Immunefi Matching Bug Bounty Proposal

I summarized @Hugh and @Mitchell_Amador’s comments from the Request for Comment version of this proposal, and after taking their comments into review, I created this proposal.

Don’t agree with you on the points you’ve made in the first graph. We’re assuming three main points when we’re talking about risk:

  1. There may be flawed code and/or critical vulnerabilities in listed protocols
  2. There may be claim payouts if an exploit were to occur (dependent on claims filing, cause of exploit)
  3. Members will continue to buy cover from the mutual

In your analysis, I’m taking away an “all things held equal” approach in your review of the data. The Google Sheet analysis I provided was to give insight into the total value of a matching payout when compared to payouts according to 10%, 40%, and 100% of active cover.

The program allows the mutual to incentivise greater review of listed protocol code, but it doesn’t necessarily mean there will be a matching bounty payout within the near term. It’s a preventative measure to catch exploitable flaws before they can lead to a loss event.

And I do agree that risk can never be brought to zero, in any market or area in life. Risk will always remain but programs like the one we’ve started with Immunefi can minimize the mutual’s exposure to risk and strengthen relationships with listed protocols. I do see this program as a net benefit to the mutual.

As far as quantifying the impact of potential risks: the program offers matching bounty payouts for critical vulnerability disclosures, which are the sort of flaws that lead to major loss events. In theory, yes, it would significantly reduce the mutual’s exposure to risk but it cannot reduce it to zero.

Either a whitehat catches a critical vuln. before it’s exploited or a blackhat does and exploits the flaw. If the bounty is large enough, grayhats are more likely to report than exploit. I’ll defer to @Mitchell_Amador on the incidence of critical vuln. disclosures through Immunefi.

For a non-hypothetical example: let’s take the Yearn critical vuln. disclosure, where we paid out $200k to the whitehat who reported the flaw.

  • $200k in matching bounty payout brought the total payout to $400k when Yearn’s original $200k is taken into account
  • 2021 Historical Premiums across Yearn cover products: $936,330.11
  • Matching bounty payout equivalent to 21.36% of 2021 Yearn premiums

Paying out 10% of current liabilities on Yearn (all vaults) Protocol Cover would cost $868,670.60, or 92.77% of 2021 historical premiums earned for Yearn Finance.

How do you think we could structure the program to be beneficial for the mutual? Or do you take the overall view that this program is not worth funding?