Compound

Closed · Ended 2 years ago · Onchain

Comet Vulnerability Disclosure (Patched) - Bug Bounty Program Reward

By 0x9c9d...79B429

Background

NOTE: The vulnerability has been patched and no user funds are at risk.

For the full details and context related to the vulnerability disclosure, as well as discourse between the OpenZeppelin and Compound Labs teams, and Compound community members, please see here.

On November 13th, I had disclosed a vulnerability for the Base Comet WETH market’s smart contracts which would have enabled an attacker to directly steal user funds via the withdraw and transfer methods. I was given the blessings from the OpenZeppelin and Compound Labs teams in making this proposal for the purposes of proposing a reward for my professionalism and collaboration in addressing the vulnerability (in line with the Compound Bug Bounty Program payout range).

Bug Bounty Program Reward

Leaning on the support from the OpenZeppelin and Compound Labs teams and other Compound community members (such as experienced security researcher Daniel Von Fange) for guidance and their assessment of reward fairness, I would like to make a humble ask for ~20% less than the maximum Compound Bug Bounty Program reward: $125,000 (denominated in various assets from the Compound Timelock, using Etherscan as a publicly-accessible pricing source for non-stable assets, as of 7:30pm EST, Monday, December 4, 2023). All stable asset prices are fixed at $1.00.

| Asset | Units | Unit Price ($) | Value ($) |
| --- | --- | --- | --- |
| REPv2 | 515.49 | $0.703079 | $362.430194 |
| USDT | 500 | $1.00 | $500.00 |
| DAI | 740.40 | $1.00 | $740.40 |
| BAT | 3,505.14 | $0.245071 | $859.008165 |
| FEI | 6,324.34 | $1.00 | $6,324.34 |
| UNI | 2,245.19 | $6.13 | $13,763.01 |
| USDC | 50,000.00 | $1.00 | $50,000.00 |
| ETH | 23.50 | $2,238.74 | $52,610.39 |
| | | Total | $125,159.58 |

The table above has been verified to be formatted correctly on comp.xyz. If it is not displaying correctly, please reference the following Google Docs spreadsheet (identical data).

I am sincerely appreciative of the opportunity to have collaborated alongside the best teams and individuals in discussing and remedying this vulnerability, and look forward to continuing my contributions both as a Compound builder and vigilant community member. Thank you very much for both your time and consideration.

Votes 10
| Voter | Cast Power | Vote & Rationale |
| --- | --- | --- |
| 0x9AA8...62cCF1 | 256,017 | FOR |
| Wintermute Governance | 53,926 | FOR |
| 0xB49f...EC7948 | 50,004 | ABSTAIN |
| 0xed11...a5bb04 | 50,003 | FOR |
| 0x13BD...138548 | 50,000 | ABSTAIN |

Proposal Status
  • Tue December 05 2023, 12:50 am: Published Onchain 0x9c9d...79B429
  • Wed December 06 2023, 09:03 pm: Voting Period Starts
  • Sat December 09 2023, 03:22 pm: End Voting Period
  • Queue Proposal
  • Execute Proposal
Current Results

  • 1-FOR: 385,494.94 (71.48%)
  • 2-ABSTAIN: 100,004.03 (18.54%)
  • 3-AGAINST: 53,794.55 (9.98%)
Quorum 539,293.52/400,000