Background
Bond Protocol Incident Report
OIP-122 Bug Bounty
Update from Bond Protocol
Summarizing the content of our recent Security Update, we want to update the community on the status of the bug bounty for the Fixed-Expiry Teller exploit. Bond Protocol has paid out a bug bounty of $75k, equivalent to roughly 25% of the exploit funds. In communication with the hacker, we requested signatures from the exploit address for the following messages. Anyone can verify the authenticity of these messages using tools such as Etherscan or MyEtherWallet.
Exploit Address:
0x443cf223e209E5A2c08114A2501D8F0f9Ec7d9Be
I am the owner of this address and have communicated with Bond Protocol about a bug bounty. In return for my services in identifying the Fixed-Expiry vulnerability and recovering the funds at risk, I accept a bounty equivalent to 25% of the recovered funds. Upon receipt of the bounty, I consider the matter closed between myself and Bond Protocol.
Signature:
0x986b1ab6ce4a688f027cdf46aa1446aecc2498fcfb3a7b2a481e32a158d8001f000f5b2054c24704aead06544ac0ebd825917925bdeaf7472a4159947351cd7f1b
I confirm that I have received the bug bounty and feel fairly compensated for my services.
Signature:
0xee1a04566eb25a4c47c70b322714d4a127eda6de48fe20b4b46e741177ddb6c3684cde5ce9f34efce3976b941c7c6bc0728749a1c967b1d2e68a5f87e2c3de471b
Conclusion
An in-depth security review has revealed some best practices from OlympusDAO, including a combination of expert audits and incentivized peer review via code contests. Upon reopening bond markets, we will also implement a bug bounty program through Immunefi.
To the OlympusDAO community, thank you for your patience while we resolved the bounty.
We welcome feedback on the security measures we've taken and encourage discussion about the bounty payout.