Last week I found a massive “loss of funds” bug in the agnostic orderbook (AOB) repo.
Bonfida and Armani confirmed that the exploit was legit and have since been in touch with developers that may be using the AOB in production.
If Serum V4 had gone live with this version of the AOB code it could have led to the loss of all the funds in the quote currency vault (half of the TVL), not to mention the effect it could have had on other protocols utilizing the AOB and contributing fees to Serum.
I propose that Serum DAO pay a $1m bug bounty.
Despite the AOB not being used live yet, there are two reasons I would argue for such a high bounty:
- Finding this exploit revealed that the AOB has not been audited. Many people I talked to, including Armani and Jarry, thought that Neodyme had done an audit of the AOB. There was a good chance that the AOB could have gone live without a full audit if everyone had continued believing that one had already been done, placing the funds in Serum V4 at great risk.
- Serum needs to set a precedent that it will pay out large bounties for “loss of funds” bugs to encourage hackers to come forward with exploits rather than using them, as seen in the case of the $300m+ Wormhole hack. Although the code has not yet gone live, Serum does not want to create the incentive for hackers to wait until the code goes live before reporting such dangerous bugs. Furthermore, the impact of a high-profile hack on Serum could have wider implications than just the money stolen; it could lead to a loss of trust in both Serum and the Solana ecosystem as a whole.
Any bounty lower than $1m risks the chance that hackers will not see Serum’s “loss of funds” bug bounties as sufficiently worthwhile to choose reporting over exploiting Serum, which has a current TVL of $800m.