Proposals

Proposals

/

Proposal

Quorum not reached

Comet Vulnerability Disclosure (Patched) - Bug Bounty Program Reward

User profile image

by

by

kphed.eth

kphed.eth

ID 202

ID 202

Compound

Compound

Proposed on: Dec 5th, 2023

Proposed on: Dec 5th, 2023

Votes

Actions

Type

Address

Details

Proposal

Background

NOTE: The vulnerability has been patched and no user funds are at risk.

For the full details and context related to the vulnerability disclosure, as well as discourse between the OpenZeppelin and Compound Labs teams, and Compound community members, please see here.

On November 13th, I had disclosed a vulnerability for the Base Comet WETH market’s smart contracts which would have enabled an attacker to directly steal user funds via the withdraw and transfer methods. I was given the blessings from the OpenZeppelin and Compound Labs teams in making this proposal for the purposes of proposing a reward for my professionalism and collaboration in addressing the vulnerability (in line with the Compound Bug Bounty Program payout range).

Bug Bounty Program Reward

Leaning on the support from the OpenZeppelin and Compound Labs teams and other Compound community members (such as experienced security researcher Daniel Von Fange) for guidance and their assessment of reward fairness, I would like to make a humble ask for ~20% less than the maximum Compound Bug Bounty Program reward: $125,000 (denominated in various assets from the Compound Timelock, using Etherscan as a publicly-accessible pricing source for non-stable assets, as of 7:30pm EST, Monday, December 4, 2023). All stable assets prices are fixed at $1.00.

|Asset | Units | Unit Price ($) | Value ($)|

|--- | --- | --- | ---|

|REPv2 | 515.49 | $0.703079 | $362.430194|

|USDT | 500 | $1.00 | $500.00|

|DAI | 740.40 | $1.00 | $740.40|

|BAT | 3,505.14 | $0.245071 | $859.008165|

|FEI | 6,324.34 | $1.00 | $6,324.34|

|UNI | 2,245.19 | $6.13 | $13,763.01|

|USDC | 50,000.00 | $1.00 | $50,000.00|

|ETH | 23.50 | $2,238.74 | $52,610.39|

| |  | Total | $125,159.58|

The table above has been verified to be formatted correctly on comp.xyz. If it is not displaying it correctly, please reference the following Google Docs spreadsheet (identical data).

I am sincerely appreciative of the opportunity to have collaborated alongside the best teams and individuals in discussing and remedying this vulnerability, and look forward to continuing my contributions both as a Compound builder and vigilant community member. Thank you very much for both your time and consideration.

Votes
Status