (5102 KSM - based on EMA7 March 1st 2024)

Short description:

Bridges enable transferring data, assets, and more between multiple chains. Due to their pivotal role and high transaction volumes, they have simultaneously become a hotspot for malicious activities. When exploited, these breaches can lead to significant impact including financial losses.

This proposal aims to ensure the utmost security of the bridges and to promote community involvement by implementing a Security Bug Bounty Program. While all developers involved work hard to ensure the software and protocols built are bug-free and secure by design, and third-party code audits have already been performed, it is recognised security best practice to complement these measures. That is why Polkadot and Kusama need the community and bug bounty hunters to help identify security vulnerabilities of all severity levels before the bridge is widely used and adopted.

To support this, the Bug Bounty participants are provided with many context details in the full proposal attached, including a threat model of the scope.

As a security vulnerability in the bridge can impact both the source and destination blockchains, a mirror bounty is raised on Kusama and Polkadot.

Thanks for your time and support in making Polkadot more secure!


Proposal Passed

Summary
Passed: 100.0% Aye / 0.0% Nay
Ayes (174): 259.39K KSM
Nays (9): 53.47 KSM
Support: 67.24K KSM
Issuance: 15.92M KSM

6 Comments
GqC3...m8Jj
1st Mar '24

Voted Aye

I'm voting in favor of this with the expectation of a more detailed proposal on the curators for this bounty. Looking forward to seeing which experts will step up for this!

Reply from Fy6e...33xz
7th Mar '24

@Adam_Clay_Steeber 

Thanks for your support. Regarding the curators, the child bounty will be posted just after. Without spoiling too much, it will be composed of 7 groups of people with security experience, with bridge experience and from the ecosystem. Stay tuned ;-)

FDL9...finf
2nd Mar '24

This bridge is absolutely needed for the Polkadot ecosystem, as it makes the two networks more mature in terms of being useful. However, bridges usually happen to be the most fragile gear in a system; hence, an exhaustive security assessment is a must-have. A bug bounty program is a natural way to engage auditors, so @Fy6e...33xz let's move forward with this initiative.

I vote YES for this proposal.

J9Fd...oJQa
4th Mar '24

Voted Aye

Have there been any professional audits conducted on the Polkadot <> Kusama bridge? 

Who is administering the bounty?

Are there identified people with the relevant experience in the ecosystem that are happy to spend time working on this?

Reply from Fy6e...33xz
7th Mar '24

@Ivy 

Thanks for your questions:

  • Yes, it has already been audited professionally on different occasions; however, security is a continuous process. So, to complement reviews during the development phase and before release/launch, having a bug bounty has demonstrated being very beneficial in the Web2 and Web3 industry.
  • The bounty will be administered by a group of curators who will bring different types of expertise, including security, bridge and ecosystem expertise. There are likely to be 10+ people involved, organised in 7 groups.
Reply from J9Fd...oJQa
8th Mar '24

@VinceCorsica_KSM 

Can you please share the audit reports?

Who are the proposed curators?

Reply from swb
8th Mar '24

@Ivy 

Thank you for the follow-up question. Please note that the scope has already been audited by SRLabs in several different audits at different stages.

Before the monorepo transition, the scope was:

After the monorepo transition, where the audited code resides today:

Additionally, the audit letter from SRLabs with its details will be shared next week. Thank you for your patience and support.

Reply from swb
15th Mar '24

@Ivy 

As mentioned last week, the audit letter is available to review here.

GqPD...ikoV
6th Mar '24

Who is behind this proposal? Why no identity? Why the same proposal on Polkadot? Please clarify the situation. I vote NAY for now. Who is going to manage this bounty?

Reply from Fy6e...33xz
9th Mar '24

@AlexPromoTeam

Thanks for the support and for having updated your vote following the clarification on the Element Direction channel. For all readers:

  • In fact there are 2 bounties, one in Polkadot and one in Kusama, because it is a bridge between the 2, for a total budget of $500K.
  • The bounty will be administered by a group of curators who will bring different types of expertise, including security, bridge and ecosystem expertise. There are likely to be 10+ people involved, organised in 7 groups from HydraDX, Centrifuge, Parity Security, Parity Bridge teams, Snowfork and Alzymologist.
  • Now my identity on Kusama and on Polkadot should both be marked verified. Thanks again.
FyfK...wBcT
7th Mar '24

Voted Aye

Aye from me!

FSnm...rSTb
13th Mar '24

[Deleted]


Discover similar proposals


#508 Remove Gabe from the fellowship
KSM | 24th Mar '25 | Fellowship Admin

Members of the Fellowship Collective involved in projects flagged by the OG tracker should provide a proper explanation, return the funds to the Treasury, or face expulsion.

Invarch failed to provide the first two, so Gabe, a founding member of the team, does not meet the ethical standards required to have a voice in the Fellowship.

TENETS (extract from the fellowship manifesto)

"Members are expected to faithfully uphold the following tenets. Clarifications to the rules should be in agreement with these tenets. Acting in clear breach of these tenets may be considered by voters as grounds for non-promotion, demotion or, in extreme cases, exclusion from the Fellowship.

(1) Sincerely uphold the interests of Polkadot and avoid actions which clearly work against it.
(2) Respect the philosophy and principles of Polkadot.
(3) Respect the operational procedures, norms and voting conventions of the Fellowship.
(4) Respect your fellow Members and the wider community"

#509 KSM RFP #1 - Shielded Kusama Hub Transfers - $50k Total Prize!
Jay Chrawnna | KSM | 24th Mar '25 | Treasurer | Deciding (73%)

This RFP was adapted over several weeks on AAG to turn a treasury proposal in discussion into an RFP with refined scope and oversight.

To apply for the prize, please fill out this form.


Prize Pool: $43,000
Finder’s Fee: $2,000 **
Supervisors: $5,000

Supervisors (Bounty Curators)

  • Flipchan
  • Byte (Erin)
  • James Slusser

Excess or unused funds will be returned to the treasury by Bounty Curators.

Timeline

Monday, March 17 - AAG Discussion & this forum post! ✅
Monday, March 24 - Single-ref Bounty + Curators ✅
4 Weeks after Bounty Funding - Submission Deadline Thursday
July 31 - Project Completion (Pending Kusama Hub Launch)

Project Scope

Smart Contract Development

  • A Solidity-based smart contract deployed on Kusama Hub
  • ZK enabled for private deposits & withdrawals
  • Compatibility with all Kusama Hub assets

User Interface

  • Browser-based, mobile-ready UI hosted on IPFS
  • Support for: Deposits, Withdrawals, Transfers, XCM Transfers
  • Compatible with popular ecosystem wallets (Nova Wallet, Talisman, Subwallet)

Anti-correlation Attack Mitigations

  • Fixed deposit amounts (e.g. 1, 10, 100, 1000 units)
  • Batch payouts for withdrawals to multiple users

Interoperability

  • Ability to receive assets via XCM from any Kusama-connected parachain and transfer them to Kusama Hub for use in the shielded pool.

Open-Source Delivery

  • All code (smart contracts and UI) published under the MIT license
  • Publicly accessible repositories
  • Project updates shared transparently via Polkassembly, Subsquare, or Polkadot Forum from the Team with Milestone deliveries
  • Developer & User documentation

Milestones

Milestone 1, Initial Pools & Basic UI:
$16,200 USD
1 month

  1. Tests - Smart contract test
  2. Smart contract - ZK shielded smart contract with KSM and multi asset support on Westend or Paseo
  3. Basic UI - A basic UI for interacting with the smart contract

Milestone 2, UI + XCM:
$9,900
1 month

  1. Tests - tests for all features
  2. User interface design - UI design
  3. XCM transfers - XCM transfer assets in UI
  4. Fixed amount transfer only - Allow fixed amount transfers in the UI

Milestone 3, Mainnet Deployment:
$16,900
1 - 1.5 months

  1. Contract Migration to Kusama Assethub - Migrate contract from Testnet to Kusama Hub
  2. Public documentation - Documentation for using Kusama shield and developer integration documentation
  3. Test - tests for contract
  4. V1 UI - User tested & something we can be proud of

** re: Finder’s Fee: this payment is set aside to incentivize a broad search for the right implementor. Finder’s Fees are paid out at time of team engagement. Teams that submit themselves can collect their own Finder’s Fee at completion of project.

#510 Secure Funds
KSM | 4 days ago | Root | Deciding

To prevent potential mismanagement of Youdle DAO treasury funds, we propose temporarily transferring these assets to the Kusama Treasury, which is now the safest option.

Rationale:

The Invarch team, which currently controls the funds, has a history of questionable financial decisions, including the transfer of more than 200K ASTAR from the DAO to a CEX without transparency.

Community members have raised concerns and asked questions about fund management, but the team has not provided clear answers.

To ensure responsible management, these remaining funds (400 KSM) should be safeguarded under Kusama governance.

Next Steps:

The funds will later be returned to Youdle DAO holders through a transparent and verifiable process.

We urge the community to support this measure to protect DAO resources.

Evidence:

Rug on virtuals

[screenshots]

Polkadot treasury rugs

[screenshot]

Youdle DAO rug

Moving DAO funds to a CEX because it's a shared address instead of moving to another on-chain address? No answers.

[screenshots]

Pink rug

PINK distributed by the Pink team to Invarch was supposed to be distributed to the community, but instead 2000000 PINK were allocated to the xcastronaut (Invarch founder) wallet. Then it went to Hydration and got sold.

[screenshots]

VARCH rug

$VARCH token launched less than 30 days ago. ICO investors are down -96%.

[screenshot]

KSM partial rug

Not fully delivered.

[screenshot]

Tinkernet rug

Tinkernet (Kusama parachain) was shut down. Investors were given 4 VARCH for 1 TINKER. VARCH was later a rug, so this converts Tinkernet into a rug. Before shutting down they made an LBP in Osmosis (Cosmos) which also was a rug.