[SIP] Community bounty pool

Abstract

Since 2022 Superfluid Finance UK has set up Immunefi bounties for the Superfluid protocol, offering up to $200K for critical discoveries. Now that the SUP community governs the protocol, it should establish a new bounty program with a larger reward pool for better visibility.

The pooled capital, likely in USDC, should earn an on-chain yield on a money market such as Aave to compensate for the opportunity cost. The SUP campaign could also distribute more SUP to the bounty pool’s contributors.

This SIP is a Request for Proposals (RFP) from bounty platform providers. Respondents should submit proposals detailing their bounty structure and fund management. The DAO will review and vote on the best proposal.

Type

Non-Constitutional (Community-Led Initiative)

Motivation & Rationale

  1. Allow the DAO to select the best bounty platform provider through a transparent process
  2. Ensure the bounty program attracts top security researchers
  3. Optimize capital efficiency by allowing bounty funds to generate yield while awaiting claims

Key Terms

  • Minimum participation lot: 10 USDC.
  • Locked period: 24 months.
  • Selected Bounty Program: Rewards for identifying and reporting protocol vulnerabilities.
  • On-Chain Yield: Earnings from funds deposited in DeFi lending protocols.

Proposal Specifications

  1. Scope

    1. Bounty Program: see the system view below.
    2. Yield Strategy for the bounty pool: Using Aave, see the system view below.
    3. Listing on Platforms
  2. Cost Estimate: per the system view below, these need to be contracted:

    1. Smart contract implementation: bounty pool manager
    2. Stack point system integration of the smart contract

    Estimated total cost: to be implemented by the foundation staff engineers, no extra cost to the community.

  3. Experience: Relevant case studies and team background

  4. Execution Timeline:

    1. By the end of May: technical readiness, smart contract, and stack point integration.
    2. Including this in campaign season 2 depends on the season 2 voting timeline.

Bounty Program System View

Steps to Implement

  1. RFP issuance (17 March)
  2. Proposal submissions, feedback, fine-tuning (2 weeks + 2 week extension: by 14 April)
  3. DAO vote on a shortlist of the proposals submitted (2 weeks: by 28 April)
  4. Execution: contract the selected provider and initiate work (2 weeks: by 12 May)
  5. Bounty program live (ongoing)

Overall Cost

  • Bounty Pool: USDC allocation TBD
  • Yield Strategy Costs: Fees for DeFi protocol TBD
  • Administrative Costs: TBD
23 Likes
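As an added illustration of the Key Terms and of the "bounty pool manager" contract listed under Cost Estimate, here is a Solidity sketch written for this edit; it is not the foundation's implementation, which is not on the page. It enforces the 10 USDC minimum lot and the 24-month lock, supplies contributions to Aave v3 (`supply`/`withdraw` on the Pool), and lets a DAO address pay bounties from the pooled balance. The pro-rata share accounting, the aUSDC address, the single DAO payer role and the restart of the lock on each new contribution are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface and the two Aave v3 Pool calls this example relies on.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

interface IPool {
    function supply(address asset, uint256 amount, address onBehalfOf, uint16 referralCode) external;
    function withdraw(address asset, uint256 amount, address to) external returns (uint256);
}

/// Hypothetical bounty pool: USDC contributions are supplied to Aave, contributors get
/// pro-rata shares, the DAO pays bounties from the pooled balance (principal plus yield),
/// and each contributor's shares stay locked for 24 months after their latest deposit.
contract BountyPoolManager {
    uint256 public constant MIN_LOT = 10e6;          // 10 USDC (USDC uses 6 decimals)
    uint256 public constant LOCK_PERIOD = 730 days;  // 24 months
    IERC20 public immutable usdc;
    IERC20 public immutable aUsdc;   // interest-bearing aToken Aave mints to this contract
    IPool  public immutable aave;
    address public immutable dao;    // governance address allowed to pay bounties

    struct Position { uint256 shares; uint256 unlockTime; }
    mapping(address => Position) public positions;
    uint256 public totalShares;

    modifier onlyDAO() { require(msg.sender == dao, "not DAO"); _; }

    constructor(IERC20 _usdc, IERC20 _aUsdc, IPool _aave, address _dao) {
        usdc = _usdc; aUsdc = _aUsdc; aave = _aave; dao = _dao;
    }

    /// USDC the pool controls: the aToken balance grows as Aave interest accrues.
    function totalAssets() public view returns (uint256) { return aUsdc.balanceOf(address(this)); }

    function contribute(uint256 amount) external {
        require(amount >= MIN_LOT, "below 10 USDC minimum lot");
        // Price shares against the balance before this deposit so earlier yield and earlier
        // payouts stay with existing holders; a fully paid-out pool needs a fresh deployment.
        uint256 assetsBefore = totalAssets();
        require(totalShares == 0 || assetsBefore > 0, "pool drained");
        uint256 shares = totalShares == 0 ? amount : amount * totalShares / assetsBefore;
        require(shares > 0, "zero shares");
        require(usdc.transferFrom(msg.sender, address(this), amount), "transfer failed");
        usdc.approve(address(aave), amount);
        aave.supply(address(usdc), amount, address(this), 0);
        Position storage p = positions[msg.sender];
        p.shares += shares;
        p.unlockTime = block.timestamp + LOCK_PERIOD;  // lock restarts on each contribution
        totalShares += shares;
    }

    /// Governance pays a validated report straight from Aave to the whitehat.
    function payBounty(address whitehat, uint256 amount) external onlyDAO {
        require(amount <= totalAssets(), "exceeds pool balance");
        aave.withdraw(address(usdc), amount, whitehat);
    }

    /// After the lock, redeem shares for a pro-rata slice of whatever remains.
    function withdraw(uint256 shares) external {
        Position storage p = positions[msg.sender];
        require(block.timestamp >= p.unlockTime, "still locked");
        require(shares > 0 && shares <= p.shares, "bad share amount");
        uint256 amount = shares * totalAssets() / totalShares;
        p.shares -= shares;   // update state before the external call
        totalShares -= shares;
        aave.withdraw(address(usdc), amount, msg.sender);
    }
}
```

The share pricing is the standard vault pattern and inherits its first-depositor inflation risk (aUSDC donated directly to the contract skews the price), so a production version would seed the pool or use virtual shares, and bounty payouts reduce every contributor's redeemable principal pro rata.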

Hello Superfluid community,

We’re thrilled to introduce Sherlock as a candidate to become Superfluid’s trusted security partner. At Sherlock, we specialize in providing top-tier security solutions for Web3 projects like Superfluid, and we’re proud to have already conducted an audit contest for Superfluid in the past. Building on that foundation, we’re excited to take the next step in strengthening our relationship by designing and hosting a bug bounty program for Superfluid.

Introduction to Sherlock

Sherlock is a leading security company dedicated to safeguarding Web3 through its revolutionary audit contests, where the world’s top security researchers compete to identify vulnerabilities in users’ code bases. Our unique approach combines the meticulous focus and collaboration of traditional audits with the extensive participation of security experts from our audit contests, creating a “best of both worlds” solution.

Our extensive experience and proven success are highlighted by:

  • Over 250 audits completed with a 98% success rate of finding at least a Medium-severity vulnerability.
  • Over $2.0mm awarded to Sherlock to manage multiple security grant programs by some of the largest protocols.
  • One of the largest audit contests in history for MakerDAO with a value of $1.4mm.
  • Multiple case studies highlighting the effectiveness and efficiency of our services:
    • Tokemak Case Study
    • Index Coop Case Study
    • Ajna Finance Case Study
    • Perennial Case Study

Sherlock’s consistent track record of exceeding expectations has fueled high demand for our audits, supported by the number of projects that return for a second audit after their initial success. This list includes:

Optimism, GMX, Ajna, LooksRare, Gitcoin, Index Coop, Rio Network, Opyn, Notional, OlympusDAO, Lyra, Perennial, Sentiment, Symmetrical, BOND Protocol, Merit Circle, DODO, JOJO, NounsDAO, Footium, Illuminate, Union Finance, Unstoppable/Alchemix, WAGMI, Blueberry, Telcoin, Cooler, Teller, Sense and many others.

What We Do

Sherlock offers two clear services that align with Superfluid’s needs:

Bug Bounty

At Sherlock, our bug bounty service is designed to provide Superfluid with ongoing, proactive protection by leveraging a global network of over 10,000 security researchers, including our elite Blackthorn auditors.

Unlike other bug bounty programs, which require a huge time commitment from the team, Sherlock has designed this program with some unique features to make it simple, straightforward, and easy for the team to manage.

Here’s how it works, why it stands out, and how it’s uniquely positioned to elevate Superfluid’s long-term security.

How it Works

Our post-launch bug bounty program is a continuous security solution tailored to Superfluid’s needs, running alongside your development lifecycle. After our past audit of your protocol, we’re excited to take the next step by designing and hosting a bug bounty program with these key features:

  • Expert Triaging: Unlike other platforms, where a critical bug submission might leave you waiting weeks to confirm its validity, Sherlock’s expertise allows us to triage issues immediately. With our prior audit of Superfluid, and our proprietary dataset on thousands of security researchers, we know your codebase and can tap the exact researchers who understand it best to validate submissions fast, delivering detailed feedback on validity and potential fixes.
  • Spam Reduction: Every submission requires a $250 deposit from researchers, which filters out low-quality reports. That deposit funds our auditors to jump in, triage the issue, and provide actionable insights - ensuring you’re not bogged down by noise.
  • Maximum Visibility: Unlike platforms hosting hundreds of programs, Sherlock offers Superfluid standout exposure. A $200k critical payout would land Superfluid on the first page of our hosted bounties, and with 10,000+ researchers already signed up, we’ll promote your program directly to them - getting massive eyes on your code from day one. Plus, we can amplify this with co-marketing and promotional activities.
  • Simplicity and Ease of Use: Our proprietary dashboard makes managing the program effortless—Superfluid’s team can add or change the covered scope with just a few clicks. We’ve designed it this way to minimize the time commitment required, so your team can focus on building rather than maintaining the program.
  • Flexible Scope and Rewards: We collaborate with Superfluid to define the in-scope contracts (e.g., core streaming logic, token integrations) and set payout tiers based on vulnerability severity - Critical, High, Medium, or Low. Rewards can range up to the $100,000s for critical bugs, ensuring serious issues get serious attention.
  • Transparent Reporting: Every valid submission is documented and shared (with your approval), giving delegates and the community full visibility into resolved threats and reinforcing trust in the protocol.

Design

Sherlock will work closely with Superfluid to design a custom program tailored to Superfluid’s specific needs. Through a collaborative process, we’ll define the scope of the program, severity classifications (Critical, High, Medium, Low) and clear rules that align with Superfluid’s goals. Our proprietary dashboard makes this effortless: with just a few clicks, the team can adjust the scope or rules as needed, ensuring flexibility as your protocol evolves.

Timeline

Setting up a bug bounty program with Sherlock is fast and straightforward - it can be fully operational in a single day. We’re ready to adapt to your schedule and can begin whenever Superfluid is prepared to take this step. Whether you want to launch immediately or plan for a specific date, our team is flexible and equipped to get the program up and running quickly, providing instant access to our global network of security researchers and ensuring your protocol benefits from enhanced protection right away.

Audit Contest

Sherlock’s audit contests are distinguished by their quality and comprehensive nature. Our proprietary “best of both worlds” approach combines the focus, collaboration, and assurance of a traditional audit with the extensive participation of security experts from an audit contest. This method has proven significantly more effective in identifying vulnerabilities quickly and thoroughly compared to traditional audits.

Our unique leaderboard system, based on performance rather than participation, ensures only the most skilled auditors rise to the top. Using an ELO-style ranking system (commonly used in chess and other competitive sports), auditors must consistently outperform their peers to advance. This system incentivizes maximum effort and results in exceptional audit outcomes.

Each Sherlock contest includes at least one Lead Senior Watson (a professional security researcher in the Top 30 on the leaderboard) and multiple Watsons from the Top 150, selected based on their leaderboard position and relevant experience with similar protocols. This ensures that every contest has expert auditors reviewing the codebase, consulting with the protocol team, and conducting a complimentary half-day fix review. The Lead Senior Watson earns fixed pay and competes for the entire prize pool, further aligning incentives.

The talents of this one individual are enhanced by competing against an unlimited number of independent security experts / teams striving to win a greater portion of the prize pool. The Senior Watson only keeps their “senior” status as long as they outperform the other auditors in the field, pushing them to give maximum effort.

Benefits of Sherlock Audit Contests

  • Each contest has an assigned Lead Senior Watson who is heavily incentivized (through fixed pay and an ELO-style ranking system) to find as many bugs as possible over the entire length of the audit.
  • A significant contest prize pool attracts anywhere from 200-400 independent auditors who get paid based on the severity of their findings. Sherlock specifically rewards only High and Medium severity threats.
  • The Lead Senior Watson comes back to help the protocol team with fixes (provides a half-day complimentary fix review).
  • Sherlock’s decentralized judging process takes hundreds of raw, duplicate issues and turns them into a digestible report, saving the protocol team days of work and reducing the possibility of overlooked vulnerabilities.
  • Sherlock charges the lowest fees in the industry. 80% of what you pay to Sherlock goes directly to security experts.
  • Sherlock is the only auditor to offer exploit and/or bug bounty coverage after the audit is conducted (once the fix review is finished), ensuring that Sherlock’s incentives are aligned in shipping the most secure protocol possible.

How Superfluid Benefits

Partnering with Sherlock would bring tangible advantages to Superfluid:

  • Enhanced Security: A thorough audit will harden your core smart contracts against exploits, while an ongoing bug bounty program ensures long-term resilience as new features roll out.
  • Increased Trust: Publicly verifiable audit reports and a robust bounty program signal to users and developers that Superfluid prioritizes security, boosting adoption and confidence.
  • Cost Efficiency: By catching vulnerabilities early through audits and incentivizing white-hats, we minimize the risk of costly hacks - protecting both funds and reputation.

Next Steps

We’d love to kick things off with a discussion to scope an initial audit of Superfluid’s smart contracts and design a bug bounty program that complements your existing efforts.

Thank you - we’re eager to hear your feedback and answer any questions.

9 Likes

Dear Superfluid DAO,

We are excited to present this proposal to integrate Immunefi’s security solutions into Superfluid’s ecosystem. Immunefi is the leading crowdsourced security platform in Web3, working with top-tier projects such as Arbitrum, LayerZero, MakerDAO, and Wormhole to protect over $150 billion in user funds. Through Audit Competitions, Bug Bounty Programs, and Managed Triage services, Superfluid can strengthen its security posture, proactively mitigate risks, and engage with the best security researchers in the industry.

Additionally, we’re thrilled to offer Superfluid DAO early access to Magnus, Immunefi’s all-in-one SecOps command center. Magnus integrates AI-powered threat detection, real-time monitoring, and automated security workflows, setting a new standard for on-chain security.

Link to Superfluid DAO Proposal and a sneak peek at Magnus

We’re excited for the community’s feedback and the opportunity to help secure Superfluid’s future.

6 Likes

Hello @hellwolf! We have two replies right now.

Is this step going to happen, or can we assume we will use this thread as is?

2 Likes

Hi @jameskbh!

We will use this thread. So far 2 proposals have been received (in the thread above) in response to the RFP.

3 Likes

Hello, thanks for your comment.

I see that it is missing some items to be an effective proposal, like the ones below:

Which other information do you guys need for the scope defined? (The community bounty pool).

1 Like

Hello! Thanks for your proposal!

It seems to me that the vault you guys offer is not yield bearing. Is that the case?

3 Likes

Hey @jameskbh,

Thanks for reviewing the proposal! Yes, that is correct. At the moment we do not have yield for the vaults; however, we do plan to enable it in the future. Currently projects with funded Vaults have the following benefits:

  • Superfluid’s funded Vaults will be prominently featured on Immunefi’s Explore page, increasing researcher engagement. To maximize trust, we recommend funding at least 5x the low-severity bounty value, ensuring ample coverage for potential discoveries.
  • Superfluid no longer needs to cross-verify wallet addresses with whitehats, streamlining security rewards. Bounties are processed in a single on-chain transaction, guaranteeing fast, secure, and automated disbursements.

3 Likes

Thanks to all who have submitted proposals and engaged with this RFP.

The initial timeline of this proposal had planned for submissions and feedback (step 2 above) to complete 2 weeks after 17 April, which is today, before moving on to the DAO vote (step 3).

From the discussion above, would a 2 week extension to the feedback stage be helpful to clarify details?

Also, as the DAO voting process is currently being tested, this time extension would make it possible for this to be the DAO’s first live vote on Snapshot.

3 Likes

I think a 2 week extension would be helpful, allowing us to fine tune our proposal with whatever details the community needs.

3 Likes

Proposal text has been updated with additional details of specification.

3 Likes

As the person who is responsible for the current bounty program from Superfluid Finance LTD, here are the factors I consider worth considering about the community bounty pool program:

  1. “Foot traffic/bounty size:” With the same bounty size pool, the higher on the list, visible to the whitehats, the better.
  2. “Familiarity with Superfluid:” The Superfluid protocol is a unique and upcoming token standard compatible with ERC20; it is feature-rich and comes with many unique features in the Ethereum space. As a result, having white hats who are already familiar with the framework, e.g., through a prior auditing process, enhances the chances of them catching bugs.
  3. “Low maintenance and efficient workflow:” The Superfluid protocol has a lean but well-trained staff engineering team for building and maintaining the ecosystem. At this stage, we don’t have a dedicated security person. We expect the bounty pool management to be largely hands-off, and the workflow to manage incoming bug reports or amend the bounty scope should be streamlined.

3 Likes

Thank you @hellwolf, for the context. Here’s how we plan to address the key factors above.


Foot Traffic / Bounty Size

To maximize visibility and attract elite whitehats, Superfluid can utilize Vaults on Immunefi. Vaults give a powerful visibility boost: funded programs are algorithmically prioritized on the Explore page, meaning more eyeballs on Superfluid without needing to increase the bounty pool.

Beyond visibility, Vaults also streamline the operational side of things:

  • Enable single-click payouts directly on-chain.
  • Eliminate the need to manually verify wallet addresses with researchers.
  • Reduce administrative overhead significantly.

As a best practice, we recommend funding the Vault with at least 5× your low severity bounty to enable smooth and fast payouts.


Familiarity with Superfluid

Superfluid’s unique token standard and advanced streaming architecture benefit from researchers already familiar with the protocol. Our proprietary HackerSync algorithm ensures just that. By analyzing 30,000+ past reports from 500+ programs, HackerSync matches your program with researchers best aligned with your tech stack, ecosystem, and product type.

This:

  • Enhances the likelihood of critical vulnerabilities being caught.
  • Reduces noise from less relevant submissions.
  • Saves your team’s time while improving security outcomes.

Your program can also be tailored with privacy and operational controls including:

  • KYC requirements
  • Asset visibility restrictions
  • Custom disclosure preferences

Low Maintenance & Efficient Workflow

We recognize Superfluid’s lean engineering structure, and we’re expanding Managed Triage options to give your team flexibility and peace of mind.

Immunefi’s triage tiers are built to save time, improve accuracy, and ensure smooth vulnerability resolution.

Baseline Triage Features:

  • 24/7 monitoring of all submissions
  • 12-hour SLA for smart contract issues; 24 hours for frontend
  • Spam and invalid submissions are filtered out
  • Reports are severity-checked and delivered quarterly with full metrics

Advanced Triage Options (Optional):

  • Full technical reviews of each valid bug
  • Impact assessments and direct collaboration with whitehats
  • Immediate escalation for potentially catastrophic issues

Each tier comes with a dedicated triager and relationship manager integrated directly into your ops pipeline. From onboarding to scaling your program, they’ll be there every step of the way as an extension of your team.

More on Managed Triage


Mitigation Reviews

Beyond the listed offerings (Audit Competition, Bug Bounty Program and early access to Magnus), Immunefi provides Mitigation Reviews ensuring Superfluid’s fixes are both effective and secure. This review includes:

  • Deep technical analysis of the patch
  • Identification of any bypass vectors, regressions, or incomplete fixes
  • A formal technical sign-off before disclosure or further code changes

This final review phase ensures that every vulnerability reported is not just acknowledged—but fully and securely resolved.


We’re excited to work closely with the Superfluid DAO on these next steps. If you’d like, we can walk through triage tiers in more depth or suggest a bounty setup tailored to your goals.

Looking forward to your thoughts!

4 Likes

Thanks so much for this feedback and context @hellwolf.

We’ve edited our original post to add a bit more context on the design and timeline of our process, but we’re open to any questions the community might have.

We also agree wholeheartedly with the factors you believe are worth considering, and believe Sherlock is extremely well positioned to satisfy each of those factors:

“Foot traffic/bounty size:” With the same bounty size pool, the higher on the list, visible to the whitehats, the better.

As mentioned in our proposal, Sherlock offers Superfluid standout exposure. A $200k critical payout would land Superfluid on the first page of Sherlock’s hosted bounties. By contrast, the same $200k critical payout would put Superfluid at the 125th position on Immunefi’s bug bounty page - meaning just to discover that Superfluid’s bug bounty exists would require a bounty hunter to scroll past 124 other programs.

Along with being on the very first page of Sherlock’s hosted bounties, Sherlock has over 10,000 security researchers signed up on our platform; we can promote your program directly to this group of highly motivated and well-prepared researchers, offering a huge amount of professional eyes on the code immediately.

Lastly, we can amplify your program with strong co-marketing and promotional activities.

“Familiarity with Superfluid:” The Superfluid protocol is a unique and upcoming token standard compatible with ERC20; it is feature-rich and comes with many unique features in the Ethereum space. As a result, having white hats who are already familiar with the framework, e.g., through a prior auditing process, enhances the chances of them catching bugs.

Again, we think Sherlock is best positioned here. We have deep expertise in the Superfluid protocol, having conducted a comprehensive audit of the protocol within the last six months. This recent engagement gives us unparalleled familiarity with Superfluid’s unique token standard and its feature-rich architecture within the Ethereum ecosystem. Our white hat auditors, leveraging insights from this audit, are exceptionally well-positioned to identify potential vulnerabilities and ensure robust security, aligning perfectly with the needs outlined in your RFP.

“Low maintenance and efficient workflow:” The Superfluid protocol has a lean but well-trained staff engineering team for building and maintaining the ecosystem. At this stage, we don’t have a dedicated security person. We expect the bounty pool management to be largely hands-off, and the workflow to manage incoming bug reports or amend the bounty scope should be streamlined.

Sherlock is extremely well suited to meet this requirement. We designed our bug bounty from the ground up to be easy-to-use and to reduce the time commitment required by the protocol team. Here are a few characteristics specific to Sherlock’s bug bounties that make it extremely simple and low-effort for Superfluid to manage:

  1. Our proprietary dashboard lets your team effortlessly manage the program, updating the bounty scope with just a few clicks to minimize time spent.
  2. A $250 deposit per submission filters out low-quality reports, substantially reducing spam while simultaneously funding our auditors to triage issues FOR you and keep your team free from noise.
  3. Backed by our recent Superfluid audit and a dataset of thousands of researchers, our experts immediately validate submissions, providing fast, actionable feedback tailored to your codebase.

Superfluid will also have a dedicated point of contact from our operations team to handle any inquiries and help coordinate the onboarding and ongoing management of your program.

We’re looking forward to continuing to work together to help secure Superfluid. We’re open to any questions the team or community might have!

5 Likes

Thanks @Sruthi-Immunefi and @Sherlock for proposals and the clarifications.

These will be put to a vote next week pending feedback on the process by the ProtoDAO (more on that here).

I will post an update here next week. Wishing you all a good Easter holiday.

2 Likes