By all appearances, pseudonymous developer 'KP' did everything right after discovering a vulnerability with Compound COMP +3.84% 's v3 protocol, also known as Comet. The vulnerability would've allowed a hacker to directly steal user funds, though at a massively unprofitable cost — it would cost an attacker billions in gas fees to steal $1 million in funds, KP estimated.
After finding and validating the vulnerability, KP reported it to Compound and its security partner OpenZeppelin, along with a code repository containing a proof-of-concept simulation of the attack. The bug was promptly patched, and so KP made a "humble" request to Compound DAO: a reward of $125,000, a little over 80% of the $150,000 maximum Compound DAO rewards for bug bounties, a figure prominently displayed on the protocol's website.
In his proposal, KP explained that a bug bounty would help in "greatly motivating security researchers and developers in identifying and disclosing Compound bugs and vulnerabilities in the future." KP added that he's developing a startup on the Comet protocol, and that the reward would "greatly prolong our runway and enable us to see through our efforts of providing value and becoming a mainstay of the ecosystem."
KP's proposal brought with it endorsements from Kevin Cheng, head of protocol at Compound Labs, and Michael Lewellen, head of solutions architecture at OpenZeppelin, who praised KP's professionalism in fixing the bug during the DAO's discussion of the proposal.
However, despite more than two-thirds support among delegates for the reward, the vote failed, falling just 15,000 votes of a necessary 400,000 vote quorum to pass. The vote appeared far from passing for most of the voting period, though a last-minute vote by VC Andreesen-Horowitz brought 256,000 votes in favor. Unfortunately for KP, it wasn't enough to reach quorum.
Compound's guidelines for the bug bounty program state that the protocol intends to "pay generous rewards for eligible discoveries based on the severity and exploitability of the discovery," though clarifies that such rewards are decided "at Compound’s sole discretion."
KP's cause was also supported by Wintermute, though crypto VC firm Polychain failed to register any vote — even a vote abstaining — despite being the largest holder of COMP tokens, according to Tally.xyz. None of the parties involved could be immediately reached when asked for comment by The Block.
KP has since resubmitted the proposal, asking for a reward of $100,000 instead.
Disclaimer: The Block is an independent media outlet that delivers news, research, and data. As of November 2023, Foresight Ventures is a majority investor of The Block. Foresight Ventures invests in other companies in the crypto space. Crypto exchange Bitget is an anchor LP for Foresight Ventures. The Block continues to operate independently to deliver objective, impactful, and timely information about the crypto industry. Here are our current financial disclosures.
© 2023 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.