Compound DAO vote to pay developer for major bugfix falls 15,000 votes short of quorum
Quick Take A vote by Compound DAO to reward a blockchain developer who reported and fixed a vulnerability that would’ve allowed a hacker to unprofitably steal funds failed, falling 15,000 votes short of a necessary 400,000 supporting vote quorum. Over 70% of votes cast were in favor of the proposal, which would have rewarded the developer with a payout of $125,000 for his work.
By all appearances, pseudonymous developer 'KP' did everything right after discovering a vulnerability with Compound COMP +0.98% 's v3 protocol, also known as Comet. The vulnerability would've allowed a hacker to directly steal user funds, though at a massively unprofitable cost — it would cost an attacker billions in gas fees to steal $1 million in funds, KP estimated.
After finding and validating the vulnerability, KP reported it to Compound and its security partner OpenZeppelin, along with a code repository containing a proof-of-concept simulation of the attack. The bug was promptly patched, and so KP made a "humble" request to Compound DAO: a reward of $125,000, a little over 80% of the $150,000 maximum Compound DAO rewards for bug bounties, a figure prominently displayed on the protocol's website .
In his proposal, KP explained that a bug bounty would help in "greatly motivating security researchers and developers in identifying and disclosing Compound bugs and vulnerabilities in the future." KP added that he's developing a startup on the Comet protocol, and that the reward would "greatly prolong our runway and enable us to see through our efforts of providing value and becoming a mainstay of the ecosystem."
KP's proposal brought with it endorsements from Kevin Cheng, head of protocol at Compound Labs, and Michael Lewellen, head of solutions architecture at OpenZeppelin, who praised KP's professionalism in fixing the bug during the DAO's discussion of the proposal .
However, despite more than two-thirds support among delegates for the reward, the vote failed , falling just 15,000 votes of a necessary 400,000 vote quorum to pass. The vote appeared far from passing for most of the voting period, though a last-minute vote by VC Andreesen-Horowitz brought 256,000 votes in favor. Unfortunately for KP, it wasn't enough to reach quorum.
Compound's guidelines for the bug bounty program state that the protocol intends to "pay generous rewards for eligible discoveries based on the severity and exploitability of the discovery," though clarifies that such rewards are decided "at Compound’s sole discretion."
KP's cause was also supported by Wintermute, though crypto VC firm Polychain failed to register any vote — even a vote abstaining — despite being the largest holder of COMP tokens, according to Tally.xyz. None of the parties involved could be immediately reached when asked for comment by The Block.
KP has since resubmitted the proposal, asking for a reward of $100,000 instead.
Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.
You may also like
BTC breaks through $95,500
BTC breaks through $95,000
Musk: xAI is about to launch an AI game studio
The dollar index fell to 106, the lowest level since November 13