• Proposal
  • OIP-122 Transfer of 250,000 DAI from OHM bagholders to 3 Watermelons Research

As part of the Bug Bounty Management team I will be voting in favor of this OIP. Per @shadow 's post I will be voting 3.
I would like to ask @0xwatermelon to please reach out to me regarding the previously disclosed bug with aOHMMigration, as well as setting up a line of communication for any further disclosures.
You are obviously a good faith whitehat and I want to make sure you can reach out to me as needed at any point in the future.

Relwyn if we believe it falls outside the Olympus bug bounty and that the contract exploited was Bond Protocol's, but Olympus bonders' funds, then why is the OHM treasury on the hook for the full compensation at all? My understanding is that the contracts in question were being developed while BP was still part of Olympus, however, so I can see a case for splitting the compensation payment between the two orgs. I find it interesting that an offer of 50% was made and that this was not mentioned in this RFC. At this stage, as per @shadow, I believe the amount should be voted on and I would vote for 50%. As to whose treasury it should come from, I'd like to see the full debrief from both Olympus and Bond Protocol. My thanks to both teams who I know have lost their weekends to dealing with this, appreciated.

A slight aside, but one I think worth capturing: there is irony in that those who are bonded, and were most at risk from losses here, will have less voting power on this when it goes to snapshot. It'd be good to understand if giving bondoors a snapshot is actively in the works; the discussion on Discord is firmly for it.

Against this OIP as-is, but not against compensating the whitehat.

For one, I do not believe the Treasury (or bagholders, as you so aptly named them) should be what compensates a human oversight in contract development. The treasury belongs to Olympus the Protocol, not OlympusDAO, the organization tasked with its oversight.

Secondly, as many have stated, this particular bug came from Bond Protocol which, although recently spun out of OlympusDAO, was not officially part of OlympusDAO at the time of the hack.

I am 100% in favor of a modified proposal here that sufficiently compensates the whitehat and provides recognition of their efforts. I also would like this person or group to consider providing on-going services as we work towards deeper decentralization and more automated contracts that may present more of a risk to "bagholders" 😜

I am 100% for 3 Watermelons being paid $250k as bug bounty. But I'm against the current proposal for reasons similar to what @dr00 mentioned.

1. The existing bounty framework clarifies that the payments should be in OHM and the OHM comes from the DAO funds not the treasury.

2. Since these are Bond Protocol contracts BP should be responsible for at least 50% of this payment.

In summary, I will vote for a proposal that pays $125k (in OHM) from DAO funds to 3 Watermelons, and Bond Protocol can pay $125k from the funds raised during their seed.

    z_33 Agree with this. I would also suggest that the reference to the aOHMMigration.sol exploit is removed before snapshot, as I believe we are resolving the Bond Protocol exploit here and don't have sufficient information on the former; it just muddies the water.

    abipup All for compensation but more worried that “simple” exploits were in the contracts to be found in the first place.

    I'm not as eloquent, but I think they should be compensated in OHM and not in DAI, as per the other bug bounties' terms.

    Simple. Pay me now or pay me later!

    Transparency for @0xwatermelon's $7m vulnerability claim. Recognition, reward and appreciation are what is in order here.

    Big thanks to watermelon for being transparent and acting accordingly.

    I am against this proposal as such; however, I do agree we should compensate the efforts.

    As it seems clear, this should not be an OHM topic at all, as the contract is the property of Bond Protocol, so any kind of appreciation in the form of money should come from Bond Protocol. We were the customer here, who was tricked due to lack of attention, with a 'basic' problem. I find it hard to convince myself we should consider adding any budget to this compensation; this is purely a Bond Protocol topic.

    Strongly against this proposal for the following reasons:

    a) OlympusDAO is not associated in any way with Bond Protocol.

    b) In case there is a bounty to be paid (which I'm sure there is), it should come out of the Bond Protocol treasury.

    c) The bug found in aOHM should be dealt with separately from this.

    gm
    first, I would like to thank @0xwatermelon as he (or they) did a nice job, appreciate your effort ser(s)

    second, we are not here to argue about if, but how … the whitehat(s) definitely need to be rewarded. I'm personally for 150k or 250k but with participation from Bond Protocol, at least 50/50.

    I am against the suggested amount but I am for paying the whitehat. I think 100K OHM and 33K DAI would be fair.

    I have some questions about the attacker's intentions:
    If he planned to return the funds from the start:
    1. Why was the attacker's wallet 0x443cf223e209e5a2c08114a2501d8f0f9ec7d9be anonymized over aztec.network?
    2. Why did he call Zeus an "idiot" publicly?


    If he is a white hat, and if there is something called "3 Watermelons Research", why is he cutting ties on Twitter with 🍉🍉🍉.eth https://twitter.com/SpaceWigger/status/1554831916066476041 (this tweet was alive a few days ago)? Because the address was doxxed?

    …

    I believe he realized someone knew his previously doxxed wallet was in touch with the team, and this forced him to return the funds.

    https://twitter.com/srknoron/status/1585001787396091904

      srkn I don't think any of that is relevant, he's free to call someone an idiot on Twitter if he wants.

      If you have proof of malintent then please post that and we can act on it. Otherwise please refrain from posting derogatory speculation here.

      I will vote no to this proposal.

      I do think Watermelon has done everything right and should be compensated. However, it was Bond Protocol's contract that was exploited, not Olympus's. So the claim should be on Bond Protocol, or at the very least we should wait until we have clarity from Bond Protocol on how they will compensate Olympus.

      A second formality is that treasury funds should not be used for development, research, audits, etc. That should come from the Olympus DAO.

      Chiming in from Bond Protocol. We do not feel that Olympus governance is the appropriate avenue to resolve a bug bounty with @0xwatermelon. If the expectation is that Bond Protocol is covering the bounty, then the amount should not be decided by external parties. We are pursuing alternative means to compensate the hacker, but we don't have enough clarity to post details publicly.

      We are glad that Olympus supports good faith behavior for returning lost funds, but we also think we should be allowed to respond on our own terms. Therefore, we recommend voting NO on OIP-122 pending an update from Bond Protocol.
