[RFC] - Ethereum Foundation Attackathon Sponsorship

Author(s): Rodrigo Vasquez, Ethereum Foundation; Jay Yu, Stanford Blockchain Club

Outline

  • 0 - Quick Links

  • 1 - Summary

  • 2 - Motivation

  • 3 - Proposal Details

  • 4 - Benefits to the Uniswap Community

  • 5 - Cost and Timeline

    • 5.1 - Sponsorship Tiers

    • 5.2 - Timeline and Key Dates

0 - Quick Links

1 - Summary

This proposal seeks funding from the Uniswap DAO to support an Attackathon, a comprehensive security audit event designed to bolster the security of the Ethereum protocol. The Attackathon will consist of three phases: education, active code hunting, and result evaluation. The goal is to enhance the security of the Ethereum network, which in turn benefits the entire DeFi ecosystem, including Uniswap.

2 - Motivation

The Ethereum Foundation and Immunefi are introducing the first-ever “Attackathon” program, which aims to be the largest crowdsourced security audit contest ever run, covering the entirety of the protocol’s code.

An Attackathon is a multifaceted event involving three phases:

  1. Before the Attackathon: A comprehensive education program on the protocol’s code delivered via live technical walkthroughs and Attackathon Academy content.
  2. During the Attackathon: Security researchers hunt for vulnerabilities in the code based on specific rules to qualify for rewards. Only impactful reports, as specified by the rules of the Attackathon, will be rewarded.
  3. After the Attackathon: Immunefi evaluates and compiles the results into an official Attackathon report, spotlighting top researchers with monetary rewards, NFT awards and a leaderboard.

Although the Ethereum Foundation runs a permanent bug bounty, the program does not draw the awareness and the number of eyes on the code that it should. While the EF Bug Bounty has existed since 2015, it typically receives only 2-3 low-to-medium-severity reports per week. Through this event we therefore hope to draw more skilled security professionals to audit Ethereum, and blockchain projects more broadly.

Following recent large hard forks such as Dencun and Shapella, the Ethereum network has undergone significant changes, making this the ideal time to conduct an extensive security audit. Ensuring the protocol’s stability and security post-upgrade is crucial for maintaining trust and reliability.

3 - Proposal Details

This Attackathon will be held fully online. Immunefi will host the contest on their platform and triage the bug reports, and the EF Protocol Security Research Team will judge the results together with representatives from client teams.

The scope of this Attackathon program seeks to include:

  • Specification Bugs:
    • Safety/finality-breaking bugs
    • Denial of service (DoS) vectors
    • Inconsistencies in assumptions, like situations where honest validators can be slashed
    • Calculation or parameter inconsistencies
  • Client Bugs:
    • Spec non-compliance issues
    • Unexpected crashes, remote code execution (RCE) or denial of service (DoS) vulnerabilities
    • Any issues causing irreparable consensus splits from the rest of the network
  • Solidity Compiler Bugs
  • Deposit Contract Bugs

The primary ask for the Uniswap community in supporting this project will be in funding, but any contributions to broadcast the program through socials would also be appreciated!

4 - Benefits to the Uniswap Community

Conducting the Attackathon now, following recent major hard forks of the Ethereum network, is crucial. These upgrades have brought significant changes, and a comprehensive security audit will ensure the protocol’s stability and security post-upgrade. This increased focus on security will attract significant attention to the Ethereum codebase, enhancing visibility and participation from security researchers.

For the Uniswap community, this initiative has direct benefits. Enhancing Ethereum’s security directly improves Uniswap’s reliability and trustworthiness, as Uniswap’s security is inherently tied to Ethereum’s security. A secure Ethereum fosters a confident developer community, which benefits the entire DeFi ecosystem, including Uniswap. Moreover, by including the Solidity compiler in the competition’s scope, the Attackathon will specifically address potential vulnerabilities in the compiler for the primary programming language of Ethereum smart contracts, including those used by Uniswap. Ensuring the security of the Solidity compiler will thus directly enhance the security of Uniswap’s smart contracts.

Additionally, aligning with Ethereum’s security efforts offers cost-effective benefits. Uniswap will gain from top-tier security assessments without bearing the entire cost, ensuring a secure and robust environment for its operations. Furthermore, by upskilling security researchers now, we prepare them for future hard fork contests, enhancing the overall security readiness of the Ethereum and Uniswap ecosystems.

5 - Cost and Timeline

5.1 - Sponsorship Tiers

Unicorn Partners (+75 ETH Commitment, Approx. $250,000) (limited to two sponsors)

  • 1x Unique NFT with leaderboard rank
  • Participation in Attackathon Kick-off Twitter Space as a partner speaker
  • Leaderboard Placement on Sponsor page
  • Top-tier logo placement on Sponsor and Program Landing Page
  • Top-tier logo placement on the Program Education page and program report
  • Call out in Press Releases and EF and Immunefi Program Announcement Blogs
  • Digital Logo Placement in the results announcement at Devcon or a dedicated virtual event
  • 4x Devcon tickets
  • 25% Discount on Immunefi Crowd Sec offerings [Transferable]
  • 1x Dedicated Twitter post announcing sponsorship from Immunefi Twitter handle

Panda Partners (+30 ETH Commitment, Approx. $100,000)

  • 1x Unique NFT with leaderboard rank
  • Leaderboard listing on the sponsor landing page
  • Mid-roll logo placement on Sponsor and Program Landing Page
  • 2x Devcon tickets
  • 10% Discount on Immunefi Crowd Sec offerings [Transferable]
  • 1x Dedicated Twitter post announcing sponsorship from Immunefi Twitter handle

5.2 - Timeline and Key Dates

  • July 8-11: EthCC program announcement
  • August 8: Detailed program announcement and education kickoff.
  • September 1st: Attackathon hunting begins.
  • October 31st: Attackathon concludes, and results compilation begins.
  • November 9-17: Results announced.
1 Like

Hi! Thank you for this proposal.

From SEED Gov we have some questions to expand on the information that has been provided in this post.

  • What is the target audience? We understand that they would be advanced devs, but we would like to have certainty on your part.
  • What kind of web traffic / spaces or reach do you expect to get from this initiative?
  • How many applications do you expect to receive and how many applicants will be accepted into the Attackathon?
  • What is the applicant selection process?

It is clear that this is a program that, by strengthening the security of Ethereum, will indirectly strengthen the security of Uniswap. However, from the commercial point of view of the exposure the protocol could achieve, and considering that the program is aimed at advanced developers who presumably, given their specialization, already know Uniswap, we want to have these data, which are important for establishing whether the impact of the program and the positioning Uniswap could achieve there justify an effort as significant as 75 or 30 ETH.

Thanks!

1 Like

Thanks for your questions and for showing interest in our proposal!

Target Audience

We’re targeting security researchers and white hat hackers for this event. Our primary goal is to attract the most experienced SRs who want to make a difference in the Ethereum ecosystem. We’re also creating educational materials to help newer researchers learn how to participate in future Ethereum audit contests after each hard fork. These materials will equip them with skills they can use in other ecosystem audits, including those run by Uniswap.

Expected Reach and Impact

Here are some metrics from the announcement posts we made across all of our channels:

  • Views: 7 million
  • Reach: 1.7 million

Application and Selection Process

The Attackathon is a bit different from a hackathon. It is a time-locked security audit contest in which security researchers submit bug reports that are awarded prizes based on how critical the reported vulnerability is.

For comparison, the Immunefi Attackathon on Fuel saw:

  • 343 bug reports submitted
  • Early judging shows at least 3 critical and 10 high-severity vulnerabilities, with more critical ones expected to be confirmed.
  • 81 confirmed reports from 92 unique security researchers, including low/medium and insights.

Since this is the first-ever Ethereum audit contest, we’re expecting even more participation and buzz.

Impact and Brand Positioning

While our main focus is on boosting Ethereum’s security, this initiative also offers Uniswap a chance to strengthen its reputation. Supporting a program that enhances Ethereum’s security demonstrates Uniswap’s commitment to the broader ecosystem. This initiative will highlight Uniswap’s dedication to security and innovation, reinforcing its position as a security-focused protocol.

Thanks again for considering our proposal. We’re excited about the potential of this initiative and hope for your support.

2 Likes

SEED Gov has voted to abstain on the Temp Check voting. You can find our rationale here in our delegation thread.

Considering that the Uniswap Foundation itself sponsors or hosts many of the hackathons and already contributes to several public goods, we are concerned that this effort is a duplicate effort.

Also, considering that the Ethereum Foundation has been accused of not allocating enough funding for DeFi objectives, we believe, ironically, that the EF requesting funding rather than paying from its own budget seems to make the case even clearer.

We are voting strongly against.

1 Like

Echoing what StableLab has said, Blockworks Research will be voting against this proposal as Uniswap is already involved in a litany of hackathons for the good of the crypto industry. We think that this proposal would be better revisited in other DAOs instead.

2 Likes

The following reflects the views of L2BEAT’s governance team, composed of @kaereste and @Sinkas, and it is based on the combined research, fact-checking, and ideation of the two.

We’re voting FOR this proposal while opting for the ‘Panda Partners’ option.

We generally support initiatives that benefit the entire ecosystem, so we’re inclined to support the proposal as we did with a similar request on Arbitrum. Therefore, we decided to vote in favor of the proposal and chose to support on the ‘Panda Partners’ level.

1 Like

Gm, gm! :sparkles:

The results are in for the [Temp Check] - Ethereum Foundation Attackathon Sponsorship off-chain proposal.

See how the community voted and more Uniswap stats:

https://dhive.io/proposal/1352/