BTBlock Bug Bounty Award

I propose to award BTBlock a 30,000 SRM bug bounty award.

BTBlock is a security group that recently audited the Serum order book in partnership with Kudelski Security and found a high-severity bug. No tokens were at risk for any markets, and the bug has since been patched here, where a check for the close_authority on market vaults has been added. However, there was the potential for a malicious market lister to steal funds. Specifically, an attacker could:

  • List a market with pc_vault and coin_vault token accounts such that the close_authority is set on the token accounts to the attacker.
  • Close the token accounts and reopen them with the delegate set.
  • Steal all the tokens in the vault by using the delegate.

Again, all Serum markets have been verified to have not been affected and the patch introduced protects all future markets.

1 Like
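To make the patched check concrete, here is an added example (not Serum's own code) that validates a vault token account the way a listing program should: it parses the standard 165-byte SPL Token account layout and rejects any account whose close_authority is set, and, as a further precaution beyond the fix described above, any account with a delegate already set. The byte offsets assume the standard SPL Token account layout; the sample accounts are constructed in code, not real on-chain data.

```rust
// Standard SPL Token account layout (165 bytes):
//   mint 0..32 | owner 32..64 | amount 64..72 | delegate COption<Pubkey> 72..108
//   state 108 | is_native COption<u64> 109..121 | delegated_amount 121..129
//   close_authority COption<Pubkey> 129..165
// COption<T> is a 4-byte little-endian tag (0 = None, 1 = Some) followed by T.
const TOKEN_ACCOUNT_LEN: usize = 165;
const DELEGATE_OFFSET: usize = 72;
const STATE_OFFSET: usize = 108;
const CLOSE_AUTHORITY_OFFSET: usize = 129;

#[derive(Debug, PartialEq)]
pub enum VaultError {
    WrongLength,
    NotInitialized,
    CloseAuthoritySet, // the condition the Serum patch now rejects
    DelegateSet,       // extra defence-in-depth check added in this example
}

fn coption_is_some(data: &[u8], offset: usize) -> bool {
    let tag = [data[offset], data[offset + 1], data[offset + 2], data[offset + 3]];
    u32::from_le_bytes(tag) == 1
}

/// Validate raw token-account bytes before accepting the account as a market vault.
pub fn check_vault_account(data: &[u8]) -> Result<(), VaultError> {
    if data.len() != TOKEN_ACCOUNT_LEN {
        return Err(VaultError::WrongLength);
    }
    if data[STATE_OFFSET] != 1 {
        return Err(VaultError::NotInitialized);
    }
    // A vault with a close_authority can be closed and re-created by that authority,
    // which is exactly the sequence the report describes; reject it at listing time.
    if coption_is_some(data, CLOSE_AUTHORITY_OFFSET) {
        return Err(VaultError::CloseAuthoritySet);
    }
    if coption_is_some(data, DELEGATE_OFFSET) {
        return Err(VaultError::DelegateSet);
    }
    Ok(())
}

/// Build a constructed (hypothetical) initialized token-account image for testing.
pub fn sample_account(close_authority: Option<[u8; 32]>, delegate: Option<[u8; 32]>) -> Vec<u8> {
    let mut data = vec![0u8; TOKEN_ACCOUNT_LEN];
    data[STATE_OFFSET] = 1; // AccountState::Initialized
    for (offset, key) in [(DELEGATE_OFFSET, delegate), (CLOSE_AUTHORITY_OFFSET, close_authority)] {
        if let Some(key) = key {
            data[offset..offset + 4].copy_from_slice(&1u32.to_le_bytes());
            data[offset + 4..offset + 36].copy_from_slice(&key);
        }
    }
    data
}
```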

We’re in support of this. Reasonable proposal, and certainly a good cause.

2 Likes

Support 100%, these kinds of things should be rewarded

1 Like