[Security] Increasing Gelato’s Security Budget, Bounties and Refunds

Summary:

Last December a critical vulnerability was discovered in one of the smart contracts used on Sorbet Finance. Even though the Gelato team successfully rescued over $27M in users' funds before anything was exploited, this vulnerability still led to around $780k in funds being lost by customers before the release of our post mortem and refund cut-off point.

Gelato should strive to hold itself accountable to the highest security standards in web3. Therefore, to prevent such an event from recurring, I propose to create a security budget which will be used to a) refund those users who lost their funds in the Sorbet Finance vulnerability before the cut-off point, b) pay generous bug bounties to those individuals who helped us secure the $27M and c) allocate a higher security budget for future releases. This future security budget will be used in 2022 to sponsor auditors, conduct bug bounties, incentivize peer reviews and cover other security-related expenses so that situations like these can be prevented in the future.

Requested Budget Breakdown (taking $2.30 per GEL, the closing price on 4 January 2022):

  • Refunds: $780,000.00 (337,662.00 GEL)
  • Bounties: $210,000.00 (91,305.00 GEL)
  • Future Security Budget: $2,000,000.00 (869,566.00 GEL)

Total: 1,298,533.00 GEL (0.62% of current Gelato DAO treasury)

9 Likes

Respective Gelato DAO vote:

https://snapshot.org/#/gelato.eth/proposal/0x463428baf86a600fdc8bec86bd319c2f123dfb84ad0a777169342255ce0a86eb

4 Likes

Voted yes, and I highly suggest all of our community members support it as well.

Kudos to the team and friends for discovering and fixing the vulnerability in such a coordinated and swift manner. The incident is nothing but another reminder of just how critical security issues can be and that our current efforts should be leveled up even more.

4 Likes

Thanks @btt, appreciate the support!