It seems that the pseudonymous developer ‘KP’ did everything right after discovering a vulnerability in Compound’s v3 protocol, also known as Comet. The vulnerability would have allowed a hacker to steal money directly from users, albeit at a hugely unprofitable cost: KP estimated that it would cost an attacker billions of dollars in gas fees to steal $1 million.
After finding and validating the vulnerability, KP reported it to Compound and its security partner OpenZeppelin, along with a code repository containing a proof-of-concept simulation of the attack. The bug was immediately patched, so KP made a “modest” request to Compound DAO: a reward of $125,000, just over 80% of the DAO’s maximum bug bounty of $150,000, a figure prominently displayed on the bug bounty program page of the protocol’s website.
In the proposal, KP explained that a bug bounty would help to “greatly motivate security researchers and developers in identifying and disclosing Compound bugs and vulnerabilities in the future.” KP added that he is developing a startup based on the Comet protocol, and that the reward would “significantly extend our runway and allow us to see through our efforts to provide value and become a pillar of the ecosystem.”
KP’s proposal drew support from Kevin Cheng, head of protocol at Compound Labs, and Michael Lewellen, head of solution architecture at OpenZeppelin, who praised KP’s professionalism in handling the bug during the DAO’s discussion of the proposal.
Despite more than two-thirds support among delegates for the reward, the vote failed, falling just 15,000 votes short of the 400,000-vote quorum needed for adoption. The vote looked far from successful for most of the voting period, although a last-minute vote by VC Andreessen Horowitz added 256,000 votes in favor. Unfortunately for KP, this was not enough to reach quorum.
Compound’s guidelines for the bug bounty program state that the protocol intends to “pay generous rewards for qualifying discoveries based on the severity and exploitability of the discovery,” although they clarify that such rewards are determined “at the sole discretion of Compound.”
KP’s case was also supported by Wintermute, although crypto VC firm Polychain failed to register any vote – not even an abstention – despite being the largest holder of COMP tokens, according to Tally.xyz. None of the parties involved could immediately be reached by The Block for comment.
KP has since resubmitted the proposal, calling for a $100,000 reward instead.