Type of the Contribution: Responsible Disclosure of a vulnerability in Math
Beneficiary address: 7P8MoDh9x8hMNmoytYYbHBJLmLNZUP4AgGuDCEKNLJ5jJavo
Requested amount: 403,225 HDX ($5,000 at $0.0124 - 7d EMA on Kraken)
On December 18th, the Galactic Council team received, via responsible disclosure, a report about a potential vulnerability in Math. The immediate investigation showed that, in a very isolated edge case, the calculation of an exponent could return a wrong result. This only concerns the LBP implementation. The team concluded that the vulnerability is practically non-exploitable: there are no running LBPs, but even if there were, the nature of the edge case would make it extremely unlikely that it could be exploited. A fix has been prepared and will be deployed with the next Runtime upgrade (https://github.com/galacticcouncil/HydraDX-node/pull/720).
Although the report does not qualify as critical, the HydraDX Council should promote the reporting of any suspected vulnerabilities via the supported channels: Immunefi or directly via email to firstname.lastname@example.org.
For this reason, I propose to tip the reporter.
A team called Galactic Council received a report about a potential problem with Math.
They found out that it was unlikely that the problem could be used by someone else.
The team fixed the problem and will put it in the next upgrade.
Even though the problem was not very serious, the team wants people to report any problems they find.
The person who reported the problem might get a reward.