BGD. Proposal for Bounty. Fallback oracle misconfiguration


8 replies, 2657 views, 20 likes

governance.aave.com

TL;DR:

The Hacxyk team discovered a severe but unlikely security issue in Aave v3's fallback oracle, potentially putting ~$46m (the TVL of Aave v3 at the time) at risk, and Bgdlabs proposed a $50,000 bounty for their discovery. The community debated the bounty amount, highlighting the importance of rewarding responsible bug reporting, and a Snapshot proposal was created for community approval.

The discussion revolved around a security disclosure by the Hacxyk team involving a misconfiguration of the fallback oracle on the Aave v3 markets. Bgdlabs proposed a $50,000 bounty for the Hacxyk team for their discovery. The issue was that the fallback oracle, which is consulted only when the main price feed (Chainlink) returns 0, was a mock smart contract whose price-setting function had no access control. Anyone could therefore have set an arbitrary price for an affected asset, and that price would have been served to the protocol whenever the main feed returned 0, forcing undesired price behaviour on the affected assets (the oracle price is what the protocol uses to value collateral and debt). Hacxyk classified the misconfiguration as likely and severe, pointing out that ~$3B of assets were at risk. Bgdlabs disagreed with the impact evaluation, classifying it as severe but unlikely (the fallback path is only reached when Chainlink returns 0), and noted that the total value locked (TVL) of Aave v3 at the time of disclosure was ~$46m, not the $3B Hacxyk claimed [1, 2].
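To make the failure mode concrete, here is an added illustration written by the editor; it is not code from Aave, BGD Labs or Hacxyk, and the contract and function names (MockPriceOracle, OwnedFallbackOracle, PriceRouter, setAssetPrice, setSource) are assumptions chosen to mirror the pattern the thread describes rather than the deployed Aave v3 contracts. It shows a price router that consults the fallback only when the main feed gives no valid answer, the unprotected mock that was wired in as that fallback, and a hardened fallback with an owner check. The router treats any non-positive answer as invalid, a slight generalization of the "returns 0" condition described above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Illustrative contracts added by the editor; not code from Aave, BGD Labs
// or Hacxyk. Contract and function names are assumptions chosen to mirror
// the pattern the thread describes, not the deployed Aave v3 contracts.

interface IAggregator {
    // Chainlink-style feed: a non-positive answer means "no valid price".
    function latestAnswer() external view returns (int256);
}

interface IPriceOracle {
    function getAssetPrice(address asset) external view returns (uint256);
}

// The misconfiguration: a mock fallback whose setter anyone can call.
contract MockPriceOracle is IPriceOracle {
    mapping(address => uint256) private _prices;

    // No access control: an arbitrary caller can store any price.
    function setAssetPrice(address asset, uint256 price) external {
        _prices[asset] = price;
    }

    function getAssetPrice(address asset) external view override returns (uint256) {
        return _prices[asset];
    }
}

// A hardened fallback: only the owner (assumed here to be governance) may set
// prices, zero prices are rejected, and every change is logged.
contract OwnedFallbackOracle is IPriceOracle {
    address public immutable owner;
    mapping(address => uint256) private _prices;

    event AssetPriceSet(address indexed asset, uint256 price, address indexed by);

    constructor(address owner_) {
        require(owner_ != address(0), "owner is zero");
        owner = owner_;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function setAssetPrice(address asset, uint256 price) external onlyOwner {
        require(price > 0, "price must be positive");
        _prices[asset] = price;
        emit AssetPriceSet(asset, price, msg.sender);
    }

    function getAssetPrice(address asset) external view override returns (uint256) {
        uint256 price = _prices[asset];
        require(price > 0, "no fallback price set");
        return price;
    }
}

// Simplified price router showing when the fallback is actually consulted:
// only when an asset has no main feed or the feed answers 0 (or negative).
contract PriceRouter {
    address public immutable admin;
    IPriceOracle public immutable fallbackOracle;
    mapping(address => IAggregator) public sources;

    constructor(address admin_, IPriceOracle fallbackOracle_) {
        admin = admin_;
        fallbackOracle = fallbackOracle_;
    }

    function setSource(address asset, IAggregator source) external {
        require(msg.sender == admin, "not admin");
        sources[asset] = source;
    }

    function getAssetPrice(address asset) external view returns (uint256) {
        IAggregator source = sources[asset];
        if (address(source) != address(0)) {
            int256 answer = source.latestAnswer();
            if (answer > 0) {
                return uint256(answer);
            }
        }
        // Fallback path. With MockPriceOracle here, the value returned is
        // whatever the last arbitrary caller of setAssetPrice stored; with
        // OwnedFallbackOracle it is governance-set or the call reverts.
        return fallbackOracle.getAssetPrice(asset);
    }
}
```

The practical check for any deployment that has this shape: read the fallback oracle address out of the price router, then simulate its setter (an eth_call) from an address that holds no role. If the simulation does not revert, the fallback is writable by anyone, and its impact is whatever the main feed's failure cases allow. The same split explains the severity debate on the thread: the write is trivial, but it only matters on the code path taken when the main feed returns 0, so the likelihood hinges on how often that path is reached.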

The community had mixed reactions to the proposed bounty. Fig suggested rewarding well-intended behavior and promoting a culture of responsibly reporting bugs, while SamUchiha proposed a minimum bounty of $500K, arguing from the amount protected and Aave's reputation, and suggested three financing options and additional perks for the Hacxyk team. Tor_GAINS, on the other hand, believed that $500K was too much if $50K is considered a decent reward. Bgdlabs confirmed that the issue had been fixed immediately and suggested USDC as the underlying token for the bounty. They also announced the creation of the Snapshot proposal for community approval and invited participation in the vote [3, 4, 5, 6, 7, 8, 9].

In conclusion, the community generally agreed on the importance of rewarding entities that responsibly report bugs, with the exact amount of the bounty being a point of contention. The issue was promptly addressed, and a Snapshot proposal was created for community approval. The discussion also highlighted the importance of decentralized security reviews and the need for a more formal definition of a bug bounty program.

Posted a year ago

Last reply a year ago

Summary updated 2 months ago

Last updated 06/12 00:43