This bounty aims to allocate up to 100,000 DOT to cover bug bounty rewards for the Open Runtime Module Library (ORML). ORML is a community-maintained collection of Substrate runtime modules, widely used across the Polkadot/Kusama parachains.
The Open Runtime Module Library is a community-maintained library widely used by parachains across the Kusama and Polkadot ecosystems. It is a set of runtime pallets implementing commonly needed functionality, so that teams can build parachains with less development time and focus more on their unique features. This helps the Kusama/Polkadot ecosystem grow faster.
Vulnerabilities in ORML are a shared problem for the Kusama/Polkadot community and will affect the whole ecosystem. Acala Foundation is running a bug bounty program that includes the ORML library. We propose to allocate up to 100,000 DOT to cover the ORML part of the Acala Bug Bounty.
Because ORML is used widely across the Kusama/Polkadot ecosystems, vulnerabilities and security issues in this library will likely affect the whole network.
The main curator is proposed to be a multisig wallet controlled by Acala, Parity and potentially other users of ORML. Those who control the multisig wallet will be able to assess the validity and severity of reported vulnerabilities, as well as to verify that they have been fixed.
Bryan Chen @ Acala
Bryan is the co-founder & CTO of Acala as well as the initiator and core contributor of ORML. He is also one of the top community contributors to Substrate and Polkadot.
Shaun Wang @ Acala
Shaun is one of the core developers at Acala, and core contributor of ORML. He is also an active contributor to Polkadot, Substrate and Cumulus.
Shawn Tabrizi @ Parity
Shawn is one of the Lead Developers at Parity Technologies, working on Substrate, Polkadot and Kusama. He specializes in FRAME, runtime development, and benchmarking.
Wei Tang @ Parity
Wei is one of the core developers at Parity Technologies. He maintains Frontier, the Ethereum-compatibility layer for Substrate.
Shumo Chu @ Manta
Shumo is a co-founder of manta.network, the privacy layer for Web3 using zkSNARKs. Before Manta, he served as a research scientist at Algorand and an assistant professor at UCSB.
The Acala team uses Immunefi as a service for managing bug bounty programs.
Immunefi charges an additional 10% on each reward paid to a whitehat. The service offers the following advantages:
It is not possible to estimate costs precisely, since we do not know how many bugs will be found or of what severity. Acala is working hard to find vulnerabilities itself and runs frequent security audits. We propose to allocate rewards that will cover ~1.5 of the most severe bugs; if necessary, we can propose another allocation.
Bug bounty rewards for ORML are paid in DOT. Each vulnerability requires a separate payment, for which a child bounty can be created with the reward amount plus the 10% Immunefi fee. The child bounty is curated by the Immunefi team wallet, with the support and supervision of the on-chain curator; Immunefi handles the payout to the whitehat and takes its commission.
The process consists of the following steps:
Vulnerabilities and security issues in ORML reported by whitehats through the bug bounty program are carefully fixed on time.