The Watchdog: Arbitrum DAO's Grant Misuse Bounty Program

Interesting proposal!

As others mentioned, there are some definitions that are too broad, so it would be interesting to have them outlined in the proposal, to act as a guideline to those who will act as the watchdogs, for example.

As we are mentioning incentives programs, SPs, Protocols, grants, “anyone that receives funds”, it is important to have a definition of what misuse of funds represents in each scenario.

Similarly, a list of desired skills for those external parties for each case (grants, incentive programs, etc) is important, as the skill set needed to review a report from a grantee that did not build what was agreed on is different from the one to check if the incentive distribution was done correctly or not.

Lastly, I have a question: I believe it is implied (meaning the answer is “yes”), but is the program to be retroactively applied to all previous programs?

We are pleased with this proposal and are willing to vote in favor, but we have a few questions we would like to clarify:

  • Should the reports follow a specific structure or include key data? We believe it is important to define this clearly to facilitate a faster evaluation process and quickly discard reports that do not meet the criteria.
  • Is it possible to establish a minimum time for reviewing the reports? This would help ensure the process is efficient.
  • We suggest that the community participate in the selection of reviewers. One option could be to create a list of pre-approved reviewers by the community who can step in if there is a conflict of interest with the three main reviewers.
  • It would be helpful to clarify whether it is planned to post on the forum the payments made along with the corresponding reports. Has this been considered?

Hello, first of all, we love this proposal, and we have a particular interest in the following topics:

It’s not entirely clear how the severity levels (low, medium, high) for reported cases will be determined. If possible, it would be helpful to include a more detailed explanation or a rubric specifying the factors considered, such as economic impact, intentionality, or damage to the ecosystem.

How will cases involving unfounded or even malicious reports be handled? For example, could temporary suspensions be implemented for individuals who repeatedly submit reports without sufficient evidence? This could help balance the evaluation team’s workload and encourage responsible reporting.

On the other hand, what would happen in the hypothetical (though unlikely) scenario where an active investigation leads to the case being rectified while the report is still open? In such a situation, we might not know if the rectification resulted directly from the report. Would the whistleblower still be compensated? Additionally, would the parties responsible for the initially flagged case receive a “strike” or some other form of record for the detected non-compliance?

Finally, a broader reflection: How will the “Watchdog” program ensure a healthy balance between vigilance and trust within the ecosystem? The proposal is well-structured, but it seems unlikely to lead to collective hysteria or witch hunts. We wonder if there’s a plan to prevent an excess of speculative reports from negatively impacting the collaborative and creative environment of the community.

To clarify this, Snapshot is updating the shielded voting feature soon, so that it will be possible to specify, per proposal, if the proposal author wants to have shielded voting or not.

This helps our use case quite a bit, since after this is live in production, Arbitrum DAO proposal authors on Snapshot won’t need to coordinate with the AF to enable and disable the shielded vote setting on the space level.

I welcome this proposal because it is a move towards better accountability. However, I believe that the idea of a bounty itself reflects a broader issue which is a lack of a monitoring system for all money granted. If every initiative had clear metrics and continuous oversight, finding misuse of funds would be much more effective before the need for outside bounty hunters. It might be useful to consider a broader mechanism to identify potential misuse early on so that reactive measures as this one become a second line of defense rather than the first.

That being said, and considering the current state of affairs within the DAO, I agree that a bounty system is in order. About the bounty amount, I share the feeling expressed by other delegates that a fixed reward may be disproportionate in the case of small value ARB abuse, such as 4K ARB recovered versus a 5K ARB bounty. In these cases, a better scheme would use a progressive scale or dynamic limit, considering the value of misappropriated funds to maintain the expenses proportional.

The idea of a tiered system may be a base reward for lower levels of misappropriation, scaling upwards with the size or severity of the finding to compensate fairly without overpaying. Another suggestion would be to set an adequate small, fixed payout for any verified report, complemented by a percentage bonus in case of successful fund recovery. These adjustments could keep relative expenses compatible while maintaining healthy incentives for whistleblowing.

I also support the involvement of the Research member and would consider integrating the Risk and Security members from ARDC if deemed necessary and of course, considering the proposal/initiative being analyzed. Their expertise would add weight to the review and help overcome any blind spots in the detection of exploits.

This is an amazing idea. I’m very much in favor. The issue remains, sometimes the price you put on the relationship you have with someone at fault might be higher than the proposed rewards. We should think of a way to allow for anonymous reporting and the ability to still receive rewards. I also agree with the shielded voting idea - I think that would help a lot.

tldr: Amazing idea, but for this idea to really work, we need as much privacy as we can.

Gauntlet supports this initiative and believes an emphasis on reporters’ privacy is appropriate. Further, increasing guidelines for Low, Medium, and High would be ideal for the final iteration of the proposal.

Is there an estimate for how many misuses have been reported and how those might have been rated under this framework? It might be helpful to include some examples to guide the DAO on what a High misuse is compared to a Low misuse.

I think this proposal has the potential to effectively improve the transparency and governance of the DAO, particularly in terms of the use and distribution of funds. However, the success of the proposal hinges on setting reasonable reward standards and reporting mechanisms, as well as ensuring a fair and transparent investigation and decision-making process. If these issues can be effectively addressed, the proposal could bring about positive changes.

Coming a bit late to the discussion, so won’t likely add too much value here compared to the discussion.

This program is needed because I know for a fact that people are “scared” of reporting misuse. There is no incentive in a structure like a DAO to do so; you only create enemies for yourself, more so if you are part of a protocol. So the program is needed, and having a redacted identity for the whistleblower is paramount.

Main concern is that we go into a witch hunt as others said; this can either happen because the general sentiment of the DAO is quite adversarial (which is not right now and I don’t see necessarily happening, but could indeed happen) or because the program is abused by externals.
While the former is a somewhat greater responsibility on the shoulders of everybody in here, the latter could maybe be partially mitigated.

I don’t think we can realistically have “punitive” measures. Even if the whistleblower KYCs with the foundation, what measure can we apply? Ban from DIP? Doesn’t seem to have any effect if the person was not going to participate anyway.
Ban from grant program? Only works if the person has an affiliation with a protocol, and this affiliation is stated beforehand in the KYC, but this info likely cannot be verified without breaching the identity of the user somehow, which is a key part of the program.

It could also be hard to distinguish a fake report from a report that is just wrong in its interpretation: we will have situations with smart contract interactions that are not easy to review, and they could be misunderstood by a reporter in good faith. At the same time, a report in which we have fake/forged evidence can instead be evaluated as malicious.
So this last case is probably the only one that could lead to an exclusion of the individual from

  • the DIP program
  • any role in the DAO
  • any participation in the grant program by protocols that have him as a member.

But what is mentioned above is something extremely serious, punitive and heavy, and again should only be done in case of a clearly blatant fake report aimed at damaging an innocent third party; it would likely need a DAO vote.

All of these are things for which it is difficult to draw a line in the sand; if that was possible we would just outsource the judiciary system of the world to computers instead of to people. I trust the committee, Entropy and the Foundation to have the best interest of the DAO in mind and to do the right thing, paired with their experience. On this note, plugging in people that understand incentive mechanisms can be a +ve to facilitate the work, and that’s why ARDC members are a good choice, since most of them to some degree had a role, or judged, or created reports, on previous grant programs that we had in the DAO.

In general I also second the better classification of low/medium/high. I think it could be structured with a few key metrics, specifically: amount of capital impacted, and how the funds are misused. Misusing funds can be a lot of things: having capital that should have been allocated to development, and is instead used in marketing, is a misuse, but likely less severe than wash trading from the protocol to get the funds for example.
A simple matrix of the amount of money, plus subcases on the type of misuse consequences, could help, knowing that in the end not all cases can be put on paper and it will be more of an indication than anything, and will have to be upgraded over time.

As a final note, I think it is fine to have the program fall into the OpCo at a later date; BTW in the OpCo I see the program running in the same fashion, with the OpCo potentially replacing Entropy or the Foundation in the committee. I don’t think we can exclude ARDC: again, to evaluate certain interactions in smart contracts to draw a judgment, we will need technical expertise that might just not be in the OpCo itself.

Thanks @Entropy for the proposal

EDIT
Have a question. Knowing that the KYC part could potentially scare some whistleblowers, is there a way, from a compliance standpoint, to have this program created without KYC? Not a lawyer here, maybe the Foundation can answer, but in the end we take for granted that “everybody that interacts with money flowing from the DAO has to KYC” and maybe there is a ground for not doing it here?

For example, there could be a ground for a whistleblower being non-KYCed if they don’t want a reward. This case should be taken into account in the program.

Good initiative, thanks for the detailed proposal.

I have a few questions.

As far as I know, ARDC has its own budget. Why don’t we use it for this program? The committee will choose who will participate in the audit and pay them compensation from its budget. This will also reduce the time for choosing a committee member for audits.

If the grants are expressed in ARB, will we pay bounties in stables? After all, the base reward is paid in ARB.

The proposal is quite good and whistleblowing ensures in every organization a better level of transparency and accountability. Good job!

This seems important to me. Most will be driven by $$ motivations, but there will be people who will just want to make sure that something is addressed and reported, without compensation, and we should make the process smooth for them.

Great proposal @Entropy! I think it’s a big step towards greater transparency and accountability with funds.

In my opinion, it is crucial that the selection of reviewers is completely transparent to avoid any favoritism. It would be great to consider creating something like a rotating committee of reviewers to avoid internal conflicts of interest, and also establish clear sanctions for those reviewers who do not act objectively and ethically.

Another thing I wonder is what measures will be taken to ensure that reports of misuse are not leaked before being verified? I would love to see a detailed plan with possible scenarios; I think this would improve the proposal and increase the community’s trust. Additionally, it would be convenient to study the option of allowing observers to choose to submit the report anonymously or publicly.

Good proposal. Will the RFP be a public process or conducted behind closed doors by Entropy? From the proposal this wasn’t very clear.

I would likely set up a mechanism to review the bounty amounts before exhibition of funds. Maybe the watchers can evaluate this quarterly and get ratification via quorum-meeting Snapshot vote?

I also understand that ARDC would only get funds for an audit/investigation and otherwise no? This would be my preference anyway as it seems unnecessary to have them be paid for this unless an audit they’re needed for is triggered.

Thank you to all the delegates who have provided feedback! There have been several great suggestions and areas identified as needing clarification. Both a response to questions and an updated version of the proposal will be posted this week. The Snapshot vote will be delayed by 1 week to January 16th.

This proposal is a great step forward for accountability in the DAO. With so many funds allocated, it’s important to have a system in place to ensure they’re used properly and to build trust within the community.

One thing that could make this even better is a clear report template. It would help people provide all the necessary details, like fund amounts, evidence, and the impact of the misuse, making the review process much smoother.

Another key point is anonymity. People need to feel safe when reporting issues, and keeping their identities private is crucial for that. Without this, many might hesitate to come forward.

It’s also important to recognize that not all misuse is the same. Defining levels of severity—like minor errors versus intentional fraud—would make the program fairer and more effective, with appropriate actions for each case.

This initiative feels like a big win for transparency and accountability. It’s a thoughtful approach to maintaining trust and integrity in the DAO, and I’m excited to see it come to life!

Thank you, @Entropy, for sharing such a forward-thinking and impactful proposal. Programs like these are crucial in enhancing transparency and accountability within decentralized ecosystems. Overall, we’re very supportive of this proposal and the positive outcomes it seeks to achieve.

We see this initiative as a novel adaptation of bug bounty programs, shifting the focus from technical vulnerabilities to non-technical issues such as fund misuse. Given bug bounty programs’ success and widespread adoption in the technical space, we suggest closely following a similar framework. Bug bounty programs have been battle-tested over time and provide valuable lessons in structuring rewards, categorizing severity, and ensuring due process.

Here are a few specific suggestions for consideration:

  1. To improve clarity and ensure fairness, each severity category (low, medium, high) should include a list of misuse scenarios or some concrete examples that would fall into each category. This will help community members and the review committee make consistent assessments.
  2. We suggest providing grant or incentive recipients the chance to remedy the issue if it falls into the “low” or “medium” severity categories. This approach ensures that unintentional or minor oversights can be addressed constructively. Recipients should face stricter consequences for more serious issues, such as those in the “high” category. A temporary ban (e.g., 6-12 months) from receiving additional grants or incentives could act as a deterrent while leaving room for future participation once trust is restored.

Incorporating the above points can help balance enforcement with fairness, aligning the program’s execution with the collaborative and open values of the DAO.

Thank you for the proposal, @Entropy. It is a good step toward ensuring that DAO grants are utilized as intended.

The only question we have is regarding the classification for Low, Medium, and High levels of misuse. Is this tied to how the funds were inappropriately used, the amount of funds misused, or a mix of both? We would recommend a mix of the type of inappropriate usage (which is subject to the committee’s review) and the amount of funds that have been misappropriated for use outside of the awarded grant’s allowed use.

That’s our feedback now and we are in favour of this proposal.