@amphibiousParakeet all releases of HydraDX-node are being checked in diff before being tested, after that the same hash is being used for the upgrade proposal. It is extremely unlikely that any runtime code could be pushed and go by unnoticed. Hence, the reported vulnerability did not make it into the Blockchain / DLT category.
Assuming that frontends could be exploited and that this could lead to loss of funds, we accepted it as Critical in the category Websites and applications. Keep in mind that such an exploit would be detected and mitigated very quickly, and the $5k payout corresponds to a potential $50k loss of funds (10% of economic damage).
Our Immunefi bug bounty covers only direct damages. A quote: "Indirect damages such as reputational damage are out of scope. "
The decision of the security committee and Council is final and we would like to close this topic here. Of course, we cannot stop you from donating to the whitehat a higher payout, should you choose to do so.
@cl0w I can't help but feel like we lowballed them on this. If you have time, could you explain what protections we have that would have minimized the impact. I get that we are a business, and it's in stakeholders interests to pay as little for things as possible, but unless I am mistaken, this was more than minimum critical and more than just web and app.
From my reading on these attacks, with admin control of github, they could have uploaded new collator binaries and gained control of collator systems, stealing any keys and censoring transactions. They could have launched a governance attack, and censored all votes against, which ultimately would have failed, but would have caused way more than $5k worth of damage to our reputation.
Even just deleting our repository and leaving a cheeky "All Your Base..." note would have caused a lot of damage to our reputation.
And since this was classified in the web and app section, I am guessing they could have potentially injected code into the web app? If so, this would have been game over for us, as transactions are getting redirected to attackers accounts and wallets are being drained. Although the smart play would probably have been to wait for TC/Council to interact with the web app.
When we do runtime upgrades, do we have a process in place that would have guarantee prevented lolmcshizz from updating the runtime to something with injected code?
In my view, omnipool's value proposition is strong. The main concern for me is risk of hack. I want to project an image that we reward whitehats generously.
Unless I am way off base in my understanding of the threat here, an attacker could have done significantly more than $5k worth of damage to my personal portfolios value. If Hydra isn't going to payout, I feel inclined to do so myself. Unless I have misunderstood.
Edited