Reviewing treasury expenditures | Immunefi matching bug bounty program

Governance Discussions Nexus Mutual DAO Proposals
1

Since the matching bug bounty program has been active for over a year, it’s now time for members to review and evaluate whether or not the mutual should continue funding this program.

In this post, I’ll review the cost of the Immunefi matching bug bounty program to date, the projected costs, and the impact on Nexus Treasury holdings.

Overview

In August 2021, members voted to launch a matching bug bounty program with Immunefi–the leading bug bounty platform for smart contracts and DeFi projects. Members initially earmarked $200k in funding for the program, which officially launched in September 2021.

The first matching bug bounty was paid out in March 2022, and members reviewed the matching program with Immunefi. After a detailed discussion, members decided to adjust the terms of the program, set new guidelines for payouts, and increase funding for the program. In April 2022, members earmarked $600k for the matching program.

Question for members

These bounties are paid out in wNXM, and since wNXM trades below book value, these payouts have a larger impact on DAO treasury funding. The bear market has impacted the value of funds held in the DAO treasury since the renewal proposal was first passed.

The goals of the renewed, expanded program were to:

  1. Increase the value of bug bounties (e.g., have listed protocols increase their bug bounties offered on Immunefi).
  2. Reduce risk for the mutual, hedge against potential claim events.
  3. Drive more listed protocols to use Immunefi to manage their bug bounty programs.

This program has been active for more than 1 year, and the protocols with the most active cover (i.e., Curve, Convex, Aave, Liquity, Uniswap, etc.) still manage their own bug bounties. Through our program, members have provided two matching bounties for critical vulnerabilities.

The existing funding for this program represents more than 14% of the current value of the treasury and the exact figures are included further in this post.

Members should discuss and decide if we should continue funding this matching program or if we should reduce or discontinue funding for the program.

Cost to date

For the past two responsible disclosures, the mutual has paid out 8,834 wNXM.

Projected cost

There is still $550k in funding earmarked for this matching program. At today’s wNXM price ($16.77), this is equal to ~32,797 wNXM (14.77% of current remaining unallocated treasury).

Nexus Treasury holdings

Nexus Treasury 11 October 2022
Nexus Treasury 11 October 2022998×1465 124 KB

  1. Members voted to allocate wNXM acquired through buyback in Dec 2021 and January 2022 in the following Snapshot vote.
  2. LDO assets will be used to conduct a wNXM buyback according to the outcome of the following Snapshot vote.
  3. Funding that is currently earmarked for programs, grants.

Matching bug bounty payouts

Past proposals, votes

Members can review the past forum discussions and associated Snapshot votes below:

Review and discussion period

This proposal will be open for discussion and review for the next ten (10) days. Members can share their thoughts, analysis, and comments below.

Once the community has weighed in and there’s a general consensus, this discussion will be transitioned to a Snapshot vote to determine whether or not this program will be continued.

2

Definitely think it’s worth rethinking :

  1. $550k doesn’t have the same value now vs when it was first approved
  2. Incentives make sense in a bull market but in a bear market, building with/keeping these resources makes more sense
3 Likes
3

First of all, thanks to @BraveNewDeFi for bringing up this very important matter to the future of the Mutual.

Second, thank you for the quick recap. A short review of our partnership reveals that it has been effective in driving it’s desired outcome, namely driving security of covered protocols in a cost-effective and value-driven manner. I trust it demonstrates to the community our commitment to aligning with the long term success of the Mutual.

The question at hand here is whether the program should be continued, given the state of the current treasury. My thoughts as follows:

  • The current program is designed to be economically cost-effective, despite market conditions, by connecting potential payouts to $ in purchased cover. Consequently, if a protocol is covered by the program, it is because it is within the Mutual’s economic interest for it to be so.

  • The bounties paid out concerned definite funds at risk that could have resulted in claims. Concerning these, the matching program was admirably and efficiently performing its function. Retrospectively, we should consider the matching program to have been a success.

  • I don’t agree with our colleague @Gauthier that these incentives don’t make sense in a bear market (indeed, the whole program was designed to be agnostic to market conditions and value-driven). But I do agree with him that that building/keeping resources can make more sense, if higher ROI initiatives are known. We should always be considering how best to allocate capital to achieve the Mutual’s mission. My further thoughts on this:

  • The priority always needs to be in protecting its treasury and future success. It doesn’t matter if bug bounty matching is worth the money if there is insufficient money to pay for those bounties, or if those payments reduce funding available to higher ROI initiatives. In our analysis, we must always prioritize the long term success of the Mutual by allocating capital to the highest ROI initiatives.

  • Immunefi strives always to support its partners toward their greatest long term success. Win-win is in our DNA.

Consequently, if the Mutual feels that tokens from the Matching Program can be better allocated elsewhere, we are proud to support that (in either downsizing or pausing the matching program as a whole) even if it comes at the expense of our own interests.

We can always re-activate the initiative at a later date when there are more resources available (such as when tokens appreciate due to continuing growth of the Mutual), should higher ROI projects need to be funded today. The opportunity for this should become apparent as the treasury grows.

As always, we look to build with and support our partners for the long term, and Nexus Mutual has proven itself to be a loyal and worthy partner. Regardless of what’s decided here, we at Immunefi have been proud to make our minor contribution to the Mutual’s success, and we look forward to working together with the Nexus Mutual and community at large more in the time to come.

3 Likes
4

Thanks for putting this together. I agree partly to both of the above commentators: 1.) we need to rethink funds allocation but 2.) security remains most important for the mutual.

Cause earmarked funds are not really expenses as long as the bounties are not payed I am not too much worried about it.
But a reduction in bug bounty amount might be possible without too much loss of security cause same amount in US$ can be regarded worth more as in bull market as people value assets relative to each other.

The absolute amount that seems appropriate is however something I don’t feel comfortable to judge about.

1 Like
5

This topic was automatically closed after 7 days. New replies are no longer allowed.

6
7

An update:

This proposal will transition to a Snapshot vote on Monday (24 October). Based on the discussion to date, the leading choices for the vote will tentatively be:

  • Option A: Continue with existing program. Matching bug bounties for critical vulnerabilities with $550k in funding allocated for this program. Learn more about the details in the Nexus Mutual docs.
  • Option B: Discontinue funding for the program. End the matching program and deallocate the existing $550k in funding.

You can still share your comments before this goes to vote. If you haven’t commented, please share your thoughts!

1 Like
8

Agree would strongly favor either discontinuing or radically reducing it. Imo the protocols themselves should incentivize bug bounties not nexus mutual.

1 Like
9

This proposal has been transitioned to a Snapshot vote to determine if members would like to continue funding the Immunefi matching bug bounty program.

After an open comment, review period of more than one week, the choices presented in the Snapshot vote are:

  • Option A: Continue with existing program. Matching bug bounties for critical vulnerabilities with $550k in funding allocated for this program.
  • Option B: Discontinue funding for the program. End the matching program and deallocate the existing $550k in funding.

Members can vote to signal their support for continuing this program or for ending this program.

You can vote on the Snapshot proposal from 24 October at 10am EST / 2pm UTC until 29 October at 10am EST / 2pm UTC.

1 Like
10

This Snapshot vote has closed, and members voted with 96.79% in support of discontinuing funding for the Immunefi matching bug bounty program going forward.

Per the choices outlined in the Snapshot vote and the proposal, members have signalled that they would like to reduce DAO treasury spending on this partnership at this time.

For more information, you can review the Snapshot vote: Should members continue funding the Immunefi matching bug bounty program?

1 Like
11

This topic was automatically closed after 40 days. New replies are no longer allowed.

12
13

This topic was automatically closed after 169 days. New replies are no longer allowed.