With the announcement of Uniswap v3, the Uniswap Labs team has posted a $500,000 bug bounty program for the reporting of any bugs that can lead to the potential loss of LP funds as well as discretionary rewards for lower severity bugs.
We believe the security of v3 contracts is critical to continuing to grow the UNI ecosystem around, which is part of the stated mission of the UNI Grants Program that governance approved in Q4 2020.
The UNI Grants Program would like to double the UGP Q2 budget to $1.5M in order to match the Uniswap Labs bug bounty program with $500,000 worth of UNI from the Committee multisig. As these funds were not a part of our original proposal, we are outlining our rationale and process for its approval via a Snapshot temperature check.
Rationale:
In Q4 2020, UNI governance approved a transfer of $1.5M from treasury to the Uniswap Grants Program multisig.
Since then, the following has happened:
Separately, v3 introduces new market dynamics and customizable liquidity provisions with both increased gains and associated risk, putting more pressure on ensuring the security of v3 contracts. While several audits have been completed, there may be bugs and exploits that have been overlooked.
Given the mission of the grants program, our progress to date, and the importance of security for users' funds, we believe the bounty match would be an appropriate use of funds entrusted to us.
Process:
There has not yet been a precedent set for governance decisions that do not require any code or additional actions from treasury. Therefore, to approve the match, we are seeking community support through a Snapshot temperature check.
We're employing an open voting period of 7 days starting today, 03/26/21 until 04/02/21, after which UGP will act according to the majority vote!
Unlike a full governance proposal, this process is meant to be lightweight because the funds are already sitting in the UGP multisig and as such, there will be no minimum threshold for voting. Please submit your votes within the next 7 days here and let us know your thoughts on the lite-proposal™!
Well yes. Now I am actually unemployed and I am opening my own company. Until then I have plenty of time to work on your demand. So, do tell what bug you want me to eliminate and where. It shouldn't take long if the code is not codependent to itself.
Would the grants committee be responsible for determining what gets a bug bounty payout?
Great question! We have to acknowledge our own blindspots in our technical expertise. UGP seeks to match the bounties 1:1 with the Uniswap Labs team instead of us evaluating the individual submissions.
v3 brings a lot of attention to something new both on the contracting side as well as the financial side so security is of utmost importance. Looking at past contracts and their exploits, we'd want to ensure users are as safe as can be. With UNI price having increased quite a decent amount, we wouldn't be asking for more funds, just approval from the community to spend what's already in the multisig for what we feel is quite important.
I definitely support bigger bounties - it's going to be ~$4B soon enough so we may as well do the best we can before launch.
Can I suggest that instead of a simple matching program, you expand the audience of hackers by using another platform to run a parallel program? For instance, in the launch process of Multi-Collateral Dai we had success with HackerOne (they detected a critical bug).
Can I suggest that instead of a simple matching program, you expand the audience of hackers by using another platform to run a parallel program?
Yes, would love to discuss! DMing you!
I really like this idea, but I wonder how it would be implemented: Would the grants committee be responsible for determining what gets a bug bounty payout? Would the current funds be delegated to a different committee to handle issues like this?