MIP40c3-SP#: 42
Author(s): @travinimmunefi
Contributors: @psychonaut
Tags: core-unit, cu-si-001, budget, dai-budget
Status: RFC
Date Applied: 2021-10-06
Date Ratified: <yyyy-mm-dd>
MIP40c3-SP42 adds the DAI budget for Core Unit IS-001: Immunefi Security.
MIP40c3-SP42 adds the budget for Core Unit IS-001: Immunefi Security. It contains:
- Total Budget Cap: The hard limit voted on by Governance
- First-month forecast: The actual first month estimated expenses
- Regular monthly forecast
Based on the nature of the work done by the Immunefi Security Core Unit, the budget reflects the needs of the team to ensure continuity of the work described in our MIP39c2. This includes, but is not limited to:
- Identification of critical infrastructure and people
- Initial triaging service for the upcoming bug bounty program
- Incident response setup and facilitation
- Educational content creation around security
- General security advisory
- On-call security advisory
The budget is designed with the following in mind:
- Operational costs to run the core unit and perform its tasks
- Operational costs of third parties contracted
- Legal expenses
- Having a buffer for unexpected legal, technical, or financial problems
Therefore, a vote to ratify this MIP means MKR holders make a commitment to:
- Funding an initial 6-month budget for IS-001
- A continuous funding model based on the SES top-up mechanism
We will be asking for a Total Budget Cap spanning a 6-month runway, the amount of which is currently TBD.
The budget cap will differ from the actual expenses of the core unit. The cap is the maximum that the core unit can request for operations, and it includes room for unforeseen circumstances.
|Line Item|Monthly|Quarterly|
|---|---|---|
|Facilitator|$2 083.33|$6 250+|
|Deputy Facilitator|$10 000|$30 000|
|Immunefi|$10 000|$30 000|
|ChainSecurity|$10 000|$30 000|
|DeFi Safety|$5 000 (one-time)|$10 000 (one-time)|
|Software and Infrastructure Expenses|TBD|TBD|
|Company Setup (1st year)|$2200 (year)|$2200 (year)|
|+ Contingency Buffer (15%)|TBD|TBD|
Additional detail on the above line items:
Though the Facilitator is listed as an individual, the compensation will be provided directly to Immunefi, pending MIP41c4-SPXX. The costs cover all work done by the Facilitator and nothing else. The quote provided assumes the maximum number of hours on a yearly basis, distributed evenly per month.
The Deputy Facilitator will work a minimum of 24 hours per week, increasing the number of hours as necessary, with a planned increase to a full-time role as the Core Unit progresses. As with the Facilitator, the costs cover all work done by the Deputy Facilitator and nothing else.
Immunefi - https://immunefi.com
In addition to the contributions of the Facilitator, Immunefi will also provide professional services including, but not limited to:
- Initial triaging of bug reports
- Content creation
  - General ecosystem security content
  - Core unit focused security content
- Security advisory services
  - Office hours support
  - On-call security advisory
- Incident response facilitation support
The provision of Operational Security Services will be covered under a separate budget proposal.
ChainSecurity - https://chainsecurity.com
The company, which provides software audits for the MakerDAO smart contracts, will provide final triaging services for smart contract bug reports as well as provide technical assistance during incident response. The quote provided is the maximum estimated amount required assuming a combination of regular working hours as well as emergency response hours. However, it is not expected that this would be used maximally each month.
DeFi Safety - https://defisafety.com
The company, which provides security scoring for DeFi projects and recommends ways for projects to increase their security levels, will assist with the identification of critical infrastructure and people and with incident response preparedness. The monthly quote provided is a one-time fee for a set amount of hours of general work to be provided by DeFi Safety, as detailed in the Core Unit proposal; these hours may extend beyond the first month if not consumed. The quarterly amount includes the first month's set amount of hours plus an additional batch of hours, on the assumption that more will be needed. If more hours are not needed, for any reason, the additional batch will not be required.
The company’s contribution to the Operational Security Services will be covered under a separate budget proposal.
The Software and Infrastructure Expenses will include, but will not be strictly limited to, the setup and maintenance of:
- Secure communications channels for sensitive discussions
- General communications tools for office hours, general updates, etc.
- Backups and/or primary hosting for identified critical infrastructure
- Internal organizational tools
These expenses will also include the provision of a premium testing environment for bug bounty hunters.
The Company Setup fees include all legal and administrative expenses for the creation and maintenance of the Immunefi Security Core Unit entity as a limited liability company for one year.
Within the first 5 days of each month, IS will submit a Monthly Budget Statement to the signers of the Auditors Wallet with the following sections:
- Budget Forecast - The amount of DAI that is required to maintain a 3-month operational runway.
- Previous Month Actuals - The actual expenses (DAI and MKR) of the month that just ended.
- MKR Vesting Overview - A schedule of the expected MKR vesting amounts for the current team configuration, grouped by the pay-out month.
- Transaction Amounts
  - The required DAI amount for the Operational Wallet to replenish the 3-month operational runway
  - Any excess DAI amount that will be returned to the Auditors Wallet