Bounty Top Up: Polkadot Assurance Legion

15BE...ZLto

Big Spender

3d ago

Deciding

Content

AI Summary

Date: June 30, 2025

Proposer: Polkadot Assurance Legion (PAL) Curators

Requested Amount: 500,000 DOT

Beneficiary: Polkadot Assurance Legion (PAL) Bounty #22

Short Description: This proposal is the first bounty top-up for the Polkadot Assurance Legion (bounty #22), requesting 500,000 DOT. These funds will enable PAL to continue its crucial work in enhancing the security of the Polkadot ecosystem. The current mandate of PAL includes the partial audit funding for Runtimes and smart contracts (both Rust and Solidity), the development of security tooling, common-good security initiatives, and partial reimbursements for bug bounty payouts.

1. Introduction & Background

The Polkadot Assurance Legion (PAL) is a community-driven initiative dedicated to making Polkadot a safer and more attractive platform for builders and users. By allocating funds from the Polkadot Treasury, PAL supports a range of security-focused activities critical for Polkadot's health and growth. With PAL, Polkadot is the only ecosystem that allocates a portion of its on-chain treasury to enhance the security of the ecosystem, thereby investing in its long-term security, stability, and success.

Since the start of 2024, PAL has co-funded 25 audits, which have helped identify and resolve 133 on-chain vulnerabilities, of which 27 were classified as critical or high-risk. Furthermore, PAL has funded the development of a static-analysis tool and is just about to fund the development of a comprehensive ecosystem monitoring tool.

You can find the funding details in our community reports: Q1 2025, H2 2024, and H1 2024.

Previous PAL OpenGov referenda: #47, #1074.

More info on https://dotpal.io

2. Current funding status

At the time of writing, the balance of the PAL Bounty #22 stands at approximately 177,800 DOT. Here is a breakdown of the spending so far (not including 2025 Q1 as the numbers are not final):

2025 Q2 (final report pending): Total 50,990 DOT (Audits: 32,793 DOT; Tooling: 4,424 DOT; Curator Salaries: 13,773 DOT);
2025 Q1: Total 49,454 DOT (Audits: 19,663 DOT; Tooling: 16,517 DOT; Bug Bounties: 3,304 DOT; Curator Salaries: 9,970 DOT);
2024 H2: Total 112,491 DOT (Audits: 84,262 DOT; Tooling: 10,695 DOT; Curator Salaries: 17,534 DOT);
2024 H1: Total 158,393 DOT (Audits: 154,413 DOT; Curator Fees and Travel: 3980 DOT).

Here is a breakdown of the share of each spending category:

Audits: 78%
Curator Salaries: 12,2%
Tooling: 8.5%
Bug Bounties: 0,9%

3. Top-Up Justification

Considering the past spending behaviour outlined above, and the anticipated future demand for security services, we would like to request a top-up of the PAL bounty with 500,000 DOT.

The funds currently remaining in the bounty provide sufficient albeit limited leeway for the upcoming months. In the next weeks, we will initiate payouts for the development of the ecosystem monitoring tool, which will have a total cost in the range of $200,000 to $250,000 (delivered via milestones of up to $50,000). Besides several ecosystem projects expressing interest in audit co-funding, we expect an uplift in demand due to the launch of EVM smart contracts on Polkadot Hub, which (hopefully) will be audited by their deployers. Furthermore, we would like to continue funding open-source security tools that benefit the Polkadot ecosystem.

According to our knowledge, the requested top-up should allow PAL to continue its operations uninterrupted for at least another 12-18 months (depending on factors such as DOT valuation).

4. Why Fund Security

A well-funded PAL directly contributes to:

Enhanced Security: Funding Audits reduce the risk of exploits and potential loss of funds across the ecosystem.
Increased Developer Confidence: Providing resources for tooling that helps developers build more secure applications.
Greater User Trust: Demonstrating that Polkadot is committed to security, making it a more attractive platform for users.
Ecosystem Growth: A secure environment fosters innovation and encourages broader adoption.
Proactive Risk Mitigation: Supporting the development of tools and initiatives that can prevent future vulnerabilities.

PAL has a proven track record of effective fund management and impactful security contributions. The requested top-up will ensure that this vital work can continue and adapt to the Polkadot network's evolving needs.

We welcome any questions and are committed to continuing to report on the use of these funds in a transparent manner.

Request

500KDOT

Status

Decision28d

Confirmation

Attempts

Tally

73.1%Aye

26.9%Nay

Aye

≈33.77MDOT

Nay

≈12.45MDOT

0.0%
0.0%
Threshold
0.0%

Support

0.48%

≈7.62MDOT

Issuance

≈1.59BDOT

Votes

Nested

Flattened

Actions

Or do delegation here, check wiki.

Call

Metadata

Timeline3

Votes Bubble

Statistics

Comments

1y2q...bmxR

✅ Why vote YES
• Essential security initiative: PAL is the only ecosystem-wide, community-led security program with a dedicated on-chain bounty for audits, tooling, and proactive risk management.
• Strong track record:
• 25 audits funded since 2024
• 133 vulnerabilities uncovered, including 27 high/critical
• Funding already resulted in security tooling, including static analysis and monitoring
• Ecosystem-wide impact: Audits and tools are used across parachains, dApps, and the Polkadot Hub, with increasing demand expected from EVM smart contracts deployment
• Transparent budgeting and reporting: Quarterly and semi-annual community reports are published (Q1 2025, H2 2024, etc.)
• Long-term sustainability: 500,000 DOT would cover 12–18 months of operations (audits, bounties, tools, curator fees), ensuring uninterrupted activity
• Improves trust and adoption: Better security = safer experience for users, more confidence for builders, and more credibility for institutional partners
• Low administrative overhead: Only ~12% of costs go to curators (rest focused on delivery)

⸻

❌ Why vote NO
• High cost: 500,000 DOT (~$1.65M at $3.30/DOT) is a large ask, even if over 12–18 months
• Bug bounty spending remains small: Less than 1% of previous budget went to actual bounty payouts—might raise concerns over practical ROI
• Potential lack of decentralization: Decision-making and spending controlled by a relatively small group of curators
• No external audit of PAL itself: While PAL funds audits, there’s no independent review of how PAL manages treasury money
• Audit dependency risk: Projects may come to rely too heavily on PAL instead of budgeting for their own audits

⸻

🎯 Conclusion:
The PAL proposal seeks to extend a critical, proven security framework for the Polkadot ecosystem. It offers ecosystem-wide protection, improved tooling, and proactive security for builders and users alike—yet its large cost and governance structure may prompt scrutiny.

12mP...Eyoh

PolkaWorld votes AYE

Two-thirds in support, one-third opposed.

Supporters believe that having the Treasury allocate part of its funds to support security audits within the ecosystem is a strategically important move for improving security. With both Polkadot Hub and JAM launching, significant auditing work will be needed—this bounty could play a key role in addressing that need.

Opponents suggested that future funding be requested directly in USDC or USDT, which would improve transparency and tracking of fund usage.

You can view our full feedback here.

16ap...141C

Voted aye from TruthDAO

Edited

13dV...6afh

TruthDAO votes AYE

This is a long-running bounty with a solid reputation. The current request outlines a reasonable plan and demonstrates a strong potential to continue contributing to the ecosystem.

Bifrost has previously used this bounty through PAL for two audit requests, which shows the proposal is highly executable.

Security audits can be a significant expense for early-stage teams, so this proposal plays an important role in attracting new developers to the Polkadot ecosystem.

The budget is also clear and transparent.

You can view our full feedback here!

📖Truth DAO Governance Statement

💭 Contact: Email, Telegram

🗳️ Delegate

Edited

13zn...P5ju

Dear Proposer,

Thank you for your proposal. Our first vote on this proposal is NAY.

The Big Spender track requires 60% quorum according to our voting policy v0.2, and any referendum in which the majority of members vote abstain receives an abstain vote. This proposal has received zero aye and five nay votes from ten available members, with two members abstaining. Below is a summary of our members' comments:

Voters raised concerns about excessive payouts to curators, arguing that fixed monthly fees of $15K–20K were disproportionate given the limited number of projects requiring audits. They suggested that payments should be tied to actual work hours and that quarterly top-ups would be more practical than securing funding for 12–18 months in advance. Some called for more detailed cost breakdowns to ensure that a larger percentage of funds was dedicated to audits rather than curator salaries. While a few abstained out of support for the initiative overall, the prevailing opinion was that the budget was overly generous and inefficient.

The full discussion can be found in our internal voting.

Please feel free to contact us through the links below for further discussion.

Kind regards,
Permanence DAO
Decentralized Voices Cohort IV Delegate

📅 Book Office Hours
💬 Public Telegram
🌐️ Web
🐦 Twitter
🗳️ Delegate

1TtC...Wf2Q

Although security is a priority, the current PAL model has high administrative costs (12.2% allocated to salaries) and dedicates very little budget (0.9%) to direct incentives like bug bounties, which could be more effective in preventing vulnerabilities. Moreover, it’s not clear that the entire burden of audits should fall on the Treasury, as individual projects should also take responsibility for their own security. It’s time to reconsider whether this expenditure is the most efficient way to protect the ecosystem.