This bounty aims to allocate up to 100,000 DOT for covering bug bounty rewards for Open Runtime Module Library (ORML). ORML is a community-maintained collection of Substrate runtime modules, widely used across the Polkadot/Kusama parachains.

Context of the bounty:

The Open Runtime Module Library is a community-maintained library widely used by parachains across Kusama and Polkadot ecosystems. It’s a set of runtime pallets for commonly used functions that parachains may need. It allows constructing parachains with less time for development and focusing more on unique features. This helps the Kusama/Polkadot ecosystem grow faster.

Vulnerabilities in ORML are a common problem of Kusama/Polkadot community and will affect the whole ecosystem. Acala Foundation is running a bug bounty program that includes the ORML library. We propose to allocate up to 100,000 DOT to cover ORML part of Acala Bug Bounty.

Problem Statement

ORML is a commonly used library across the Kusama/Polkadot ecosystems, vulnerabilities and security issues of this module will likely affect the whole network.

Custody of funds

The main curator is suggested to be a multisig wallet controlled by Acala, Parity and potentially other users of ORML. Those who control the multisig wallet will be able to assess the validity and severity of found vulnerabilities, as well as to check their fixing.

Curator Multisig Candidates (3/5 multisig)

Bryan Chen @ Acala
Bryan is the co-founder & CTO of Acala as well as the initiator and core contributor of ORML. He is also one of the top community contributors to Substrate and Polkadot.

Shaun Wang @ Acala
Shaun is one of the core developers at Acala, and core contributor of ORML. He is also an active contributor to Polkadot, Substrate and Cumulus.

Shawn Tabrizi @ Parity
Shawn is one of the Lead Developers at Parity Technologies working on Substrate, Polkadot, Kusama. He specializes in FRAME, Runtime development, and benchmarking.

Wei Tang @ Parity
Wei is one of the core developers at Parity Technologies. He maintains Frontier, the Ethereum-compatibility layer for Substrate.

Shumo Chu @ Manta
Shumo is a co-founder of manta.network, the privacy layer for Web3 using zkSNARK. He was serving as research scientist at Algorand and assistant professor at UCSB before Manta.

Additional costs

Acala team uses Immunefi as a service for managing bug bounty programs.
Immunefi charges an additional 10% for each reward paid to whitehat. The service gives the next advantages:

• Manages privacy in submitting reports helps ensure that the vulnerability is fixed before being exposed to publicity;
• Immunefi serves as a third trusted party for resolving conflicts in submitting the same vulnerability by different bug bounty hunters;
• Provides secure communication with whitehats;
• Tracking & filtering out irrelevant reports;
• Exposure to a wide set of whitehat hackers.

Cost Estimate

It is not possible to precisely estimate costs, as we don't know how many bugs with what severity can be found. Acala is working hard on finding vulnerabilities ourselves and doing frequent security audits. We propose to allocate rewards that will cover ~1.5 of the most severe bugs; and, if necessary, we can propose another allocation.

Technical Process

Bug bounty rewards for ORML are paid in DOT. Each vulnerability needs separate payment, for which can be created child bounties with reward amount and 10% of Immunefi fee. The child bounty is curated by Immunefi team wallet, with the support and supervision of the on-chain curator, and they manage to pay out to the whitehat and take their commission.

The following consists of the next steps:

• Whitehat submits bug report to Acala via Immunefi;
• The report will be accessed by the Acala team for its validity and specified level of severity;
• The bounty details will be disclosed to the relevant party (e.g. Parity and affected parachain teams);
• After the bug is mitigated, the Acala team will determine the bounty value based on severity along with the curator;
• A child bounty will be created by the curator and funds transferred to pay out whitehat + fee to Immunefi for the work completed.

Measure of Success

Vulnerabilities and security issues of ORML found by whitehat from bug bounty programs are carefully fixed on time.