Since the matching bug bounty program has been active for over a year, it’s now time for members to review and evaluate whether or not the mutual should continue funding this program.
In this post, I’ll review the cost of the Immunefi matching bug bounty program to date, the projected costs, and the impact on Nexus Treasury holdings.
In August 2021, members voted to launch a matching bug bounty program with Immunefi–the leading bug bounty platform for smart contracts and DeFi projects. Members initially earmarked $200k in funding for the program, which officially launched in September 2021.
The first matching bug bounty was paid out in March 2022, and members reviewed the matching program with Immunefi. After a detailed discussion, members decided to adjust the terms of the program, set new guidelines for payouts, and increase funding for the program. In April 2022, members earmarked $600k for the matching program.
Question for members
These bounties are paid out in wNXM, and since wNXM trades below book value, these payouts have a larger impact on DAO treasury funding. The bear market has impacted the value of funds held in the DAO treasury since the renewal proposal was first passed.
The goals of the renewed, expanded program were to:
- Increase the value of bug bounties (e.g., have listed protocols increase their bug bounties offered on Immunefi).
- Reduce risk for the mutual, hedge against potential claim events.
- Drive more listed protocols to use Immunefi to manage their bug bounty programs.
This program has been active for more than 1 year, and the protocols with the most active cover (i.e., Curve, Convex, Aave, Liquity, Uniswap, etc.) still manage their own bug bounties. Through our program, members have provided two matching bounties for critical vulnerabilities.
The existing funding for this program represents more than 14% of the current value of the treasury and the exact figures are included further in this post.
Members should discuss and decide if we should continue funding this matching program or if we should reduce or discontinue funding for the program.
Cost to date
For the past two responsible disclosures, the mutual has paid out 8,834 wNXM.
There is still $550k in funding earmarked for this matching program. At today’s wNXM price ($16.77), this is equal to ~32,797 wNXM (14.77% of current remaining unallocated treasury).
Nexus Treasury holdings
- Members voted to allocate wNXM acquired through buyback in Dec 2021 and January 2022 in the following Snapshot vote.
- LDO assets will be used to conduct a wNXM buyback according to the outcome of the following Snapshot vote.
- Funding that is currently earmarked for programs, grants.
Matching bug bounty payouts
In March 2022, a whitehat earned $200k in funding provided by Nexus Mutual through this program for responsibly disclosing a critical vulnerability in Yearn Finance’s smart contract system. This incident is reviewed in the Nexus Mutual documentation.
In July 2022, a whitehat earned $50k in funding provided by Nexus Mutual through this program for responsibly disclosing a critical vulnerability in Synthetix smart contract system. This incident is reviewed in the Nexus Mutual documentation.
Past proposals, votes
Members can review the past forum discussions and associated Snapshot votes below:
- Nexus Mutual Community Fund <> Immunefi Matching Program Partnership
- Snapshot: Should we invest 2500 NXM into a bug bounty matching program with ImmuneFi?
- Immunefi Matching Program Launch
- Immunefi Matching Bug Bounty Program Review | Request for Comment (RFC)
- Immunefi Matching Bug Bounty Proposal
- Snapshot: Should we renew the Immunefi Matching Bug Bounty Program w/ $600k in total funding?
Review and discussion period
This proposal will be open for discussion and review for the next ten (10) days. Members can share their thoughts, analysis, and comments below.
Once the community has weighed in and there’s a general consensus, this discussion will be transitioned to a Snapshot vote to determine whether or not this program will be continued.