Comet Vulnerability Disclosure (Patched) - Bug Bounty Program Reward
This is a resubmission of proposal #202 with a lower bug bounty reward amount which I believe to be in line with the DAO’s wishes, given the closeness of reaching quorum for the previous amount.
A heartfelt thank you to she256, PGov, Wintermute, and a16z for having voted in favor of proposal #202. While the proposal did not pass, your support did not go unnoticed and will not be forgotten by myself nor the broader community.
Background
NOTE: The vulnerability has been patched and no user funds are at risk.
For the full details and context related to the vulnerability disclosure, as well as discourse between the OpenZeppelin and Compound Labs teams, and Compound community members, please see here.
On November 13th, I had disclosed a vulnerability for the Base Comet WETH market’s smart contracts which would have enabled an attacker to directly steal user funds via the withdraw and transfer methods. I was given the blessings from the OpenZeppelin and Compound Labs teams in making this proposal for the purposes of proposing a reward for my professionalism and collaboration in addressing the vulnerability.
Bug Bounty Program Reward
Leaning on the support from the OpenZeppelin and Compound Labs teams and other Compound community members (such as experienced security researcher Daniel Von Fange) for guidance and their assessment of reward fairness, I would like to make a humble ask for ~33% less than the maximum Compound Bug Bounty Program reward: $100,000 worth of COMP tokens, at $55.82 per COMP, rounded down; the COMP price was sourced from Etherscan (publicly and freely accessible) at 10:30am EST on December 9, 2023.
I am sincerely appreciative of the opportunity to have collaborated alongside the best teams and individuals in discussing and remedying this vulnerability, and look forward to continuing my contributions both as a Compound builder and vigilant community member.
Thank you very much for both your time and consideration.
| Voter | Cast Power | Vote & Rationale |
|---|---|---|
| 0x9AA8...62cCF1 | 256,017 | FOR |
| 0x8d07...e6A265 | 70,006 | FOR |
| Wintermute Governance | 53,926 | FOR |
| 0x2B38...77bf33 | 32,509 | AGAINST |
| 0x3FB1...2d4C8A | 25,550 | FOR |
Proposal Status
- Mon December 11 2023, 11:55 am: Voting Period Starts
- Thu December 14 2023, 06:11 am: End Voting Period
- Thu December 14 2023, 06:12 am: Queue Proposal
- Sat December 16 2023, 06:14 am: Execute Proposal
Current Results
- 1-FOR: 432,444.4
- 2-AGAINST: 32,509.145
- 3-ABSTAIN: N/A Tokens
