• Proposal
  • OIP-122 Transfer of 250,000 DAI from OHM bagholders to 3 Watermelons Research

I don't agree that a separate OIP should be done for bug bounties outside of the Immune.fi program. (https://immunefi.com/bounty/olympus/) If there is a legit bug and resolution, that should be reported through the process that we agreed to in OIP-38. Creating an alternative channel is not in the DAO's best interests and establishes an untenable precedent for future bug payouts.

It's commendable that the white hat discovered these issues, and I think, based on the very little I know and understand of the incident, that a payout might be in order; it is best to allow the bounty team to assess, determine and inform us of the resolution and measured remuneration on the scale (refer to immune.fi page) within the program.

Also, why DAI? The agreed bounty program policy is that payouts are in OHM.

So I can see several sides of this and there's some nuance to be considered:

Our Immunefi Bug Bounty cites up to 333k in compensation, paid in OHM, for exploits that lead to loss of funds. It cites all the contracts that are in-scope for that offer.

As I read it, the contract that was exploited doesn't actually fall under that bounty as it's part of the Bond Protocol Repo and went through their auditing channels:

https://github.com/Bond-Protocol/bond-contracts/tree/master/src
BondFixedExpiryTeller.sol

That said, 0xwatermelon has essentially asked for an OTC and has also shown good faith by already having returned the funds. They've asked for $250k which is less than what would have been offered if the contract had fallen under ImmuneFi and also asked to be compensated in DAI.

So just speaking to this specific exploit that was found and demonstrated to work, I think compensation is in order and an OTC offer can be made since it's out of scope. That said, I also think some internal discussion can be had with Bond Protocol since the contract exists within their repo and wasn't specifically for Olympus but part of their core suite.

Both teams can consider if the ask is tenable and then sort out how best to fund it given responsibility. Olympus and Bond are partners but also separate entities with separate stakeholders so there will need to be consideration.

Also, this contract falls within scope for the Code4Arena contest seen here:

https://github.com/code-423n4/2022-08-olympus

I could see a world where compensation is split between the allocated contest payout as well as some OTC on top.

    First of all, a big thank you to @0xwatermelon for uncovering this bug and for sending the full amount of the exploit back before even requesting anything from the DAO.

    Just to give a bit of context to the community here, we offered 0xwatermelon a bug bounty of 50% of the exploited amount, 15,218.5 OHM (~$150,000), which we thought was fair. However, we can also understand if 0xwatermelon and/or the community think differently.

    So, our suggestion would be that instead of potentially rejecting this vote due to a disagreement on the amount within the community, we vote on the following 4 options:

    1. $50k
    2. $150k
    3. $250k
    4. Nothing

    We believe $50k is too low for the service 0xwatermelon provided, but ultimately it will be up to the community.

    As part of the Bug Bounty Management team I will be voting in favor of this OIP. Per @shadow's post I will be voting 3.
    I would like to ask @0xwatermelon to please reach out to me regarding the previously disclosed bug with aOHMMigration, as well as setting up a line of communication for any further disclosures.
    You are obviously a good faith whitehat and I want to make sure you can reach out to me as needed at any point in the future.

    Relwyn, if we believe it falls outside the Olympus bug bounty, and that the contract exploited was Bond Protocol's but the funds were Olympus bonders' funds, then why is the OHM treasury on the hook for the full compensation at all? My understanding is that the contracts in question were being developed while BP was still part of Olympus, however, so I can see a case for splitting the compensation payment between the two orgs? I find it interesting that an offer of 50% was made and that this was not mentioned in this RFC. At this stage, as per @shadow, I believe the amount should be voted on, and I would vote for 50%. As to whose treasury it should come from, I'd like to see the full debrief from both Olympus and Bond Protocol. My thanks to both teams, who I know have lost their weekends to dealing with this; appreciated.

    A slight aside, but one I think worth capturing: there is irony in that those who are bonded, and were most at risk from losses here, will have less voting power on this when it goes to snapshot. It'd be good to understand if giving bondoors a snapshot is actively in the works; the discussion on discord is firmly for it.

    Against this OIP as-is, but not against compensating the whitehat.

    For one - I do not believe the Treasury (or bagholders as you so aptly named) should be what compensates a human oversight in contract development. The treasury belongs to Olympus the Protocol, not OlympusDAO the organization tasked with its oversight.

    Secondly, as many have stated, this particular bug came from Bond Protocol which, although recently spun out of OlympusDAO, is not officially part of OlympusDAO at the time of the hack.

    I am 100% in favor of a modified proposal here that sufficiently compensates the whitehat and provides recognition of their efforts. I also would like this person or group to consider providing on-going services as we work towards deeper decentralization and more automated contracts that may present more of a risk to "bagholders" 😜

    I am 100% for 3 Watermelons being paid $250k as bug bounty. But I'm against the current proposal for reasons similar to what @dr00 mentioned.

    1. The existing bounty framework clarifies that the payments should be in OHM and the OHM comes from the DAO funds not the treasury.

    2. Since these are Bond Protocol contracts BP should be responsible for at least 50% of this payment.

    In summary, I will vote for a proposal that pays $125k (in OHM) from DAO funds to 3 Watermelons, and Bond Protocol can pay $125k from the funds raised during their seed.

      z_33 Agree with this. I would also suggest that the reference to the aOHMMigration.sol exploit is removed before snapshot, as I believe we are resolving the Bond Protocol exploit here and don't have sufficient information on the former; it just muddies the water.

      abipup All for compensation, but more worried that "simple" exploits were in the contracts to be found in the first place.

      I'm not as eloquent, but I think they should be compensated in OHM and not in DAI, as per the other bug bounty terms.

      Simple. Pay me now or pay me later!

      Transparency for @0xwatermelon's $7m vulnerability claim. Recognition, reward and appreciation is what is in order here.

      Big thanks to watermelon for being transparent and acting accordingly.

      I am against this proposal as such, however I do agree, we should compensate the efforts.

      As it seems clear, this should not be an OHM topic at all, as the contract is the property of Bond Protocol, so any kind of appreciation in the form of money should come from Bond Protocol. We were the customer here, who was tricked, due to lack of attention, by a 'basic' problem. I find it hard to convince myself that we should consider adding any budget to this compensation; this is purely a Bond Protocol topic.

      Strongly against this proposal for the following reasons:

      a) OlympusDAO is not associated in any way with Bond Protocol.

      b) In case there is a bounty to be paid (which I'm sure there is), it should come out of the Bond Protocol treasury.

      c) The bug found in aOHM should be dealt with separately from this.

      gm
      first, I would like to thank @0xwatermelon as he (or they) did a nice job; appreciate your effort ser(s)

      second, we are not here to argue about if, but how … whitehat(s) definitely need to be rewarded. I'm personally for 150k or 250k, but with participation from Bond Protocol, at least 50/50.

      I am against the suggested amount but I am for paying the whitehat. I think 100K OHM and 33K DAI would be fair.

      I have some questions about the attacker's intentions:
      If he planned to return the funds from the start:
      1- why was the attacker's wallet 0x443cf223e209e5a2c08114a2501d8f0f9ec7d9be anonymized via aztec.network?
      2- why did he call Zeus an "idiot" publicly?


      If he is a white hat hacker, and if there is something called "3 Watermelons Research", why is he cutting ties on twitter with 🍉🍉🍉.eth https://twitter.com/SpaceWigger/status/1554831916066476041 (this tweet was alive a few days ago)? Because the address was doxxed?

      …

      I believe he realized someone knew his previously doxxed wallet was in touch with the team, and this forced him to return the funds.

      https://twitter.com/srknoron/status/1585001787396091904