Fuse Stable Swap Bug Bounty + Reward Program

Summary

I am requesting FUSE funds to incentivize community participation in a newly developed StableSwap pool on Fuse. The funds will be used to:

  • Reward liquidity providers for the DAI<>USDC<>USDT pool on Fuse
  • Pay out bug bounties for any security vulnerabilities discovered within the StableSwap pool(s).

The final deliverable will be a pool deployer, trade router, and web interface for users to interact with the pool. Fuse Stable Swap is intended to become a public good for the Fuse ecosystem, so once it is finalized, a plan will be devised to hand over possession of the codebase to FuseFi, with the end goal being integration with the FuseFi app.

Rationale

StableSwap pools are a common DeFi primitive popularized by Curve.Finance. They allow for efficient swaps between assets which should track the same value, such as DAI and USDC, which are both worth roughly 1 USD. Currently the only decentralized swapping mechanism on Fuse is FuseSwap. By implementing StableSwap, Fuse users can achieve better rates in swaps between different stablecoins, and LP providers can get returns with lower risk of impermanent loss.

As the usage of bridges across chains grows, as well as the invention of new DeFi primitives such as interest-bearing tokens or staking tokens, we will see increased need to swap between assets of similar kind. For example, it may be useful to swap between Bridge A’s version of USDC and Bridge B’s version of USDC, or perhaps to Ola Finance’s interest-bearing oUSDC token.

StableSwap pools are an essential DeFi primitive. At time of writing, Curve.finance has a TVL of over $10 billion USD. This illustrates the popularity of such a primitive, as well as the great risk incurred by creating such a pool. The funds requested here will be devoted towards increasing the security of the StableSwap protocol.

The funds requested here will go towards incentivizing community testing (through use) of the StableSwap implementation on the Fuse network. This will serve to increase awareness to help bootstrap liquidity and network traffic, as well as to incentivize the discovery of any bugs early on.

Objectives

The objective of this grant proposal is to bring attention to the first pool (between DAI, USDC, and USDT) and get users interacting with it. DeFi protocols become more secure as there are more eyes on them. By incentivising users to interact with the pool and report bugs, we can strengthen the protocol before and after it begins managing real funds. Plus, we can increase the value proposition of using FUSE!

Deliverables

  • A pool between DAI, USDC, and USDT already exists. More information can be found here. This pool includes a RainMaker-style rewards disbursement mechanism, so once grant funds are allocated, they can be simply and trustlessly distributed.
  • Documentation! All about how Fuse-StableSwap works
  • A procedure for the community to launch new pools safely and trustlessly
  • A procedure for the community to take over ownership of Fuse Stable Swap for use in FuseFi

Budget:

  • 80,000 FUSE
    • 30,000 FUSE to be distributed over the course of 30 days, proportionally to depositors in the pool.
    • 50,000 FUSE to be reserved as a bug bounty for the StableSwap pools. Bug reports will be assessed on an individual basis. Rewards for bugs are as follows:
      • High severity: 10,000 FUSE - High severity bugs represent a likely or very likely impact to the protocol which may render it completely broken, or may cause severe loss of funds
      • Medium severity: 5,000 FUSE - Medium severity bugs represent unlikely bugs which may have severe impact, or likely bugs with moderate/low impact to protocol usability or user funds.
      • Low severity: 1,000 FUSE - Low severity bugs represent unlikely bugs which may have a low impact on protocol usability or user funds.

Contributors

  • Eric DeCourcy (2+ years Solidity smart contract experience)
  • Alanna Larson (frontend design and JavaScript experience)

Great idea.

I’ve not read widely on these pools yet.

  1. Are liquidity providers exposed to Impermanent Loss and if so, would the 1000 Fuse per day cover that?

  2. Are the bug bounties for finding or fixing the bugs?

  3. Who controls the contracts and what are the risks of exploits etc?

  4. How does the team cover their costs - time to dev, manage, documentation etc.

  5. For each swap, is a fee taken?

Thanks

  1. Are liquidity providers exposed to Impermanent Loss and if so, would the 1000 Fuse per day cover that?

In short, no, there is no impermanent loss with these pools since all assets should have the same value (for example, DAI and USDC are both $1). However, micro-fluctuations in stablecoin prices could create micro-impermanent loss. Also, in the unlikely event a stablecoin loses its value (for example, if DAI crashes to zero) the LPs would likely lose all funds. We sort of have to trust that this won’t happen, and also note that similar risk exists for LPs of a Uniswap-style AMM.

  2. Are the bug bounties for finding or fixing the bugs?

That can be discussed. I’d lean towards finding, since fixes may be vectors to introduce vulnerabilities. WDYT?

  3. Who controls the contracts and what are the risks of exploits etc?

Currently myself, but the plan is to hand over control of the protocol to FuseFi. As the admin, I have the ability to change the following, with the following effects:

  • The swap fee. This will increase users’ fees, which go to LPs. Max swap fee is 1%.
  • The admin fee. This is a portion of the swap fee which does NOT go to LPs, but instead goes to me, or whoever the admin is at the time.
  • The amplification parameter. This affects slippage when trading with the protocol.
  • The withdrawal fee. In later versions I plan to remove this entirely. It’s a vestigial feature. Right now it is 0 and I intend to keep it that way.
  • The LP cap. The cap limits the total number of LP tokens which can be in circulation. It can never be set below the current supply of LP tokens. This is a safety feature which will eventually be set to the max value (0xfff…fff).
  • The “pause”, which shuts off swaps, deposits, and some types of withdrawal. Note that pausing does not affect balanced withdrawals. This is intentional so users can always get their funds out.

  4. How does the team cover their costs - time to dev, manage, documentation etc.

We formerly received some funds in exchange for our work, which will end once we hand off control of the protocol to FuseFi. I’m happy to discuss future engagements, though.

  5. For each swap, is a fee taken?

Yes, it’s extremely low right now. Currently 0.000001%, but I’m planning to raise it to 0.05%.

Thanks for all the questions! Please keep them coming

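Added example, not part of the thread or the project's code: a quote calculator showing how two of the admin-controlled settings listed above, the amplification parameter and the swap fee, change what a trader receives for the same trade, which is why changes to them deserve review. It assumes the pool follows the published Curve StableSwap invariant; the balances, function names and amplification values are constructed for illustration.

```python
"""Fee-adjusted swap quote under the Curve StableSwap invariant.

Assumption: the pool follows the published Curve invariant
  A*n^n*sum(x) + D = A*D*n^n + D^(n+1) / (n^n * prod(x)).
Balances and parameter values below are constructed for illustration.
"""

def get_d(balances, amp):
    """Solve the invariant for D by Newton iteration (balances must be > 0)."""
    n, s = len(balances), sum(balances)
    ann, d = amp * n ** n, s
    for _ in range(255):
        d_p = d
        for x in balances:
            d_p = d_p * d / (x * n)
        d_prev = d
        d = (ann * s + d_p * n) * d / ((ann - 1) * d + (n + 1) * d_p)
        if abs(d - d_prev) <= 1e-12 * d:
            break
    return d

def quote(balances, i, j, dx, amp, fee=0.0):
    """Amount of token j received for dx of token i, after the swap fee."""
    n, d = len(balances), get_d(balances, amp)
    ann = amp * n ** n
    c, s_ = d, 0.0
    for k, x in enumerate(balances):
        if k == j:
            continue
        x = x + dx if k == i else x  # balance of token i after the deposit
        s_ += x
        c = c * d / (x * n)
    c = c * d / (ann * n)
    b = s_ + d / ann
    y = d  # Newton iteration for the new balance of token j
    for _ in range(255):
        y_prev = y
        y = (y * y + c) / (2 * y + b - d)
        if abs(y - y_prev) <= 1e-12 * y:
            break
    return (balances[j] - y) * (1 - fee)

POOL = [1_000_000.0, 1_000_000.0, 1_000_000.0]  # constructed DAI/USDC/USDT balances

if __name__ == "__main__":
    for amp in (1, 100):  # constructed amplification values
        for fee in (0.0, 0.0005, 0.01):  # none, the planned 0.05%, the 1% cap
            print(amp, fee, round(quote(POOL, 0, 1, 100_000, amp, fee), 2))
```
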