UGP v3 Bug Bounty contribution

With the announcement of Uniswap v3, the Uniswap Labs team has posted a $500,000 bug bounty program for the reporting of any bugs that can lead to the potential loss of LP funds as well as discretionary rewards for lower severity bugs.

We believe the security of v3 contracts is critical to continuing to grow the UNI ecosystem, which is part of the stated mission of the UNI Grants Program that governance approved in Q4 2020.

The UNI Grants Program would like to double the UGP Q2 budget to $1.5M in order to match the Uniswap Labs bug bounty program with $500,000 worth of UNI from the Committee multisig. As these funds were not a part of our original proposal, we are outlining our rationale and process for its approval via a Snapshot temperature check.

Rationale:

In Q4 2020, UNI governance approved a transfer of $1.5M from treasury to the Uniswap Grants Program multisig.

Since then, the following has happened:

  • In Q1 2021, UGP has successfully funded 23 projects, deploying the targeted $750,000 worth of UNI. You can read more about the details of our Q1 grants here.
  • In Q2, UGP is on track to deploy $750,000 worth of UNI and will be updating our process to make grant approvals more frequent. Read more on our request for proposals for Q2 here.
  • The value of UNI in the multisig has grown from approximately ~$1.5M to ~$14M at the time of this writing.

Separately, v3 introduces new market dynamics and customizable liquidity provisions with both increased gains and associated risk, putting more pressure on ensuring the security of v3 contracts. While several audits have been completed, there may be bugs and exploits that have been overlooked.

Given the mission of the grants program, our progress to date, and the importance of security for users' funds, we believe the bounty match would be an appropriate use of funds entrusted to us.

Process:

There has not yet been a precedent set for governance decisions that do not require any code or additional actions from treasury. Therefore to approve the match, we are seeking community support through a Snapshot temperature check.

We’re employing an open voting period of 7 days starting today, 03/26/21 until 04/02/21, after which UGP will act according to the majority vote!

Unlike a full governance proposal, this process is meant to be lightweight because the funds are already sitting in the UGP multisig and, as such, there will be no minimum threshold for voting. Please submit your votes within the next 7 days here and let us know your thoughts on the lite-proposal™!

Snapshot Temp-Check

16 Likes

I really like this idea, but I wonder how it would be implemented: Would the grants committee be responsible for determining what gets a bug bounty payout? Would the current funds be delegated to a different committee to handle issues like this?

1 Like

Great question! We have to acknowledge our own blind spots in our technical expertise. UGP seeks to match the bounties 1:1 with the Uniswap Labs team instead of us evaluating the individual submissions.

v3 brings a lot of attention to something new both on the contracting side as well as the financial side so security is of utmost importance. Looking at past contracts and their exploits, we’d want to ensure users are as safe as can be. With UNI price having increased quite a decent amount, we wouldn’t be asking for more funds, just approval from the community to spend what’s already in the multisig for what we feel is quite important.

2 Likes

I definitely support bigger bounties - it’s going to be ~$4B soon enough so we may as well do the best we can before launch.

Can I suggest that instead of a simple matching program, you expand the audience of hackers by using another platform to run a parallel program? For instance, in the launch process of Multi-Collateral Dai we had success with HackerOne (they detected a critical bug).

6 Likes

yes would love to discuss! DMing you!

2 Likes

Well yes. Now I am actually unemployed and I am opening my own company. Until then I have plenty of time to work on your demand. So, do tell what bug you want me to eliminate and where. It shouldn't take long if the code is not codependent to itself.