I propose to award BTBlock a 30,000 SRM bug bounty award.
BTBlock is a security group that recently audited the Serum order book in partnership with Kudelski Security and found a high severity bug. No tokens were at risk for any markets, and the bug has since been patched here, where a check for the close_authority on market vaults has been added. However, there was the potential for a malicious market lister to steal funds. Specifically, an attacker could:
- List a market with coin_vault token accounts such that the close_authority on the token accounts is set to the attacker.
- Close the token accounts and reopen them with the delegate set.
- Steal all the tokens in the vault by using the delegate.
Again, all Serum markets have been verified to have not been affected and the patch introduced protects all future markets.
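The check the patch adds is easiest to understand against the packed SPL Token account layout. The following is an added illustration, not code from the Serum repository or from BTBlock's report: it parses a 165-byte token account with only the standard library and rejects any vault whose close_authority or delegate COption is set, or whose owner is not the expected vault signer. The owner value and the `make_token_account` helper are constructed for the example; the field offsets are those of the spl-token `Account` layout (mint 0..32, owner 32..64, amount 64..72, delegate COption at 72, state at 108, is_native COption at 109, delegated_amount 121..129, close_authority COption at 129).

```rust
// Added example, not Serum's own code. A listing-time check on market
// vault token accounts, mirroring the idea of the close_authority patch.
// Layout constants follow the spl-token packed Account (165 bytes).
const TOKEN_ACCOUNT_LEN: usize = 165;
const OWNER_OFFSET: usize = 32;
const DELEGATE_OPTION_OFFSET: usize = 72;
const CLOSE_AUTHORITY_OPTION_OFFSET: usize = 129;

#[derive(Debug, PartialEq)]
pub enum VaultError {
    WrongLength(usize),
    WrongOwner,
    DelegateSet,
    CloseAuthoritySet,
}

/// A COption<Pubkey> is a 4-byte little-endian tag (0 = None, 1 = Some)
/// followed by the 32-byte key. Only the tag matters for this check.
fn coption_is_some(data: &[u8], offset: usize) -> bool {
    let tag = u32::from_le_bytes([
        data[offset],
        data[offset + 1],
        data[offset + 2],
        data[offset + 3],
    ]);
    tag != 0
}

/// Reject a vault that could later be closed and recreated (close_authority
/// set) or drained directly (delegate set), or that is not owned by the
/// expected vault signer. Checking delegate alone is not enough: the holder
/// of close_authority can close the account and reopen it with a delegate
/// after listing, which is the sequence described in the proposal.
pub fn check_vault(data: &[u8], expected_owner: &[u8; 32]) -> Result<(), VaultError> {
    if data.len() != TOKEN_ACCOUNT_LEN {
        return Err(VaultError::WrongLength(data.len()));
    }
    if &data[OWNER_OFFSET..OWNER_OFFSET + 32] != expected_owner {
        return Err(VaultError::WrongOwner);
    }
    if coption_is_some(data, DELEGATE_OPTION_OFFSET) {
        return Err(VaultError::DelegateSet);
    }
    if coption_is_some(data, CLOSE_AUTHORITY_OPTION_OFFSET) {
        return Err(VaultError::CloseAuthoritySet);
    }
    Ok(())
}

/// Constructed test data: build a packed token account blob with the given
/// owner and optional delegate / close_authority. Mint is a placeholder.
pub fn make_token_account(
    owner: &[u8; 32],
    delegate: Option<&[u8; 32]>,
    close_authority: Option<&[u8; 32]>,
) -> Vec<u8> {
    let mut d = vec![0u8; TOKEN_ACCOUNT_LEN];
    d[0..32].copy_from_slice(&[1u8; 32]); // mint (placeholder)
    d[OWNER_OFFSET..OWNER_OFFSET + 32].copy_from_slice(owner);
    d[108] = 1; // state = Initialized
    if let Some(k) = delegate {
        d[72..76].copy_from_slice(&1u32.to_le_bytes());
        d[76..108].copy_from_slice(k);
    }
    if let Some(k) = close_authority {
        d[129..133].copy_from_slice(&1u32.to_le_bytes());
        d[133..165].copy_from_slice(k);
    }
    d
}

fn main() {
    let vault_signer = [7u8; 32]; // constructed stand-in for the market's vault signer
    let attacker = [9u8; 32]; // constructed stand-in for a malicious lister
    let clean = make_token_account(&vault_signer, None, None);
    let bad = make_token_account(&vault_signer, None, Some(&attacker));
    println!("clean vault: {:?}", check_vault(&clean, &vault_signer));
    println!("vault with close_authority: {:?}", check_vault(&bad, &vault_signer));
}
```

In an on-chain program the same decision would normally be made after unpacking the account with the spl-token crate rather than by reading raw offsets; the raw parse is used here only so the example runs without dependencies.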