The pseudonymous developer ‘KP’ appears to have acted immediately after discovering a flaw in Compound’s v3 protocol, also known as Comet.
By KP’s estimate, the vulnerability would have allowed an attacker to drain user funds directly, but only at an astronomically unprofitable cost: the attacker would have had to pay billions of dollars in gas fees to steal $1 million.
After discovering and validating the bug, KP reported it to Compound and its security partner, OpenZeppelin, and shared a code repository containing a proof-of-concept simulation of the attack.
After the bug was expeditiously fixed, KP approached Compound DAO with a “humbly” requested reward of $125,000. This amount is slightly above 80% of the maximum reward of $150,000 that Compound DAO offers for bug bounties, a figure conspicuously showcased on the protocol’s website.
In the proposal, KP argued that paying the bounty would “substantially inspire security researchers and developers to disclose Compound flaws and vulnerabilities in the future.”
Further, KP stated that he is in the process of establishing a Comet protocol-based startup and that the reward would “substantially extend our runway and empower us to complete our endeavors to deliver value and establish ourselves as an ecosystem mainstay.”
During the DAO’s deliberation of the proposal, Kevin Cheng, head of protocol at Compound Labs, and Michael Lewellen, director of solutions architecture at OpenZeppelin, endorsed KP’s request and commended KP’s professionalism in handling the issue.
Although more than two-thirds of the delegates who voted backed the reward, the vote failed: it fell a mere 15,000 votes short of the required quorum of 400,000 votes.
For most of the voting period the proposal looked unlikely to pass; a last-minute vote by the VC firm Andreessen Horowitz then added 256,000 votes in its favor.
Sadly for KP, that was insufficient to achieve a quorum.
The guidelines for Compound’s bug bounty program state that the protocol aims to “provide substantial rewards for eligible discoveries” according to the discovery’s severity and exploitability.
However, it is explicitly stated that the determination of such rewards “rests solely with Compound.”
Wintermute also backed KP’s proposal. However, according to Tally.xyz, the crypto venture capital firm Polychain, the largest COMP holder, recorded no vote at all, not even an abstention.
Since then, KP has resubmitted the proposal with a reduced reward request of $100,000.