• Proposal

  • OIP-122 Transfer of 250,000 DAI from OHM bagholders to 3 Watermelons Research

Note: posted on @0xwatermelon 's behalf, post written in their words.

Summary

I found very simple vulnerability in BondFixedExpiryTeller.sol contract deployed at BondFixedExpiryTeller. At the time of the exploit contract held 30,437 ($300k) which have since been returned. Previously I have reported another very simple vulnerability to Olympus DAO which I haven't been credited for affecting $7m in aOHMMigration.sol contract deployed at aOHMMigration. Bug was found upon deployment due to it's simplicity, any address had the ability to call function initialize() any amount of times, changing tokens that are being redeemed and drain entire OHM/aOHM balance. OlympusDAO 'developers' have not responded after fixing the issue.

Motivation

All proceeds will be used to fund work of 3 Watermelons Research.

Proposal

Call transfer(0x53a514bBf295A2345d42A9AaB2473978d150f00a, 250000000000000000000000) on DAI contract from OlympusDAO Treasury

Polling Period
The polling process begins now and will end at 03:00 UTC on 25/10/2022.

Poll
For: Action taken if this proposal is accepted.
Against: No action taken if this proposal is rejected.

Approve OIP-122 and send to Snapshot?

This poll has ended.

    Completely appreciate the whitehack approach and that there should be some compensation - thank you for your efforts. However, I'm not sure 250k is the right figure. I believe we need to hear from the team on the aOHMMigration.sol exploit - right now we can't attribute that to your efforts without verification. And as a portion of the one exploit we do know about 250/300k seems high. I believe the proposal should be reduced to 40% of the 300k funds saved, or 3 Watermelons Research should commit to conducting audits on Olympus contracts for a period of time to justify the full sum asked for. I'd approve either of those but not the current proposal at this stage - without further info on the other exploit mentioned.

    I don’t agree that a separate OIP should be done for bug bounties outside of the Immune.fi program. (https://immunefi.com/bounty/olympus/) If there is a legit bug and resolution, that should be reported through the process that we agreed to in OIP-38. Creating an alternative channel is not in the DAOs best interests and establishes a untenable precedent for future bug payouts.

    It’s commended that the white hack discovered these issues, and I think- based on the very little I know and understand of the incident- that a payout might be in order; it is best to allow the bounty team to assess, determine and inform us of the resolution and measured remuneration on the scale (refer to immune.fi page) within the program.

    Also, why DAI? Agreed Bounty program policy payout is in OHM.

    So I can see several sides of this and there's some nuance to be considered:

    Our Immunefi Bug Bounty cites up to 333k in compensation, paid for in OHM, for exploits that lead to toss of funds. It cites all the contracts that are in-scope for that offer.

    As I read it, the contract that was exploited doesn't actually fall under that bounty as it's part of the Bond Protocol Repo and went through their auditing channels:

    https://github.com/Bond-Protocol/bond-contracts/tree/master/src
    BondFixedExpiryTeller.sol

    That said, 0xwatermelon has essentially asked for an OTC and has also shown good faith by already having returned the funds. They've asked for $250k which is less than what would have been offered if the contract had fallen under ImmuneFi and also asked to be compensated in DAI.

    So just speaking to this specific exploit that was found and demonstrated to work, I think compensation is in order and an OTC offer can be made since it's out of scope. That said, I also think some internal discussion can be had with Bond Protocol since the contract exists within their repo and wasn't specifically for Olympus but part of their core suite.

    Both teams can consider if the ask is tenable and then sort out how best to fund it given responsibility. Olympus and Bond are partners but also separate entities with separate stakeholders so there will need to be consideration.

    Also, this contract falls within scope for the Code4Arena contest seen here:

    https://github.com/code-423n4/2022-08-olympus

    I could see a world where compensation is split between the allocated contest payout as well as some OTC on top.

      First of all, a big thank you to @0xwatermelon for uncovering this bug and for sending the full amount of the exploit back before even requesting anything from the DAO.

      Just to give a bit of context to the community here, we offered 0xwatermelon a bug bounty of 50% of the exploited amount, 15,218.5 OHM (~$150,000), which we thought was fair. However, we can also understand if 0xwatermelon and/or the community think differently.

      So, our suggestion would be that instead of potentially rejecting this vote due to a disagreement on the amount within the community, we vote on the following 4 options:

      1. $50k
      2. $150k
      3. $250k
      4. Nothing

      We believe $50k is too low for the service 0xwatermelon provided, but ultimately it will be up to the community.

      As part of the Bug Bounty Management team I will be voting in favor of this OIP. Per @shadow 's post I will be voting 3.
      I would like to ask @0xwatermelon to please reach out to me regarding the previously disclosed bug with aOHMMigration, as well as setting up a line of communication for any further disclosures.
      You are obviously a good faith whitehat and I want to make sure you can reach out to me as needed at any point in the future.

      Relwyn if we believe it falls outside the Olympus bug bounty and that the contract exploited was Bond Protocol's, but Olympus Bonders funds, then why is the OHM treasury on the hook for the full compensation at all? My understanding is that the contracts in questions were being developed while BP was still part of Olympus however so I can see a case for splitting the compensation payment between the two orgs? I find it interesting that an offer of 50% was made and that this was not mentioned in this RFC. At this stage, as per @shadow I believe the amount should be voted on and I would vote for 50%. As to whose treasury it should come from I'd like to see the full debrief from both Olympus and Bond Protocol. My thanks to both teams who I know have lost their weekends to dealing with this, appreciated.

        A slight aside, but one I think worth capturing - there is irony in that those who are Bonded, and were most at risk from losses here, will have less voting power on this when it goes to snapshot. It'd be good to understand if giving bondoors a snapshot is actively in the works - the discussion on discord is firmly for it.

        Against this OIP as-is, but not against compensating the whitehat.

        For one - I do not believe the Treasury (or bagholders as you so aptly named) should be what compensates a human oversight in contract development. The treasury belongs to Olympus the Protocol, not OlympusDAO the organization tasked with its oversight.

        Secondly, as many have stated, this particular bug came from Bond Protocol which, although recently spun out of OlympusDAO, is not officially part of OlympusDAO at the time of the hack.

        I am 100% in favor of a modified proposal here that sufficiently compensates the whitehat and provides recognition of their efforts. I also would like this person or group to consider providing on-going services as we work towards deeper decentralization and more automated contracts that may present more of a risk to "bagholders" 😜

        I am 100% for 3 Watermelons being paid $250k as bug bounty. But I'm against the current proposal for reasons similar to what @dr00 mentioned.

        1. The existing bounty framework clarifies that the payments should be in OHM and the OHM comes from the DAO funds not the treasury.

        2. Since these are Bond Protocol contracts BP should be responsible for at least 50% of this payment.

        In summary, I will vote for a proposal that pays $ 125k (in OHM) from DAO funds to 3 Watermelons, and Bond Protocol can pay 125k from the funds raised during their seed.

          z_33 agree with this. I would also suggest that the reference to aOHMMigration.sol exploit is removed before snapshot as I believe we are resolving the bondprotocol exploit here and don't have sufficient information on the former, it just muddies the water.

            abipup All for compensation but more worried that “simple” exploits were in the contracts to be found in the first place.

              I'm not as eloquent, but I think they should be compensated in Ohm and not in DAI as per other bug bounties terms.

              Simple. Pay me now or pay me later!

              Transparency for @0xwatermelon's $7m vulnerability claim. Recognition, reward and appreciation is what is in order here.

              Big thanks to watermelon to be transparent and act accordingly.

              I am against this proposal as such, however I do agree, we should compensate the efforts.

              As it seems clear, this should not be a n OHM topic at all, as the contract is the property of Bond Protocol, so any kind of appreciation in form of money should come from Bond Protocol. We were here the costumer, who was tricked due to lack of attention. with a 'basic' problem. I find it hard to convince me we should consider adding any budget to this compensations, this is purely a Bond Protocol topic.

              Strongly against this proposal for the following reasons:

              a) OlympusDAO is not associated anyhow with Bond protocol.

              b) In case there is a bounty to be paid (which Im sure there is) - it should come out from the Bonds protocol treasury.

              c) Bug found in aOHM should be delt separately from this.