MIP40c3-SP42: Adding Immunefi Security Core Unit Budget - IS-001

MIP40c3-SP42: Immunefi Security Core Unit Budget - IS-001

Preamble

MIP40c3-SP#: 42
Author(s): @travinimmunefi
Contributors: @psychonaut
Tags: core-unit, cu-is-001, budget, dai-budget
Status: Accepted
Date Applied: 2021-10-06
Date Ratified: 2021-11-22
Ratification Poll URL: https://vote.makerdao.com/polling/QmSbiSTX?network=mainnet
Forum URL: https://forum.makerdao.com/t/mip40c3-sp42-adding-immunefi-security-core-unit-budget-is-001/10813/11

Sentence Summary

MIP40c3-SP42 adds the DAI budget for Core Unit IS-001: Immunefi Security.

Paragraph Summary

MIP40c3-SP42 adds the budget for Core Unit IS-001: Immunefi Security. It contains:

  • Total Budget Cap: The hard limit voted on by Governance
  • First-month forecast: The actual first month estimated expenses
  • Regular monthly forecast

Specification

Motivation

Based on the nature of the work done by the Immunefi Security Core Unit, the budget reflects the needs of the team to ensure continuity of the work described in our MIP39c2. This is summarized in, but not limited to:

  • Identification of critical infrastructure and people
  • Initial triaging service for the upcoming bug bounty program
  • Incident response set-up and facilitation
  • Educational content creation around security
  • General security advisory
  • On-call security advisory

Core Unit ID

IS-001

Budget Implementation

The budget is designed with the following in mind:

  • Operational costs to run the core unit and perform its tasks
  • Operational costs of third parties contracted
  • Legal expenses
  • Having a buffer for unexpected legal, technical, or financial problems

Therefore, a vote to ratify this MIP means MKR holders make a commitment to:

  • Funding an initial 6-month budget for IS-001
  • A continuous funding model based on the SES top-up mechanism

Team Summary

Team members         Amount
Facilitator          1
Deputy Facilitator   1
Team Total           2

External Team Summary

Budget Cap Breakdown

Dai Expenditure

We will be asking for a Total Budget Cap spanning 12-months, the amount of which is currently $634,972.45.

The budget cap will differ from the actual expenses of the core unit. The cap is the maximum amount the core unit can request for its operations, and it includes room for unforeseen circumstances.

Wallets

IS Auditors Wallet (2:3)

  • Controlled by the IS Auditors
  • Address: 0xd1F2eEf8576736C1EbA36920B957cd2aF07280F4
  • Signers:
    • SES Accounting (1:2, 0xA2A855Ac8D2a92e8A5a437690875261535c8320C)
    • SES Auditing (1:2, 0xB2da57e224949acDDe173a5b8A8160c023ea86e6)
    • Maker Protocol (MCD_PAUSE_PROXY, 0xBE8E3e3618f7474F8cB1d074A26afFef007E98FB)

IS Operational Wallet (2:3)

  • Controlled by the IS Core Unit team
  • Address: 0x124c759D1084E67B19a206ab85c4527Fab26c342
  • Signers:
    • 0x2BC5fFc5De1a83a9e4cDDfA138bAEd516D70414b
    • 0xAcAf835934eE40E0d5ee3F941E283499F8Ad97eD
    • 0xFfC87601A80d3e4F0aF083a899e3fee203C23cF0

Transaction Amounts

The initial seed transaction covers the contingency buffers for the core unit:

  • Three months of regular expenses: $122,187.50
  • The yearly and one-time costs included in the budget: $2,530 + $70,725 = $73,255
  • Total for three months of runway: $122,187.50 + $73,255 = $195,442.50

The streaming transaction covers ongoing activity for the core unit:

  • Total remaining costs for 12 months: $122,187.50 x 3 = $366,562.50

Transactions

195,442.5 DAI will be transferred to 0xd1F2eEf8576736C1EbA36920B957cd2aF07280F4 on 2021-12-01

A total of 366,562.5 DAI will be streamed to 0xd1F2eEf8576736C1EbA36920B957cd2aF07280F4 starting 2021-12-01 and ending 2022-08-01

Budget Breakdown

Summary                         Monthly Cost   Quarterly
Facilitator                     $2,083.33      $6,250
Deputy Facilitator              $10,000        $30,000
Immunefi                        $10,000        $30,000
ChainSecurity                   $10,000        $30,000
DeFi Safety                     n/a            $10,000
Total                           $32,083.33     $106,250
+ Contingency Buffer (15%)      $36,895.83     $122,187.50

Yearly Expenses

Item                            Cost
Company Setup (1st year)        $2,200
Total                           $2,200
+ Contingency Buffer (15%)      $2,530

One-time Expenses - Software and Infrastructure

Item                              Cost
Hardware and Software Expenses    $7,500
ChaosLabs                         $54,000
Total                             $61,500
+ Contingency Buffer (15%)        $70,725

Budget Details

Additional detail on the line items above:

Facilitator

Though listed as an individual, the compensation will be provided directly to Immunefi, pending MIP41c4-SP25. The cost covers only the work done by the Facilitator. The quote assumes the maximum number of hours on a yearly basis, distributed evenly per month.

Deputy Facilitator

The Deputy Facilitator will work a minimum of 24 hours per week, increasing the number of hours as necessary, with a planned increase to a full-time role as the Core Unit progresses. As with the Facilitator, the cost covers only the work done by the Deputy Facilitator. A more in-depth description of the Deputy Facilitator role is found in the Core Unit Mandate MIP.

Immunefi - https://immunefi.com

In addition to the contributions of the Facilitator, Immunefi will also provide professional services including, but not limited to:

  • Initial triaging of bug reports
  • Content creation
  • Postmortems
  • General ecosystem security content
  • Core unit focused security content
  • Security advisory services
  • Office hours support
  • On-call security advisory
  • Incident response facilitation support

The provision of Operational Security Services will be covered under a separate budget proposal.

ChainSecurity - https://chainsecurity.com

The company, which provides software audits for the MakerDAO smart contracts, will provide final triaging services for smart contract bug reports as well as technical assistance during incident response. It is not expected that this will be used maximally each month. Instead, the amount requested is the expected maximum number of hours that could be used in the event of multiple critical bug reports and/or an incident response, also accounting for the additional charge for emergency-hours response.

The current agreement between ChainSecurity and the Maker ecosystem will continue to be utilized. The only difference is that the funds would be from the Immunefi Security CU if hours are used for operations of the CU.

If no ChainSecurity hours are used in a month, or if there are leftover hours, they are carried into the succeeding month.

DeFi Safety - https://defisafety.com

The company, which provides security scoring for DeFi projects and recommendations to projects to increase their security levels, will provide assistance with the identification of critical infrastructure and people and with incident response preparedness. The quarterly quote is a fee for a set amount of hours of general work to be provided by DeFi Safety: two (2) sets of 50-hour blocks. The hours may extend beyond the quarter in which they are purchased if not consumed. It is expected, however, that this set amount of hours will be utilized every quarter and a new block of hours will need to be purchased.

The company’s contribution to the Operational Security Services will be covered under a separate budget proposal.

Software and Infrastructure Expenses

About $7,500 of these expenses will include, but will not be strictly limited to, the setup and maintenance of:

  • Secure communications channels for sensitive discussions
  • General communications tools for office hours, general updates, etc.
  • Backups and/or primary hosting for identified critical infrastructure
  • Internal organizational tools
  • Team hardware (e.g. a secure laptop)

Some software may be charged to the Core Unit on a monthly basis, but this one-time budget request has accounted for potential monthly expenses. As the identification of critical infrastructure and other operations have not yet commenced, we cannot yet state precisely what this will cover. All spending, however, will be documented and reported accordingly within reason.

The remaining expense of $54,000 is allocated for the software and infrastructure provided by ChaosLabs, to give a better testing experience to the bug bounty hunters spending time on the planned MakerDAO bug bounty program. This is a consumable amount based on the number of hackers permitted to use the software and infrastructure, as well as the extent to which they use it. The Immunefi Security CU will use its discretion to approve or reject bug bounty hunters' access to the software, with the proper process to be further outlined in the future Bug Bounty Program Subproposal. Participating in the bug bounty program will not require the use of the software and infrastructure.

Company Setup

Fees include all legal and administrative expenses for the creation and maintenance of the Immunefi Security Core Unit entity as a limited liability company for one year.

Monthly Budget Statement

Within the first 5 days of each month, IS will submit a Monthly Budget Statement to the signers of the Auditors Wallet with the following sections:

  • Budget Forecast – The amount of Dai required to maintain a 3-month runway for the team based on available information
  • Previous Month Actuals – The actual expenses (DAI and MKR) of the month that just ended
  • MKR Vesting Overview – A schedule of the expected MKR vesting amounts for the current team configuration, grouped by the pay-out month
  • Transaction Amounts
    • The required DAI amount for the Operational Wallet to replenish the 3-month runway
    • Any DAI amount exceeding the 3-month runway that will be returned to the Auditors Wallet

The Monthly Budget Statements will be added to the MakerDAO forum. The originals can be found here.

Monthly Payment Flow

Once the Monthly Budget Statement has been delivered, the following payment flow will be executed:

  • Budget Statement Review
    • SES Accounting will review the monthly budget statement and check that its expenses reflect the allocated budgets in the budget MIP.
    • SES Accounting may ask the IS team to clarify or correct the budget statement.
    • In case of disagreements, the payments will be paused, and SES Accounting will escalate to the Maker Community.
  • Top-up transaction
    • The auditors will pull the available amount from the DssVest contract.
    • Once the Auditor Wallet signers are satisfied with the monthly budget statement, a top-up transaction from the Auditor Wallet to the IS Operational Wallet will be made.
    • The top-up amount will replenish the 3-month runway based on the forecast in the monthly budget statement.
  • Return excess funds to protocol
    • After the top-up transaction has been completed, the Auditor Wallet signers will return any funds to the protocol that exceed 2x the monthly budget cap.

Related Documents

3 Likes

Can you please explain to the Community why a Deputy Facilitator costs more than a “Facilitator”, and whether either of the two also represents a personal interest in ChainSecurity via employment or equity.

Also, can you please provide a little more colour as to why ChainSecurity will be the recipient of a salary. Is that for the services that ChainSecurity as a separate entity provides? And what do you mean by “The Company, which provides software audits for the MakerDAO smart Contracts”? Are you doing ALL future smart contract audits for all the future components of MakerDAO? And how often do you expect ChainSecurity to play a role? (I think MakerDAO averages around 1 to maybe 2 bugs per quarter.) Although a possible compromise can cost a lot more than $30K :sweat_smile:

2 Likes

@TravinImmunefi is a co-founder of Immunefi and will remain in his current leadership position. He envisions spending less than 20% of his time on the Maker Core Unit. In contrast, I work only for the proposed Core Unit and will be responsible for many of the Facilitator functions, approaching full-time.

2 Likes

Understood. And you are the Deputy Facilitator, or Facilitator?

I am slated to be the Deputy Facilitator. I think it makes sense for @TravinImmunefi to be the Facilitator, at least for now, because he is the most responsible party and has the broadest view on where the Core Unit should navigate.

1 Like

First, I apologize for my late reply. I had to deal with a health issue towards the end of last week.

ChainSecurity isn’t getting a salary. This is just a consumable amount depending on the amount of hours that they’ll be needed for that month. If they won’t be using any of the hours, then no funds will be sent to them. And yes, they will be contracted.

With the sentence that you bolded, I meant that ChainSecurity has been doing audits for MakerDAO in the past. The Immunefi Security CU itself will not be doing audits, though audits and penetration testing may be recommended to other CUs in the course of our operations.

With regards to our expectations of ChainSecurity playing a role, we are working on a very rough estimate right now, as the bugs themselves are also quite varied. Some bugs are extremely obvious and don’t even require a Proof of Concept, so ChainSecurity would likely not need to spend much time on them. Additionally, they will be called in to provide assistance with regards to any incident response that will be needed, and this largely affected that calculation, as definitely more hours will be needed if there’s an active attack.

Can you please explain to the Community why a Deputy Facilitator costs more than a “Facilitator”, and whether either of the two also represents a personal interest in ChainSecurity via employment or equity.

Neither of us is employed by or holds equity in ChainSecurity.

1 Like

Thanks for submitting this @travinimmunefi and @psychonaut, a couple of questions from me:

Firstly, for transparency, PECU currently maintains a retainer with ChainSecurity for contract and security audits. We also manage the preparation of repositories and documentation for auditor interaction (as it relates to PECU). In prior discussion with SES, we determined the ChainSecurity retainer to be for all technical Maker initiatives and that priority would be given to urgent issues, so we would not be fighting over a limited auditing resource.

Am I therefore correct to assume that the ChainSecurity $10k would help fund the rolling retainer and the overall triaging of issues from other teams (not just PECU)? If it doesn’t contribute to the retainer already in place, I’m not sure exactly how it fits in, but let me know if I’m missing something.

1 Like

In terms of tangible deliverables, what does this aspect cover? It makes it less transparent to see the full expense of the CU MIP39c2-SP24.

Final point, there was prior talk of a TechOps Core Unit taking ownership of what you have listed under software and Infrastructure Expenses (Secure comms, hosting/backup tools, comms and organization tools).

I get that this core unit is focusing on comm channels in the event of a critical failure, but has there been thought towards leveraging hardware/tech from the ex-Maker TechOps team? Not sure if this is what you had in mind already?

2 Likes

Hey Derek. Thanks for your thoughtful questions!

Firstly, for transparency, PECU currently maintains a retainer with ChainSecurity for contract and security audits. We also manage the preparation of repositories and documentation for auditor interaction (as it relates to PECU). In prior discussion with SES, we determined the ChainSecurity retainer to be for all technical Maker initiatives and that priority would be given to urgent issues, so we would not be fighting over a limited auditing resource.

Am I therefore correct to assume that the ChainSecurity $10k would help fund the rolling retainer and the overall triaging of issues from other teams (not just PECU)? If it doesn’t contribute to the retainer already in place, I’m not sure exactly how it fits in, but let me know if I’m missing something.

It was recommended to me that it would be best for us to have our own agreement with ChainSecurity with regards to this, though the triaging they would provide would, at the moment, only concern bug reports for things created by PECU, as they would not be involved with other triaging. I plan to engage with them about this further this week, as I initially wanted the RFC to be up a bit longer before some comments - so, perfect timing!

What I had in mind was basically that if the Immunefi Security CU uses up ChainSecurity’s time, it would be on our side to provide the payment, not PECU. This therefore doesn’t change the overall allocation, just who pays. So yes, in a way it’s us just contributing to the retainer already in place, but only if we actually use the hours. Otherwise, all else is held constant. Unlike PECU, we don’t really have a predictable stream of hours where we will need their assistance, so I thought it best to structure this way.

In terms of tangible deliverables, what does this aspect cover? It makes it less transparent to see the full expense of the CU MIP39c2-SP24.

Most of this work will need to be done by a specialist through Immunefi Services and not by members of the CU, so there’s no aspect of the budget here allocated for that. The pricing of this service has unfortunately been quite a roadblock to the start of this CU and was one of the main things that delayed this posting to this cycle, so we decided to have it posted separately, while still keeping an overview of this plan in the overall CU proposal of tasks to be done. Essentially, Immunefi is still structuring the service. As for deliverables, the handbook is the primary one, which can be referenced by the respective CUs to incorporate into their emergency response operations as well as day-to-day safety procedures. Full details are under the “Core Unit Operational Audits - Full Spectrum Security Service” section. I realize this isn’t clear now and will note this for the next round of modifications - thank you!

Final point, there was prior talk of a TechOps Core Unit taking ownership of what you have listed under software and Infrastructure Expenses (Secure comms, hosting/backup tools, comms and organization tools).

I get that this core unit is focusing on comm channels in the event of a critical failure, but has there been thought towards leveraging hardware/tech from the ex-Maker TechOps team? Not sure if this is what you had in mind already?

Yep! We plan to use existing things that the TechOps core unit has set up already, but will set other things up if deemed necessary, as well as create backups where necessary. We will likely need to set up our own secure comms channels, though, but we will leverage free and open source tools wherever possible (e.g. Keybase).

1 Like

I’ve now updated the main post.

Changelog:

  • Added software and infrastructure expense estimation and breakdown
  • Added ChaosLabs software and infrastructure service
  • Clarification on ChainSecurity payments

Upcoming change: Standardization compliance

I’ve now updated the post.

Changelog:

  • Fixed Monthly Budget Statement to be clearer and comply with requirements
  • Added Monthly Payment Flow
  • Added Wallets
  • Added Transaction Amounts
  • Added final amount requested

Made some additional changes:

  • Separated yearly expenses
  • Separated one-time expenses and added breakdown
  • Clarified DeFi Safety description and fees
  • Fixed the totals and funds requested
  • Fixed date of last streaming payment

1 Like

@blimpa Formally submitting MIP40c3-SP42 for Nov gov cycle

1 Like

One point of clarification:

I had mentioned a subproposal for the budget for the Operational Audit. However, I have since been corrected: an additional budget request that is not a MIP subproposal is a replacement budget proposal. So if it moves forward without a MIP subproposal, unlike the Bug Bounty Program, this will be a replacement budget proposal and not a subproposal.

As part of our broader effort to bring more transparency to the CU budget structure, we have documented the wallet setup of this CU and others.

Read more about it here: Introducing the CU Budget Transparency Map

The auditors wallet addresses are now available… If a MIP editor could fill out the addresses in the OP, it would be appreciated:

  • Signers
    • SES Accounting (1:2, 0xA2A855Ac8D2a92e8A5a437690875261535c8320C)
    • SES Auditing (1:2, 0xB2da57e224949acDDe173a5b8A8160c023ea86e6)
    • Maker Protocol (MCD_PAUSE_PROXY, 0xBE8E3e3618f7474F8cB1d074A26afFef007E98FB)

(Please correct the 1:2 here too.)

2 Likes