Type of the Contribution: Responsible Disclosure of a vulnerability in Math
Beneficiary address: 7P8MoDh9x8hMNmoytYYbHBJLmLNZUP4AgGuDCEKNLJ5jJavo
Requested amount: 403,225 HDX ($5,000 at $0.0124 - 7d EMA on Kraken)
On December 18th, the Galactic Council team received via responsible disclosure a report about a potential vulnerability in Math.
The immediate investigation showed that in a very isolated edge case, the calculation of an exponent could return a wrong result. This only concerns the LBP implementation.
The team reached the conclusion that the vulnerability is practically non-exploitable - there are no running LBPs, but even if there were, the nature of the edge case would make it extremely unlikely that it could be exploited.
A fix has been prepared and will be deployed with the next Runtime upgrade (https://github.com/galacticcouncil/HydraDX-node/pull/720)
Although the report does not qualify as critical, the HydraDX Council should promote the reporting of any suspected vulnerabilities via the supported channels: Immunefi or directly via email to security@hydradx.io
For this reason, I propose to tip the reporter.
I agree that any activity that helps discover and fix a possible bug or wrong maths should be rewarded
in my case I will vote in favor of the tip with the recommended amount