Opportunity Issued: Q4 2025 (initial term through H1 2026)
Roadmap State: Now
Term: Initial up to six months · Six-Month Review & Renewal Assessment in Q2 2026
Owner: Foundation (program & treasury) · Security Committee (oversight) · Sidestream (Protocol Engineering & Security Partner)
Funding: SPE
What specific problem does this solve? How does it align with and advance the vision? Why now?
All network value depends on protocol security. The Livepeer protocol secures significant on-chain value that continues to grow as the network expands into real-time AI video inference — but the current security and protocol-engineering model relies on Livepeer Inc and places a heavy load on the Security Committee. That dependency constrains core feature development, slows protocol progress, and concentrates operational risk in a small group of people who already carry too much.
The Protocol R&D SPE resolves this by establishing a professional, continuously staffed function responsible for vulnerability triage, safe upgrade preparation, and shipping additional protocol features — including a reliable public testnet for rigorous validation. It contracts a dedicated Protocol Engineering & Security Partner (Sidestream) under the joint governance of the Livepeer Foundation and the Security Committee.
Why now: Immunefi has historically protected tens of millions in protocol value at $75–100k/year in payouts, but first-response and patch-implementation capacity remain bottlenecked. The SPE turns that bottleneck into a durable, accountable structure as the network decentralises.
What does overall success look like? What are the tangible key results?
Mission: the most secure, resilient, and continuously improving protocol foundations possible for Livepeer, at the best possible price-to-value ratio.
Overall success is when the Foundation and Security Committee can point to a single, accountable structure that (a) detects and resolves vulnerabilities on a known clock, (b) ships protocol upgrades from the existing backlog without further Security Committee overload, and (c) operates a public testnet that the rest of the ecosystem actively uses for validation.
Key Results (H1 2026):
Continuous Immunefi coverage — valid reports acknowledged within 24 hours, triaged within one week; critical issues resolved or escalated within agreed timelines.
At least one backlog feature or patch deployed to mainnet per release cycle — drawn from the protocol R&D pipeline.
Public testnet live with ≥99% uptime — faucet, CI integration, reproducible deployment tooling, actively used by developer and client teams.
Foundation protocol engineer hired by end of Q1 2026 — supporting development and triage coordination.
Six-Month Review — performance and financial review concluded by the SPE Board in Q2 2026; results published; renewal proposal prepared.
Protocol Engineering & Security Partner contracted and operational (Sidestream) — security and triage procedures aligned with the Security Committee.
First-response capability for Immunefi reports — reproduce, validate, propose patches in coordination with the Foundation Technical Lead and the Security Committee.
Lightweight triage pipeline — established and used to prioritise and sequence backlog work each release cycle.
Backlog deployment — Reward Call Delegation, Ticket Distinction, inflation-bounds Minter upgrade, upgradable Minter proxy architecture, and stability patches shipped to mainnet on a release cadence.
Public testnet — continuously available, with faucet, CI integration, and simulation tooling.
Audits line item — significant protocol changes receive appropriate security review before deployment.
Multisig SAFE — funds held with a threshold of trusted signers from the Foundation and Security Committee.
Quarterly readiness reviews — strengthening detection, response time, and coordination.
Quarterly public reporting — transparency on operations, milestones, and spend.
Foundation protocol engineer onboarded by end of Q1 2026 — supports triage, coordination, and reduces single-partner dependency.
Reproducible deployment + virtualised upgrade simulation tooling — extends governor-scripts work already delivered under prior grants.
Devnet / private-net workflows — clear documentation so client and integration teams can test before mainnet.
Foundation-managed Immunefi payouts in the short term — preserves treasury capital for other strategic initiatives.
Ticket Distinction full implementation — pending ecosystem input on the existing spec + PoC.
Payment Clearinghouse Distinction, Stablecoin Payments, Vote Delegation, TransferBond Recipient Approvals, anti-reward-farming mechanisms — candidate backlog items, subject to triage.
Cross-chain liquidity / bridging improvements — explored only where security guarantees are preserved.
Final upgrade authorisation and execution — retained by the Security Committee as the final security checkpoint.
Operational details of security practices — not published; held within the Security Committee and Partner.
Inflation parameter changes and other governance-driven protocol changes — surfaced via triage but executed under separate community / LIP processes.
Inflation-bounds Minter update implemented.
Upgradable Minter proxy architecture designed and tested.
Two independent implementations of Reward Call Delegation.
Multiple Immunefi submissions reproduced, analysed, and mitigations proposed.
governor-scripts tooling extended for reproducible deployments and upgrade simulations.
Ticket Distinction preliminary spec + PoC complete.
Single-partner dependency — Sidestream is the sole contracted Partner; Foundation protocol engineer hire (end of Q1 2026) is the primary mitigation.
Security Committee load — the SPE reduces but does not eliminate it; quarterly readiness reviews track whether the load actually moves.
Treasury exposure to Immunefi payouts — Foundation covers in the short term; long-term funding source for bounties is an open design question.
Backlog sequencing — selecting which backlog features ship each cycle requires the lightweight triage process to land early; otherwise the SPE delivers without prioritisation rigour.
Testnet adoption — ≥99% uptime is necessary but not sufficient; success requires developer and client teams to actually use it.
Renewal decision — the six-month review must produce a clear go/no-go signal with public reasoning, not a default extension.
Now
Suggest Ecosystem Projects
In Progress
7 days ago

Rich O'Grady