
Monero Bounty Bonds

Hi guys,

I was reading Shen's recent blogpost about the flaw in ShadowCash. At the bottom of the article some bounties for pointing out errors were mentioned.

Wouldn't it be cool/important/useful if Monero also offered some bounties so external people are incentivized to check the Monero protocol? It would give positive exposure to Monero and it would strengthen the protocol. Instead of attacking the network, people would be wise to just tell the core team about the exploit they just found.

So, then I was thinking about how to set it up... The obvious route is to just use the forum funding system to crowdfund these bounties.

But this seems like a strange idea if you think about it: who will lock up their money indefinitely so the bounty money is always available?

So then I thought about just asking people to put in some money for a specified period, for example one year. But this also seems a bit strange. Why would you do that? Yeah, you are supporting XMR by doing this, but locking away a few BTC with the risk of losing them because the money will be used to pay out bounties isn't very appealing. I don't expect a lot of people to do that.

There was something missing: an incentive to lock your money!

That's why I propose the idea to create "Monero Bounty Bonds":

  1. First we determine how much money we want for our bounties and which bounties we want to provide
  2. Then we auction the bonds. We let people bid on the amount of XMR they want to receive per mBTC they lock for a year
  3. We use the forum funding system to crowdfund the interest after a year.

This system would mean that bonds would gain value over time if the protocol is strong (I'm assuming a stable BTC/XMR rate here): imagine you get 10% in a year. After 6 months of zero bounty payouts, the risk of a payout happening has become smaller => making a profit on your bond is more likely and your bond should be worth about 5% above par.

benefits:

  • we can crowdfund a larger amount of BTC for paying out bounties because the investors are incentivized
  • people who have a good understanding of the protocol can "put their money where their mouth is"
  • if you are a bounty hunter, you can even buy a bond yourself. When you found an exploit, you can try to sell your bond on the market and then reveal the exploit and profit twice.

On a side note: it would be interesting to see the interest rate go down over time. This would mean that the trust in the Monero protocol is going up.

Thoughts?

Replies: 5
Gingeropolous posted 6 years ago

I'm trying to parse:

First we determine how much money we want for our bounties and which bounties we want to provide
Then we auction the bonds. We let people bid on the amount of XMR they want to receive per mBTC they lock for a year
We use the forum funding system to crowdfund the interest after a year.

A perhaps simpler solution would be to just have the bonds / bounties expire annually and require re-activation. So this way, the funds aren't locked up forever and there is an annual adjustment based on the current fiat value.

So, imagine a 10,000 USD fund for exploit X. 10 individuals "put their money where their mouth is" regarding their faith in the Monero code and the core team and put in 2k XMR each (using current fiat value of 50 cents).

A year goes by and the bounty is unclaimed. The 10 individuals who supported this have their XMR returned to them. They then have the choice to cycle another year at 10k. Presumably, monero is now at 1$, so they put up 1k XMR each.

While there's no blatant incentive to put your money up, it does do one thing: prevent you from selling your monero.

Reply to: Gingeropolous
dnaleor edited 6 years ago

Bounties need to be held in BTC or fiat: if there is an exploit that can't be fixed, XMR will go down and you can't pay for the bounty.

The idea behind the system I proposed is that we can leverage crowdfunded money to have bigger bounties.

For example: when the auctioned interest rate is 10%, we can have a 10 BTC bounty with only 1 BTC in crowdfunding.

edit: @ginger, what you propose is the same as someone bidding 0% in the auction. Nobody will stop that guy from doing it. If there are philanthropic people that want to do that, that's great :)

Reply to: Gingeropolous
dnaleor edited 6 years ago

Sidenote: Maybe locking up 0.001 BTC is a bit low. We could for example let people bid with 0.1 BTC as a minimum.

Example bid: 0.2 BTC @ 50 XMR/BTC

=> bidder will receive 50*0.2 = 10 XMR after a year + the remaining part of the locked BTC.

dnaleor edited 6 years ago

@ginger The main reason why I propose these bonds is because I want to think big:

We are probably not able to get 100 BTC locked for the bounties. That's a lot of money. If we incentivize people, the chances of getting a big BTC amount are higher.

We could even start an open auction, without limit for the amount that eventually will become a bond.

[Step 1] We decide which kind of bounties and we give "weights" to them.

An example:

  • fatal flaw (steal coins, create "invisible" new coins, ...): 50% of bounty fund
  • Breaking anonymity: 25% of bounty fund
  • Breaking consensus: 25% of bounty fund
  • flaw that crashes nodes: 10% of bounty fund
  • flaw that crashes wallet: 5% of bounty fund

[Step 2] We let people bid in an open auction. We also set a date for the closing.

An example:

  • 10.0 BTC @ 34 XMR/BTC => 340 XMR
  • 5.0 BTC @ 22 XMR/BTC => 110 XMR
  • 2.0 BTC @ 11 XMR/BTC => 22 XMR
  • 1.5 BTC @ 6 XMR/BTC => 9 XMR
  • 0.5 BTC @ 4 XMR/BTC => 2 XMR
  • 4.0 BTC @ 0 XMR/BTC => 0 XMR

[Step 3] When the auction is closed, we start an open crowdfunding. We also set a date for this.

For example: after the crowdfunding closes, we notice that the total is 55 XMR.

[Step 4] Now we allocate the bonds

In our example, the lowest 55 XMR will become a bond:

  • 4.0 BTC @ 0 XMR/BTC => 0 XMR ----------total 0 XMR
  • 0.5 BTC @ 4 XMR/BTC => 2 XMR ----------total 2 XMR
  • 1.5 BTC @ 6 XMR/BTC => 9 XMR ----------total 11 XMR
  • 2.0 BTC @ 11 XMR/BTC => 22 XMR ----------total 33 XMR
  • 5.0 BTC @ 22 XMR/BTC => 110 XMR ----------22 XMR/110 XMR becomes a bond => 1 BTC => TOTAL 55 XMR

TOTAL BTC = 4+0.5+1.5+2+1 = **9 BTC for bounties, with only 55 XMR in crowdfunding**

[Step 5] Now we sit back and wait.

If, for example, a bug was found that crashes the node, 5% of 9 BTC will be given out (0.45 BTC). We have 8.55 BTC left. If after a while a fatal flaw was reported, that guy gets 50% => 8.55/2 = 4.275 BTC, etc.

The fund can't ever be emptied completely. If it however drops below (for example) 20% of the initial amount, the bond closes early and investors get their money back proportionally after a new auction/crowdfunding round is finished. They also receive their interest payment.
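The Step 4 allocation and Step 5 payouts from the post above, worked through in code. This is an added example, not part of the original post or any Monero project code; the function names are hypothetical, the bids are the ones listed in Step 2, and the payout fractions are the ones used in the Step 5 narrative.

```python
from decimal import Decimal as D

# Bids from the post's Step 2 example: (BTC locked, XMR asked per BTC)
BIDS = [("10.0", "34"), ("5.0", "22"), ("2.0", "11"),
        ("1.5", "6"), ("0.5", "4"), ("4.0", "0")]

def allocate_bonds(bids, interest_budget_xmr):
    """Fill bids from the cheapest rate up until the crowdfunded XMR is spent.

    Returns (accepted, total_btc, xmr_committed); accepted holds one
    (btc_accepted, xmr_per_btc, xmr_interest) tuple per bond.
    """
    remaining = D(interest_budget_xmr)
    accepted = []
    for btc, rate in sorted(((D(b), D(r)) for b, r in bids), key=lambda x: x[1]):
        cost = btc * rate
        if cost <= remaining:
            take = btc                     # whole bid fits (0-rate bids always do)
        elif remaining > 0:
            take = remaining / rate        # marginal bid is filled only partially
        else:
            break                          # interest budget exhausted
        accepted.append((take, rate, take * rate))
        remaining -= take * rate
    total_btc = sum(a[0] for a in accepted)
    return accepted, total_btc, D(interest_budget_xmr) - remaining

def pay_bounty(fund_btc, initial_btc, fraction, floor=D("0.20")):
    """Pay `fraction` of the *current* fund, so it can never reach zero.

    Returns (payout, fund_left, close_early); close_early is True once the
    fund falls below `floor` (20% in the post) of its initial size.
    """
    payout = fund_btc * fraction
    left = fund_btc - payout
    return payout, left, left < initial_btc * floor

if __name__ == "__main__":
    bonds, fund, used = allocate_bonds(BIDS, "55")
    for btc, rate, xmr in bonds:
        print(f"{btc} BTC @ {rate} XMR/BTC => {xmr} XMR interest")
    print(f"fund: {fund} BTC backed by {used} XMR")
    initial = fund
    for fraction in (D("0.05"), D("0.5")):   # fractions used in Step 5
        paid, fund, close = pay_bounty(fund, initial, fraction)
        print(f"paid {paid} BTC, {fund} BTC left, close early: {close}")
```

Because every payout is a fraction of what is left, repeated payouts shrink the fund geometrically, which is why the early-close floor is needed to trigger a new round.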

anonimal posted 6 years ago

Interesting idea. A simpler bug bounty approach is currently in the works: https://github.com/monero-project/meta/issues/39