Developer KP, who discovered a security flaw in the v3 protocol of Compound, took significant steps regarding the issue. According to KP’s estimate, this security flaw would allow a hacker to directly steal user funds, and this step would occur at a very high cost. According to the famous name, a hacker stealing $1 million in funds would be realized with billions of dollars in commission fees.
Request of $125,000 for Security Flaw
After finding and confirming the security flaw, KP reported this to the Compound team and their security partner OpenZeppelin, along with a code pool containing a simulation of the attack. The error was immediately corrected by the team, and thus KP was able to make a modest request from Compound DAO. The developer claimed a reward of $125,000. Compound DAO gives a maximum of $150,000 as a reward for bug bounties to developers.
In his offer, KP stated that a bug bounty will greatly motivate security researchers and developers to identify and disclose compound bugs and security vulnerabilities in the future. KP added that he developed an initiative on the Comet protocol and the reward would greatly extend our runway and allow us to see our efforts to provide value and become the bedrock of the ecosystem.
KP’s proposal brought along the supports of Compound Labs protocol president Kevin Cheng and OpenZeppelin solution architecture president Michael Lewellen, and these names praised KP’s professionalism in correcting the error during the DAO’s discussion of the proposal.
DAO Rejected the Proposal
Despite more than two-thirds support for the award among the delegates on the issue, the vote failed and fell only 15,000 votes from the required 400,000 votes for approval. Vice President Andreesen-Horowitz’s last-minute vote brought 256,000 votes in favor. However, this vote was not enough for KP to reach the required number.
Compound’s guidelines for the bug bounty program aim to pay generous rewards for appropriate discoveries based on the seriousness and exploitability of the protocol’s discovery, but it explains that such rewards are decided entirely at Compound’s discretion. KP took a different step on this issue by making another proposal and asked for a reward of $100,000 instead of $125,000.
