Bug bounty for "loss of funds" bug in AOB

Last week I found a massive “loss of funds” bug in the agnostic orderbook (AOB) repo.

Bonfida and Armani confirmed that the exploit was legit and have since been in touch with developers that may be using the AOB in production.

If Serum V4 had gone live with this version of the AOB code it could have led to the loss of all the funds in the quote currency vault (half of the TVL), not to mention the effect it could have had on other protocols utilizing the AOB and contributing fees to Serum.

I propose that Serum DAO pay a $1m bug bounty.

Despite the AOB not being used live yet, there are two reasons I would argue for such a high bounty:

  • Finding this exploit revealed that the AOB has not been audited. Many people I talked to, including Armani and Jarry, thought that Neodyme had done an audit of the AOB. There was a good chance that the AOB could have gone live without a full audit if everyone had continued believing that one had already been done, placing the funds in Serum V4 at great risk.
  • Serum needs to set a precedent that it will pay out large bounties for “loss of funds” bugs to encourage hackers to come forward with exploits rather than using them, as seen in the case of the $300m+ Wormhole hack. Although the code has not yet gone live, Serum does not want to create the incentive for hackers to wait until the code goes live before reporting such dangerous bugs. Furthermore, the impact of a high-profile hack on Serum could have wider implications than just the money stolen; it could lead to a loss of trust in both Serum and the Solana ecosystem as a whole.

Any bounty lower than $1m risks the chance that hackers will not see Serum’s “loss of funds” bug bounties as sufficiently worthwhile to choose reporting over exploiting Serum, which has a current TVL of $800m.

4 Likes

For those interested the exploit was:

  • Place an order to sell 1 base token on the ask queue with an arbitrarily high price (e.g. $100,000,000 vs. the current trading price of $1).
  • Place a bunch of lower-priced sell orders on the ask queue.
  • This would force the attacker’s order off the orderbook and output an Event::Out on the event queue.
  • The event is then incorrectly processed by Serum V4 as a bid order instead of an ask, which is effectively the same thing as if the order had been filled at the much higher price.
  • This would allow the attacker to drain the quote currency vault with incorrectly filled orders.

Bonfida and Armani confirmed this exploit as valid.
4 Likes
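To make the settlement mistake described above concrete, here is a simplified model (added for this thread; not AOB or Serum code) of how an Event::Out must be settled according to the side the evicted order was on, with the side-blind version beside the corrected one. Order sizes, the price, and the balance struct are constructed for illustration.

```rust
// Simplified model of settling an Event::Out (an order evicted from the book).
// This is illustrative code, not the AOB or Serum V4 implementation.
#[derive(Clone, Copy, Debug, PartialEq)]
enum Side { Bid, Ask }

// An evicted order: base-token quantity and limit price in quote per base.
#[derive(Clone, Copy, Debug)]
struct OutEvent { side: Side, base_qty: u64, price: u64 }

// Balances the market credits back to the user when an order leaves the book.
#[derive(Debug, Default, PartialEq)]
struct Balances { base_free: u64, quote_free: u64 }

// Side-blind settlement modelled after the thread's description: every Out is
// treated as a bid, so the user is credited price * quantity in quote tokens
// even when the evicted order was an ask that only ever locked base tokens.
fn settle_out_vulnerable(ev: &OutEvent, bal: &mut Balances) {
    bal.quote_free += ev.price.checked_mul(ev.base_qty).expect("overflow");
}

// Corrected settlement: release exactly what the order locked when placed.
// An ask locked base tokens, so only base comes back; a bid locked quote.
fn settle_out_fixed(ev: &OutEvent, bal: &mut Balances) {
    match ev.side {
        Side::Ask => bal.base_free += ev.base_qty,
        Side::Bid => bal.quote_free += ev.price.checked_mul(ev.base_qty).expect("overflow"),
    }
}

// Settles the same evicted ask both ways and returns (buggy, fixed) balances.
// The quote credited by the buggy path was never deposited, which is why
// the quote vault could be drained under the original behaviour.
fn settle_evicted_ask(base_qty: u64, price: u64) -> (Balances, Balances) {
    let ev = OutEvent { side: Side::Ask, base_qty, price };
    let mut buggy = Balances::default();
    let mut fixed = Balances::default();
    settle_out_vulnerable(&ev, &mut buggy);
    settle_out_fixed(&ev, &mut fixed);
    (buggy, fixed)
}

fn main() {
    // Constructed figures matching the post: 1 base token at a $100,000,000 limit.
    let (buggy, fixed) = settle_evicted_ask(1, 100_000_000);
    println!("side-blind: {:?}\ncorrected:  {:?}", buggy, fixed);
}
```

The invariant a reviewer or auditor would check is that settling an Out never credits a currency the order did not lock; in this model only the corrected path holds it.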

Great work! I’d agree: reporting this sort of vulnerability ought to be well-rewarded (and well-publicized). As someone building a protocol which would be heavily affected by “loss of funds”-type exploits on Serum, I’m all for creating a standing bug bounty offer like the one you described.

Again, thank you for finding/reporting and great work!