AIP 89: Compensation and bounty for exploited contract vulnerability #91

sephrok opened this issue Aug 14, 2023 · 5 comments

sephrok commented Aug 14, 2023

AIP 89: Compensation and bounty plan for exploited staking contract

Summary

In April of 2021 a contract was deployed for staking and a bug was identified that allowed an exploiter to stake other wallets' AST. Any funds staked to that contract were reported as safe and still included in snapshots and able to vote. It wasn't until August 6th, 2023 that it was discovered that this exploit also allowed the exploiter to not only stake another wallet's AST but also immediately unstake it to their own wallet. To stop the exploiter from doing any more harm, a post was made in Discord that the 19 wallets on the old staking contract needed to revoke permissions from this contract ASAP. Unfortunately some AST was already stolen from at least one wallet before identifying a solution to revoke permissions to the contract.

Bugged Contract deployed in April of 2021:
0x704c5818b574358dfb5225563852639151a943ec

  • This staking contract was found to be vulnerable to an exploit
  • To date, 143K AST has been exploited through the contract
  • Request 143K AST from the Treasury to restore affected wallets
  • Offer a whitehat bounty reward equal to 10% of the amount to the attacker on full return of the funds to the treasury.

Specification

Timeline of events

  • 01 Apr 2021: Affected staking contract (0x704) was deployed
  • 02 Apr 2021: 0x704 was deprecated due to a bug, new staking contract deployed. By then, 645K AST had already been staked into 0x704. The bugged contract was not known to be exploitable at this time
  • 23 July 2023: Exploiter address 1 (0xAd57) steals 133K AST from exploited address (0x6d2)
  • 06 Aug 2023: Exploiter address 2 (0x57A) steals 9.7K AST from 0x6d2. Investigation reveals vulnerability through AST approvals to 0x704. Warning immediately sent to DAO members to revoke permissions to 0x704.

Request for AST

Requesting 143,551.0604 AST from the Treasury to compensate user(s) affected by the vulnerable DAO contract

  • 143,551.0604 AST reimbursed to 0x6d2Bc535438102C186BaEBE68a9a8444ef0a1034 for recognizing the exploit.
  • The DAO will not be responsible for further losses through this contract
  • 14.3K AST is requested as a "white hat" bounty for safe return of these funds from the attacker to the treasury.

Rationale

The contract was deemed safe and there were no announcements or need to move off the contract until the full exploit was discovered on August 6th, 2023, because of an investigation done by @dmosites & @agriimony on the affected wallet(s) listed above.

  • Vulnerability in contract was not previously noticed for more than 2 years
  • Unfortunately, some funds were stolen before the solution was identified
  • DAO treasury to be used first to compensate affected user(s)
  • Stolen funds to be recouped by the DAO treasury by offering bounty to attacker, otherwise law enforcement action will be taken

Vulnerable addresses

  • 10 wallets still vulnerable to the exploit
  • These addresses are advised to revoke any permissions to 0x704 immediately
  • Any AST which enters these wallets (e.g., unstaked from their current positions) is at risk of being stolen. The DAO will not be responsible for any further losses.
  • DAO members are also reminded that it is good practice to revoke permissions to older contracts when no longer required.

Address                                     Current AST at risk
0x54a33c7d2ad57802330848d2e108013a76beeafc  129,955
0x4ad649d4ae6a3eade9ed4a9b7f2ce604ac45226b  38,108
0x1c92efdb6c924cb2acf7dceec29b7abb69ab58bc  5,000
0xd2ddb0e1c223a873c77ee80497e9d82c1002e483  1,004
0xcde77ac6dd66e935a08f83818e3aeac4df923407  662
0x3058b47fe95934e60b1f9bd7a3068de9ec049016  0
0x90ab40b0907499af174842aee0dc06bedd4f276d  0
0xbe122d120cb41fe12e227753d71287c3938e57cb  0
0x82961424d5cf32c311bbed183d5c4e47d0b54c6f  0
0x1a1e852f970a231d32271c88162e222a09c1650a  0

COPYRIGHT

Copyright and related rights waived via CC0.
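The mechanism the proposal describes (an ERC-20 approval granted to 0x704 being used by a third party to stake a victim's AST and then unstake it to themselves) can be modelled without the real contract. The block below is an added example, not code from this issue or from the project: the source of 0x704 is not on the page, so `VulnerableStaking` is a hypothetical reconstruction of the bug class, and `FixedStaking` is one way to close it. The token ledger, the addresses `0xVICTIM`, `0xATTACKER` and `0xSTAKING`, and all balances are constructed for the example. `at_risk` computes the quantity the "Current AST at risk" column reports: the smaller of a wallet's balance and the allowance it still grants to the old contract.

```python
"""Added example (not the page's or the project's code): an in-memory model of the
approval-based drain described in AIP 89. The staking contract is a hypothetical
reconstruction of the bug class: stake() pulls tokens from a caller-supplied `from`
address while crediting msg.sender, and unstake() pays msg.sender. All addresses
and balances below are constructed placeholders."""

from typing import Callable, Dict, Tuple

Address = str
VICTIM: Address = "0xVICTIM"        # constructed; plays the role of the drained wallet
ATTACKER: Address = "0xATTACKER"    # constructed; plays the role of the exploiter
UINT256_MAX = 2**256 - 1            # the usual "infinite" approval value


class Token:
    """Minimal ERC-20 style ledger: balances plus (owner, spender) -> allowance."""

    def __init__(self, balances: Dict[Address, int]) -> None:
        self.balances: Dict[Address, int] = dict(balances)
        self.allowances: Dict[Tuple[Address, Address], int] = {}

    def approve(self, owner: Address, spender: Address, amount: int) -> None:
        # ERC-20 approve(spender, amount) called by `owner`; approving 0 revokes.
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner: Address, spender: Address) -> int:
        return self.allowances.get((owner, spender), 0)

    def balance_of(self, owner: Address) -> int:
        return self.balances.get(owner, 0)

    def transfer(self, sender: Address, to: Address, amount: int) -> None:
        if self.balance_of(sender) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] = self.balance_of(sender) - amount
        self.balances[to] = self.balance_of(to) + amount

    def transfer_from(self, spender: Address, src: Address, to: Address, amount: int) -> None:
        # transferFrom is gated only by the allowance `src` granted to `spender`
        # (the staking contract); the token cannot see who asked the spender to call.
        if self.allowance(src, spender) < amount:
            raise PermissionError("insufficient allowance")
        self.allowances[(src, spender)] = self.allowance(src, spender) - amount
        self.transfer(src, to, amount)


class VulnerableStaking:
    """Hypothetical stake(from, amount) that trusts the caller-supplied `from`."""

    ADDRESS: Address = "0xSTAKING"  # constructed; plays the role of the old contract

    def __init__(self, token: Token) -> None:
        self.token = token
        self.staked: Dict[Address, int] = {}

    def stake(self, caller: Address, src: Address, amount: int) -> None:
        # BUG: tokens leave `src` under src's own approval, but the position is
        # credited to `caller`, so anyone can stake on behalf of an approver.
        self.token.transfer_from(self.ADDRESS, src, self.ADDRESS, amount)
        self.staked[caller] = self.staked.get(caller, 0) + amount

    def unstake(self, caller: Address, amount: int) -> None:
        # Pays out to whoever holds the position, i.e. the caller of stake().
        if self.staked.get(caller, 0) < amount:
            raise ValueError("insufficient stake")
        self.staked[caller] -= amount
        self.token.transfer(self.ADDRESS, caller, amount)


class FixedStaking(VulnerableStaking):
    """Same contract, but a stake may only be funded from msg.sender."""

    def stake(self, caller: Address, src: Address, amount: int) -> None:
        if src != caller:
            raise PermissionError("stake can only pull from msg.sender")
        super().stake(caller, caller, amount)


def at_risk(token: Token, owner: Address, spender: Address) -> int:
    """Tokens `spender` could pull from `owner` right now: bounded by both the
    balance and the remaining allowance (the AIP's "Current AST at risk")."""
    return min(token.balance_of(owner), token.allowance(owner, spender))


def run_drain(contract: Callable[[Token], VulnerableStaking], victim_allowance: int) -> int:
    """Victim holds 1,000 tokens and has granted `victim_allowance` to the staking
    contract; the attacker stakes the victim's tokens and unstakes to itself.
    Returns the attacker's balance afterwards."""
    token = Token({VICTIM: 1_000, ATTACKER: 0})
    staking = contract(token)
    token.approve(VICTIM, staking.ADDRESS, victim_allowance)
    exposed = at_risk(token, VICTIM, staking.ADDRESS)
    if exposed == 0:
        return 0  # approval revoked (or nothing held): there is nothing to pull
    try:
        staking.stake(ATTACKER, VICTIM, exposed)
        staking.unstake(ATTACKER, exposed)
    except PermissionError:
        pass  # the hardened contract refuses a third-party `from`
    return token.balance_of(ATTACKER)


if __name__ == "__main__":
    print("vulnerable, infinite approval:", run_drain(VulnerableStaking, UINT256_MAX))
    print("vulnerable, approval of 400  :", run_drain(VulnerableStaking, 400))
    print("vulnerable, approval revoked :", run_drain(VulnerableStaking, 0))
    print("fixed,      infinite approval:", run_drain(FixedStaking, UINT256_MAX))
```

The model makes the two practical points of the proposal concrete: the loss is bounded by the allowance the wallet still grants to the old contract, so an unlimited approval exposes the whole balance and an approval of 0 (the "revoke" the AIP asks for, i.e. calling `approve(0x704..., 0)` on the AST token) exposes nothing; and a contract that only ever pulls from `msg.sender` cannot be abused this way even while approvals remain.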

@sephrok sephrok changed the title AIP 99 AIP 89 Aug 14, 2023
@sephrok sephrok changed the title AIP 89 AIP 89: Exploitable Old Contract & Recovery of AST Aug 14, 2023

sephrok commented Aug 14, 2023

Appreciate any comments, suggestions or ideas for recovery, finding the exploiter, etc.

@gpxl-dev

Hi @sephrok,

First of all, sorry to hear that this happened and that you were affected.

As mentioned in discord, I think it makes sense to offer a small percentage to be treated as a whitehat bug bounty to the exploiter in exchange for the full amount being returned. This could perhaps be covered by the protocol/treasury.

A deadline by which funds should be returned, and details of where to (and how -- I know they sold the AST). The attacker should strongly consider this because from a cursory glance it's possible to link their account to at least two exchanges that are cooperative in these scenarios - FixedFloat and Newton. It appears that the latter, a Canadian exchange, requires KYC, so I do think it will be quite possible to find this person.

Even if these avenues end up being fruitless, the exploiter does not appear to have covered their tracks very well, and I am quite confident that they could be traced fairly easily.


sephrok commented Aug 15, 2023

NOTE @agriimony started a new draft here:
https://docs.google.com/document/d/1kW76vkGNgfdVl8y3jv6BrYAduZCfLyaNx7-6AquiAbo/edit?usp=sharing

I will update this one as it gets finalized-- unless i can add @agriimony as a co-author?

@agriimony
Contributor

Hm, the last time I tried, only the OP could edit, so go ahead and update it once we are done with the draft :)


sephrok commented Aug 25, 2023

Updated the AIP as rewritten by @agriimony

Previous version available by clicking the edits history.

@dmosites dmosites changed the title AIP 89: Exploitable Old Contract & Recovery of AST AIP 89: Compensation and bounty for exploited contract vulnerability Sep 1, 2023