- Referenda/
- Big Spender/
- #1640/
Bounty Top Up: Polkadot Assurance Legion
Date: June 30, 2025
Proposer: Polkadot Assurance Legion (PAL) Curators
Requested Amount: 500,000 DOT
Beneficiary: Polkadot Assurance Legion (PAL) Bounty #22
Short Description: This proposal is the first bounty top-up for the Polkadot Assurance Legion (bounty #22), requesting 500,000 DOT. These funds will enable PAL to continue its crucial work in enhancing the security of the Polkadot ecosystem. The current mandate of PAL includes the partial audit funding for Runtimes and smart contracts (both Rust and Solidity), the development of security tooling, common-good security initiatives, and partial reimbursements for bug bounty payouts.
1. Introduction & Background
The Polkadot Assurance Legion (PAL) is a community-driven initiative dedicated to making Polkadot a safer and more attractive platform for builders and users. By allocating funds from the Polkadot Treasury, PAL supports a range of security-focused activities critical for Polkadot's health and growth. With PAL, Polkadot is the only ecosystem that allocates a portion of its on-chain treasury to enhance the security of the ecosystem, thereby investing in its long-term security, stability, and success.
Since the start of 2024, PAL has co-funded 25 audits, which have helped identify and resolve 133 on-chain vulnerabilities, of which 27 were classified as critical or high-risk. Furthermore, PAL has funded the development of a static-analysis tool and is just about to fund the development of a comprehensive ecosystem monitoring tool.
You can find the funding details in our community reports: Q1 2025, H2 2024, and H1 2024.
Previous PAL OpenGov referenda: #47, #1074.
More info on https://dotpal.io
2. Current funding status
At the time of writing, the balance of the PAL Bounty #22 stands at approximately 177,800 DOT. Here is a breakdown of the spending so far (not including 2025 Q1 as the numbers are not final):
- 2025 Q2 (final report pending): Total 50,990 DOT (Audits: 32,793 DOT; Tooling: 4,424 DOT; Curator Salaries: 13,773 DOT);
- 2025 Q1: Total 49,454 DOT (Audits: 19,663 DOT; Tooling: 16,517 DOT; Bug Bounties: 3,304 DOT; Curator Salaries: 9,970 DOT);
- 2024 H2: Total 112,491 DOT (Audits: 84,262 DOT; Tooling: 10,695 DOT; Curator Salaries: 17,534 DOT);
- 2024 H1: Total 158,393 DOT (Audits: 154,413 DOT; Curator Fees and Travel: 3980 DOT).
Here is a breakdown of the share of each spending category:
- Audits: 78%
- Curator Salaries: 12,2%
- Tooling: 8.5%
- Bug Bounties: 0,9%
3. Top-Up Justification
Considering the past spending behaviour outlined above, and the anticipated future demand for security services, we would like to request a top-up of the PAL bounty with 500,000 DOT.
The funds currently remaining in the bounty provide sufficient albeit limited leeway for the upcoming months. In the next weeks, we will initiate payouts for the development of the ecosystem monitoring tool, which will have a total cost in the range of $200,000 to $250,000 (delivered via milestones of up to $50,000). Besides several ecosystem projects expressing interest in audit co-funding, we expect an uplift in demand due to the launch of EVM smart contracts on Polkadot Hub, which (hopefully) will be audited by their deployers. Furthermore, we would like to continue funding open-source security tools that benefit the Polkadot ecosystem.
According to our knowledge, the requested top-up should allow PAL to continue its operations uninterrupted for at least another 12-18 months (depending on factors such as DOT valuation).
4. Why Fund Security
A well-funded PAL directly contributes to:
- Enhanced Security: Funding Audits reduce the risk of exploits and potential loss of funds across the ecosystem.
- Increased Developer Confidence: Providing resources for tooling that helps developers build more secure applications.
- Greater User Trust: Demonstrating that Polkadot is committed to security, making it a more attractive platform for users.
- Ecosystem Growth: A secure environment fosters innovation and encourages broader adoption.
- Proactive Risk Mitigation: Supporting the development of tools and initiatives that can prevent future vulnerabilities.
PAL has a proven track record of effective fund management and impactful security contributions. The requested top-up will ensure that this vital work can continue and adapt to the Polkadot network's evolving needs.
We welcome any questions and are committed to continuing to report on the use of these funds in a transparent manner.
- Polkadot Assurance Legion (PAL) wants 500,000 DOT to keep Polkadot safe.
- PAL helps pay for security checks (audits) and tools to find bugs.
- So far, PAL has found 133 problems, with 27 being very serious.
- Most money (78%) goes to audits, 12% to PAL workers, and 8.5% to tools.
- The new funds will last 12-18 months for more security work.
- More security means safer apps and happier users.
- PAL shares updates so everyone knows how the money is used.
- 0.0%
- 0.0%
Threshold
- 0.0%
✅ Why vote YES
• Essential security initiative: PAL is the only ecosystem-wide, community-led security program with a dedicated on-chain bounty for audits, tooling, and proactive risk management.
• Strong track record:
• 25 audits funded since 2024
• 133 vulnerabilities uncovered, including 27 high/critical
• Funding already resulted in security tooling, including static analysis and monitoring
• Ecosystem-wide impact: Audits and tools are used across parachains, dApps, and the Polkadot Hub, with increasing demand expected from EVM smart contracts deployment
• Transparent budgeting and reporting: Quarterly and semi-annual community reports are published (Q1 2025, H2 2024, etc.)
• Long-term sustainability: 500,000 DOT would cover 12–18 months of operations (audits, bounties, tools, curator fees), ensuring uninterrupted activity
• Improves trust and adoption: Better security = safer experience for users, more confidence for builders, and more credibility for institutional partners
• Low administrative overhead: Only ~12% of costs go to curators (rest focused on delivery)
⸻
❌ Why vote NO
• High cost: 500,000 DOT (~$1.65M at $3.30/DOT) is a large ask, even if over 12–18 months
• Bug bounty spending remains small: Less than 1% of previous budget went to actual bounty payouts—might raise concerns over practical ROI
• Potential lack of decentralization: Decision-making and spending controlled by a relatively small group of curators
• No external audit of PAL itself: While PAL funds audits, there’s no independent review of how PAL manages treasury money
• Audit dependency risk: Projects may come to rely too heavily on PAL instead of budgeting for their own audits
⸻
🎯 Conclusion:
The PAL proposal seeks to extend a critical, proven security framework for the Polkadot ecosystem. It offers ecosystem-wide protection, improved tooling, and proactive security for builders and users alike—yet its large cost and governance structure may prompt scrutiny.