Security Bounty for Recent Smart Contract Bugs

Recently, a security researcher got in touch with the developers of Kolibri and informed us of two possible exploits in the codebase.

  1. Savings Rate Exploit

    It was possible to trick the Savings Pool into taking all of the money from the stability fund. This would have greatly enriched the users of the Savings Pool. By providing ~4k kUSD to the Savings Pool and utilizing this trick, it was possible to withdraw almost 500k kUSD to the attacker.

    The Kolibri stability fund currently custodies $533,000 kUSD.

  2. Infinite Minting Exploit

    A second exploit utilized a re-entrancy bug to mint kUSD without backing it by collateral. This would effectively allow an attacker to mint as much kUSD as they wanted. This bug was severe enough that we initiated a protocol-wide pause and immediately remediated it.

In both cases, the researcher responsibly disclosed the bugs to us, and they worked with us through the mitigation and remediation process. This work seems deserving of a bug bounty, and we should decide what that is, as we have done in the past.

Note that the protocol has 41k kUSD in the developer fund, but we could also disburse some of the stability fund if needed (533k kUSD), since this could qualify as a black swan event.

Poll: What bounty should we pay for these bugs?

  • 5,000 kUSD
  • 10,000 kUSD
  • 25,000 kUSD
  • 50,000 kUSD
  • 100,000 kUSD
  • Other (leave a comment)


I think 20% of the stability fund is OK for me. I mean 100k USD (533k * 20% = 106k). I think less than 100k is too small. We should encourage researchers to be white-hat hackers.