Vote 3: Security

Snapshot vote 3: Security

This post is for input ahead of a proposed Snapshot vote using GRO (this will include vesting GRO and locked GRO).

After receiving community feedback here and making any necessary amendments, we aim to propose a formal vote to the DAO on https://vote.gro.xyz.

Background

Since the launch of the Gro DAO token, the TVL in Vault and PWRD has increased to >$40m (from ~$10m), plus there is $80m staked across Gro pools and staking contracts (plus 2m GRO in the vesting contract).

Gro has also attracted more attention. Twitter followers are 3x from pre-LBP, Discord has more than 2,000 new members, and weekly app visits are up 10x.

This is exciting, and it’s great to see the world discovering more and more about Gro. However, with a larger TVL, together with increased visibility, we need to keep improving security.

Last week there was a hack on CREAM which sadly cost Gro Vault users a portion of funds. CREAM is a successful protocol that has been running for over a year with more than $1.5bn of TVL, and is based on the battle-tested Compound codebase.

Gro has had three audits so far: Peckshield, Fixed Point Solutions and Code Arena. The protocol has been live (in beta) since August 2021. There is a $60k bug bounty live with Immunefi.

Proposal to increase bug bounty and book in audit with Trail of Bits

Gro takes security very seriously and would like to propose to the DAO an increased bug bounty and another audit.

This is in line with the feedback from our previous community poll (and our published roadmap). As part of this proposal the ‘ownership’ of the bug bounty would transfer to the DAO (from the dev team Grwth Lbs that set up the initial $60k bounty).

We propose that:

(i) the DAO increases the Immunefi bug bounty to $1,000,000, and

(ii) the DAO employs Trail of Bits for an audit as soon as possible.

$1m is the new standard for top DeFi protocols

  • $1m bug bounty at Immunefi is in line with other DeFi protocols such as Tracer, Tokemak, Rari and Perpetual
  • The full bounty would only be paid for potential serious exploits of the protocol, which could cause a loss of user funds.
  • Bounty would be structured as payment of 10% of the potential exploit (capped at $1m): so an exploit worth $10m or more would need to be found to pay the full amount.
  • If this situation were to occur we believe the DAO would be happy to pay out $1m to prevent an exploit.

Trail of Bits are one of the best auditors in DeFi

  • Trail of Bits have been hired to provide smart contract reviews by DeFi protocols including Balancer, Uniswap, Tokemak, Yearn, Frax and many more
  • A Trail of Bits audit will be a rigorous examination of Gro’s smart contracts, and provide additional reassurance to future users - encouraging more TVL into Gro.
  • Trail of Bits have already audited a new Gro strategy (being launched soon), and there is a positive working relationship with them.
  • The cost would be ~$320k and the value to Gro of avoiding a potential exploit is significantly higher than this (both user funds and future reputation/value).
  • In addition, the DAO is well capitalised after the LBP and this is affordable.

Summary

We are determined to keep strengthening Gro protocol’s security and consider these to be two important next steps.

Please add your suggestions, objections and support in the comments below. Let’s get governing :purple_heart:

11 Likes

I support this, especially after recent exploits.

3 Likes

Thanks for this - I support it - security is of the highest importance. The bug bounty seems reasonable, being a % of the exploit value; whilst the cost of the ToB audit seems high to me (a layman), I assume it is the market rate.

2 Likes

Just wondering on the accounting, where would the funds exactly be coming from? Is it a portion of GRO, treasury, or elsewhere?

3 Likes

Will vote in favour of this.

But here are a few questions for the team.

My intent is to ask the questions that ping in my mind with the hope that they help the entire community better understand the proposal and thinking behind it.

  • Are there differences in the services offered by our audit partners? If they offer similar security audit services, what would be the marginal benefit from inviting more auditors?

  • Is security audit a continuing effort i.e. annually?

Coming from a non-technical background, these are the questions at the back of my mind.

5 Likes

On your second bullet point, personally would like audits to be done regularly, possibly even have a pre-planned schedule of audits (which can also act as marketing to potential users of the protocol).

3 Likes

I support. Voting Yes.

2 Likes

In the blockchain world, nothing is more important than security. I totally agree with your approach. At the same time, I think that security audit is not an act of once or twice, but a work that needs to be carried out on a regular basis.

2 Likes

Thanks @figo and @chocoblocko I completely agree that one isn’t enough.

This is one more line of defence out of many, but we should continue to book in audits on a regular basis.

So hopefully ToB is the 4th out of many more.

1 Like

Hey @Slacking , this would be a DAO vote and so funds would come from DAO treasury. The treasury is well capitalised with USDC right now so the proposal would be to come out of that (rather than GRO).

1 Like

ToB are not cheap but they are also arguably the strongest DeFi auditor around. They are also very well known in the space which builds trust further.

Gro has ambitions to be a $1bn TVL protocol, so the cost vs the funds we expect to be at risk is reasonable.

1 Like

Hey @Tudou thanks for the questions.

  • Different auditors will come at the code base with different experiences and approaches, so we think further audits are worthwhile on a continuous basis.
  • Yes exactly, this is an ongoing effort. Ideally with differing auditors to get a broad range of minds thinking about security here.

Hope that answers!

1 Like

Maybe we could adjust the audit piece (ii) to be for a larger amount allowing for ongoing hiring of audit partners, i.e. including this ToB ask but not limited to them and just this one engagement? E.g. allocate $500k or $1m for audits over the next x months?

5 Likes

I like this idea - would like to update the Snapshot vote to include this.

1 Like

This proposal has been moved to a Snapshot vote. Anyone who has any form of GRO (held in wallet, in a pool, staking, vesting) would be able to vote :ballot_box_with_check:

Voting will start on Saturday Nov 6, 2021 at 4:25 PM UTC and last for 72 hours till Tuesday 4:25 PM UTC. This will be the first of many steps we take to enhance security of the Gro protocol :safety_vest:

https://vote.gro.xyz/#/proposal/0x15126e9584299a9751e1d4d7d8fcc248ca54499aa7679305e353a325fc957e58

2 Likes