ELIP #2 - Bounty payment for critical vulnerability found by samsczsun

Elastic Improvement Proposal #2

Bounty payment for critical vulnerability found by samsczsun

Background

samczsun, is one of the prolific white hats in the industry.

samczsun has found critical bugs in more than 29 projects, ranging from Aragon Court to NFTX

A comprehensive list of which can be found here.

Summary

As mentioned in this article ElasticDAO Smart Contract and Security Audits | by (LS)Dan Matthews | ElasticDAO | Mar, 2021 | Medium

The security of the funds in ElasticDAO will always be its top priority.

After ElasticDAO’s successful launch to mainnet, which saw participants using 2069 ETH to mint over 30,000 EGT along with the SushiSwap pool having a trading volume of over $6m on the first day.

Members of the team were contacted by samczsun, alerting us to the fact that there was a possibility of draining the ElasticDAO of its funds.

Credit to our own ElasticDAO member @ycklsr for bringing it to his attention,

1c08eed9-2324-40eb-a88c-388b145c98061080×757 44.5 KB

Here is the gist written by him explaining the bug: gist:4fe1c099f956fac991a25be78cfa73a9 · GitHub

Essentially, the bug was an infinite minting bug.

The possible bad actor could repeat the process of transferring to himself the maximum amount EGT possible, and in the same transaction, sell that EGT for the underlying ETH, draining all the underlying ETH in ElasticDAO’s SushiSwap pool.

Solution

The fix was a simple guard added to the transfer function that neither the team nor the wardens had anticipated necessary.

The fix in the _transfer function of ElasticGovernanceToken.sol :

require(_from != _to, 'ElasticDAO: Can not transfer to self');

Proposal

This guard thus prevented ElasticDAO loosing all of its 2069 ETH and all the liquidity in the SushiSwap pool, this is becase the _transfer function on ElasticGovernanceToken.sol in tandem with infinite minting bug could have been used to drain all the funds.

We are requesting that 10% of the Sushiswap pool balance (valued at the moment the bug was found), which amounted to 90,000 USDC be paid to samczsun.

Note - The multisig will mint and redeem an equivalent value of EGT via the exit function for the underlying ETH value and burn the tokens. No tokens will be sold into SushiSwap.

Upon approval of #ELIP 2 ElasticDAO would have rewarded samczsun for finding an extremely obfuscated bug, occurance of which could have been catastrophic for this nascent experiment in fair governance that is ElasticDAO

The team would like to thank the community for their continued support and participation in ElasticDAO.

This is the first bug bounty decision I’ve participated in, so curious on how the 10% value was determined. Is that a typical rate that is used for compensation? If not, how did you arrive at this?

edit: in support of compensating for sure, just looking to understand better as seems somewhat arbitrary without the added detail on how derived.

edit2: details from LSDan below are super clear on the rationale behind this value. full support.

god bless samczsun

he deserves even more imo but ill vote for the 10%

shouts out to yannick for tapping him for the help

90k is a drop in the bucket compared to the damage this exploit could have caused. Pay the man!

I think it is definitely a fair compensation, since the damage could have been far off worse.

But this minting bug seems like was found after Code 423n4 audit and review, and such critical vulnerability overlooked by them, simply makes their audit incredible, and honestly feels like they were overpaid for their work, compensate samczsun and audit the minting oven code with someone more credible, and refer to samczsun for help to ensure this bug does not happen again.

10% of monies saved is a number that is often used with recovered funds, and is floated by many in the security industry as a number that makes white hatting lucrative enough to keep talented researchers from crossing into grey hat land.

In this case the number was discussed with sam himself and I agree that it makes sense given the scope of the issue had it been exploited.

Screenshot_20210326-230755_Discord1080×203 57.2 KB

Screenshot_20210326-230812_Discord1080×317 92.1 KB

I support this proposal as much as the last one, but be prepared for the angry chorus again about how ‘this isn’t a charity! my moneyyyy! reeeeee!’

All I’m suggesting is that the next proposal maybe include something about earning more funds rather than donating them

Businesses spend money. That part always happens before they make money. Also, making money does not really require a proposal.

The interesting thing about a DAO that is this transparent is you all now get to see how the sausage is made instead of funding a “valueless governance token” and having the team spend whatever they want without that expense going to a vote.

The next ELIP will involve team salaries and be released tomorrow.

I get it and I am 100% on board. Frankly, if a black hat had caught the error before samczsun did, then EGT would be worthless and there would be no money left to complain about.

Still doesn’t mean you won’t hear about it from short-sighted folks though.

I think 90.000 USDC is a very fair amount … for us!

If I’m not mistaken the vulnerability could have also been used to clear all funds from the DAO, not only from Sushiswap. So it’s more a 2% bounty actually. Either way, I’ll vote in favor of the proposal.

that’s correct… sam is a legend, it’s part of doing business in crypto. If you want continued white hat support for your projects you should treat them in kind when they do you a solid… def has my vote.

If 10% is the going rate for bounty, then I think that is fair. We are all very lucky it was caught.

sounds great. thanks for providing the details and background

Samczsun is an absolute gift for DeFi as a whole. I think this is a fair reward and I’ll be supporting it.

Yep, absolute yes! Done us all a huge favour!!

Supporting that ELIP for sure. Samczsun is a blessing for Defi.

Favorable. In samczsun’s words:

Bug bounties are nice. I’ve come to accept that they’re not a guarantee, and even if they have one it’s not going to be as dazzling as 0x.

Because of that I think sometimes I might adjust how much time I spend looking at something. Just, knowing that there might not be (from a purely monetary point of view) a great return on this time investment.

(…)

I think in general, you should look at what other projects are offering and scale your bounty proportionally to theirs, according to how much is at risk.

That’s where I think 0x did a really good job. They recognized that with the amount of money at risk, they wanted to offer a suitably high compensation in exchange so that you’re incentivized not to go “do the bad thing” instead.

If you offer only $1,000 - $5,000 for a bug that nets $1,000,000 - $5,000,000, some people might decide it’s worth exploiting that bug themselves or even selling it to someone for more than the bounty.

I don’t have much to add that hasn’t already been said: PAY THE MAN/WOMAN/ALIEN

No brainer. Will easily vote for and fully support this proposal.

Samczsun - Take. Our. Money! Well deserved.