We’re pleased to announce that from today, October 13th 2022, Paribus will be launching our bug bounty program on ImmuneFi. The program will apply to our MVP even while it’s on the public testnet and should help to provide additional confidence when we’re ready to launch on the mainnet.
Bug bounty programs are a crucial aspect of the ongoing maintenance and security of DeFi protocols. There are two main types of program: formal and informal.
An example of an informal bug bounty program is the identification of several security vulnerabilities in MinSwap by the WingRiders team. Some of the vulnerabilities would have allowed liquidity to be drained from all the smart contracts resulting in devastating losses.
WingRiders reached out to MinSwap to warn them of these potential vulnerabilities and requested a bounty in exchange for identifying the faults. MinSwap agreed and went into maintenance mode so they could address the issues before any bad actors had a chance to find them.
The problem with informal bug bounties such as this is that the details regarding payments are often kept private, which can lead people to believe that no bounty was asked for. When it later transpired that WingRiders had requested a bounty, the disclosure seemed less altruistic than people had originally believed.
Ethical hackers are a key part of the DeFi landscape and their expertise has helped to prevent billions of dollars of losses. As such it’s entirely appropriate that they’re rewarded for their help. For these reasons, we decided to implement a formal bug bounty program so that everyone is aware we proactively support paying for this additional layer of security.
As Deniz, our CEO explains, “Bounty campaigns and bug bounties in general are hugely beneficial for individual projects and the space entirely. Projects get to collaborate with whitehat hackers that would otherwise be difficult to find and contact. Individuals with the intention to better the space, and projects building solutions to move Web3 to the next level of adoption are aligned via these campaigns to create a safe environment for all of us.”
ImmuneFi is the leading bug bounty platform for the Web3 space and has already paid out over $60 million in bounties. As a result, they’ve prevented over $25 billion of losses due to hacks and continue to secure some of the largest names in the space.
As our regular readers know, we take security extremely seriously. In fact we’ve sometimes drawn criticism from parts of our community by taking a steady and measured approach to our development in order to prioritize protocol security.
Every step of the way we’ve ensured that our smart contracts are fully and independently audited. However, even with audits, vulnerabilities can still occur which is why it’s essential to have a robust ongoing security program such as a bug bounty.
Wilson, our COO, describes how we’re looking forward to the latest stage of our development journey, “Our bug bounty program is a fundamental aspect of securing our protocol. It is very important for our systems to be put to the test and reviewed thoroughly. I’m really excited to see the results from all of the participants and watching the code become even stronger.”
Another key benefit of initially launching Paribus on Ethereum is that there are far more bug bounty hunters for Solidity than for Cardano's native language, Plutus. While we don't disparage other projects that have been built natively on Cardano from day one, we know how much is at stake when building a borrowing and lending platform. Our risk/reward assessments led us to Cardano via Ethereum for very good reasons, especially the ability to secure the protocol via a bounty program.
Another advantage of partnering with ImmuneFi is that the reporting process is fully integrated within our team dashboard, allowing a rapid response to any potential problems. This also makes it quicker for hackers to be paid, as Simon, our CTO, explains: "Reports will be made directly to us via ImmuneFi; each report must contain a code submission, and a PR attempting to fix it will have to be raised. Code will be reviewed and, if applicable, they will be paid out by us directly in PBX."
As we grow across multiple chains we’ll continue to expand the bug bounty program so that each new aspect of the platform is always included. Every step of the way has taken considerable time and thought. Once implemented we try our best to ensure it remains scalable across all aspects of our future growth.