Background
Security-First Approach
Over the 2-plus years that Perpetual Protocol has been live, the protocol has not suffered any hacks or exploits. We attribute this to the significant emphasis the team places on the security of all funds on the platform. As a quick recap, a number of mechanisms are currently in place to minimize risk to our users, including:
- External Audits: we work with dedicated partners who have built up in-depth knowledge of Uniswap V3 as well as Perpetual Protocol and can help identify any issues
- Internal Audits: the team constantly runs internal audits through peer reviews
- Bug Bounty: we work with ImmuneFi to connect with whitehat hackers on their platform to identify any potential vulnerabilities that we may have missed through our internal and external audits
This process ensures we have the greatest number of eyes on the project code to discover potential vulnerabilities and patch them before they are exploited. We’re happy to say that we’ve had 25 audits from 6 different audit firms throughout the life of V1 and V2.
Additionally, as a result of this process and focus on security, we’re happy to report that we have received 15 reports through ImmuneFi, of which 7 were potential vulnerabilities (albeit of low likelihood and in very specific edge cases); these were patched promptly.
Bug Bounty Budget
The initial unlock of tokens allocated to bug bounties has been exhausted and we need to refresh this budget.
External Audits
The team currently has regular audits scheduled throughout the year, which allows us to ship and deploy continuously. Regular access to auditors also ensures that we are able to discuss potential risks and attack vectors and plan mitigations for them.
Proposal
Overview
Similar to the MME, we propose to set up a Security Entity (SE) with the mandate of securing Perpetual Protocol as follows:
- Spinning up a new entity with a dedicated team of security engineers used for internal auditing work
- Contracting and working with external auditors
- Liaising with external white hat hackers and paying out bug bounties
Independent Entity
Similar to the MME and subDAOs, we propose that the SE be a separate entity that is independent of the Foundation. We expect the initial headcount for the internal auditing team (the first item above) to be 1 engineer. The Foundation has identified the one engineer from the existing team with the correct credentials who will move across should the vote be successful.
Budget
A budget of 5M PERP will be allocated to fund the following items:
- External auditors
- Bug Bounties
- Dedicated security engineer(s)
The budget is estimated to last 30 months, subject to variations in bug bounty payouts (the maximum bounty is 250k USD) and the PERP price.
Proposed Voting Options
Option #1 - Yes
Option #2 - Nay
Option #3 - Abstain