This post is for input ahead of a proposed Snapshot vote using GRO (this will include vesting GRO and locked GRO).
After receiving community feedback here and making any necessary amendments, we aim to propose a formal vote to the DAO on https://vote.gro.xyz.
Since the launch of Gro DAO token the TVL in Vault and PWRD has increased to >$40m (from ~$10m) plus there is $80m staked across Gro pools and staking contracts (plus 2m GRO in the vesting contract).
Gro has also attracted more attention. Twitter followers are 3x from pre-LBP, discord has more than 2,000 new members, and weekly app visits are up 10x.
This is exciting, and it’s great to see the world discovering more and more about Gro. However with a larger TVL, together with increased visibility, we need to keep improving security.
Last week there was a hack on CREAM which sadly cost Gro Vault users a portion of funds. CREAM is a successful protocol that has been running for over a year and with more than $1.5bn of TVL, and is based off the battle-tested Compound codebase.
Gro has had three audits so far: Peckshield, Fixed Point Solutions and Code Arena. The protocol has been live (in beta) since August 2021. There is a $60k bug bounty live with Immunefi.
Gro takes security very seriously and would like to propose to the DAO an increased bug bounty and another audit.
This is in line with the feedback from our previous community poll (and our published roadmap). As part of this proposal the ‘ownership’ of the bug bounty would transfer to the DAO (from the dev team Grwth Lbs that set up the initial $60k bounty).
We propose that:
(i) the DAO increases the Immunefi bug bounty to $1,000,000, and
(Ii) the DAO employs Trail of Bits for an audit as soon as possible.
- $1m bug bounty at Immunefi is in line with other DeFi protocols such as Tracer, Tokemak, Rari and Perpetual
- The full bounty would only be paid for potential serious exploits of the protocol, which could cause a loss of user funds.
- Bounty would be structured as payment of 10% of the potential exploit (capped at $1m): so an exploit worth $10m or more would need to be found to pay the full amount.
- If this situation were to occur we believe the DAO would be happy to pay out $1m to prevent an exploit.
- Trail of Bits have been hired to provide smart contract reviews by DeFi protocols including Balancer, Uniswap, Tokemak, Yearn, Frax and many more
- A Trail of Bits audit will be a rigorous examination of Gro’s smart contracts, and provide additional reassurance to future users - encouraging more TVL into Gro.
- Trail of Bits have already audited a new Gro strategy (being launched soon), and there is a positive working relationship with them.
- The cost would be ~$320k and the value to Gro of avoiding a potential exploit is significantly higher than this (both user funds and future reputation/value)
- In addition, the DAO is well capitalised after the LBP and this is affordable.
We are determined to keep strengthening Gro protocol’s security and consider these are two important next steps here.
Please add your suggestions, objections and support in the comments below. Let’s get governing