• © Goverland Inc. 2026
NFTX, proposed by 0x45d28aA363fF215B4c6b6a212DC610f004272bb5 (0xchop.lens)

XIP#2 Pay bug bounty to Samczsun

Voting ended almost 5 years ago. Outcome: Succeeded

Authors

ChopChop, Alex Gausman, Finesseboi

Glossary

DAO, Bug bounty, ERC721, ERC20

Summary

This proposal is intended to pay out a bug bounty of $50,000 to samczsun, who discovered a critical-severity bug in the NFTX vault-creation contract. The vulnerability was disclosed privately to Alex Gausman and was handled as a top priority, resulting in a contract upgrade.

Rationale

samczsun found a potential exploit that caused the DAO to pause the creation of new vaults (index funds) until a patch was available.

From Alex Gausman: “The NFTX contract works by creating an ERC20 token and linking it with the address of an ERC721 such that the only way to mint the ERC20 is to deposit the ERC721.

However, the NFTX contract does not actually create the ERC20 token itself, that is a separate operation which happens right before. What samczsun realized is that it would be possible to create a new fund using an already existing ERC20 fund token.

For example, someone could make a new “fund” with the existing GLYPH token and an arbitrary NFT contract (like GodsUnchained). After the new fund is created, that GLYPH token would then be connected to two different NFTs at once (both Autoglyphs and GodsUnchained), which would allow the attacker to mint GLYPH by depositing GodsUnchained cards (that are less scarce and less expensive). Then the attacker could use their new GLYPH tokens to redeem the more expensive autoglyph NFTs.”
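The mechanism Alex describes above, modelled as an added example that is not NFTX's contract code: a toy vault registry that binds a fund token (ERC20) to an NFT collection (ERC721), mints one fund token per deposited NFT and burns one per redemption. With `strict=False` the factory accepts any caller-supplied fund token, so an existing GLYPH token can be bound to a second, cheaper collection; the `strict=True` branch is an assumed mitigation (refuse to bind a fund token that is already linked to a vault), not a description of the actual upgrade. Token and account names are stand-in strings.

```python
from __future__ import annotations

# Constructed model of the vault-creation flaw described in XIP#2. Not NFTX code;
# names are stand-ins and the `strict` check is an assumed mitigation.


class VaultRegistry:
    def __init__(self, strict: bool) -> None:
        self.strict = strict
        self.vaults: dict[int, tuple[str, str]] = {}      # vault id -> (erc20, erc721)
        self.bound: set[str] = set()                      # fund tokens already linked
        self.nft_owner: dict[tuple[str, int], str] = {}   # (erc721, token id) -> owner
        self.balance: dict[tuple[str, str], int] = {}     # (erc20, holder) -> amount

    def mint_nft(self, erc721: str, token_id: int, owner: str) -> None:
        self.nft_owner[(erc721, token_id)] = owner

    def create_vault(self, erc20: str, erc721: str) -> int:
        # Flaw: the factory takes a caller-supplied ERC20 address and does not
        # check whether that token is already the fund token of another vault.
        if self.strict and erc20 in self.bound:
            raise ValueError(f"{erc20} is already bound to a vault")
        vault_id = len(self.vaults)
        self.vaults[vault_id] = (erc20, erc721)
        self.bound.add(erc20)
        return vault_id

    def deposit(self, vault_id: int, token_id: int, caller: str) -> None:
        # Lock the caller's NFT in the vault and mint one fund token to the caller.
        erc20, erc721 = self.vaults[vault_id]
        if self.nft_owner.get((erc721, token_id)) != caller:
            raise PermissionError("caller does not own that NFT")
        self.nft_owner[(erc721, token_id)] = f"vault:{vault_id}"
        key = (erc20, caller)
        self.balance[key] = self.balance.get(key, 0) + 1

    def redeem(self, vault_id: int, token_id: int, caller: str) -> None:
        # Burn one fund token and release the chosen NFT held by this vault.
        # The balance is keyed only by the ERC20, so tokens minted by any vault
        # that shares the same ERC20 are accepted here.
        erc20, erc721 = self.vaults[vault_id]
        if self.nft_owner.get((erc721, token_id)) != f"vault:{vault_id}":
            raise ValueError("NFT is not held by this vault")
        key = (erc20, caller)
        if self.balance.get(key, 0) < 1:
            raise PermissionError("insufficient fund tokens")
        self.balance[key] -= 1
        self.nft_owner[(erc721, token_id)] = caller


def run_scenario(strict: bool) -> dict:
    """Replay the attack path; returns who ends up holding the expensive NFT."""
    reg = VaultRegistry(strict)
    glyph_vault = reg.create_vault("GLYPH", "AUTOGLYPHS")
    reg.mint_nft("AUTOGLYPHS", 1, "alice")
    reg.deposit(glyph_vault, 1, "alice")   # alice holds 1 GLYPH, vault holds autoglyph #1

    reg.mint_nft("GODSUNCHAINED", 7, "mallory")
    try:
        rogue_vault = reg.create_vault("GLYPH", "GODSUNCHAINED")  # reuse existing GLYPH
    except ValueError:
        return {"blocked": True, "autoglyph_owner": reg.nft_owner[("AUTOGLYPHS", 1)]}
    reg.deposit(rogue_vault, 7, "mallory")  # mints GLYPH against a cheap card
    reg.redeem(glyph_vault, 1, "mallory")   # spends that GLYPH to take autoglyph #1
    return {"blocked": False, "autoglyph_owner": reg.nft_owner[("AUTOGLYPHS", 1)]}


if __name__ == "__main__":
    print(run_scenario(strict=False))
    print(run_scenario(strict=True))
```

With `strict=False` the scenario ends with mallory holding autoglyph #1 after depositing only a Gods Unchained card; with `strict=True` the second `create_vault` call is rejected and the autoglyph stays in the vault. Another way to close the same hole is for the factory to deploy the fund token itself during vault creation, so that no caller-supplied ERC20 address exists to reuse.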

For discovering this critical potential exploit and reporting it to us, we propose to pay a grant of $50,000 (paid in ETH), in line with industry standards (e.g. https://uniswap.org/bug-bounty).

This potential exploit was overlooked by the original auditor as well as by Alex. For future contract upgrades, it will be critical for the DAO to give security reviews as much attention as possible so that user funds remain unaffected.

Effect

Opportunity

  • Reward samczsun for disclosing the potential exploit, showing that NFTX as an organization highly values efforts put into reviewing code and reporting potential mishaps.
  • Set a precedent for others to disclose such information in the same way.

Risk

  • Moving forward, we must work on creating an NFTX bug bounty program so that the process is transparent about what is to be expected when reporting bugs/exploits. People shouldn’t be under the impression that contract upgrades, exploit disclosures and other similar activities are always dealt with on a case-by-case basis.

Specifications

If this proposal passes, samczsun will be paid $50,000 (fifty thousand dollars) from the treasury, paid in ETH, to a wallet address of his choice.

To fund this payment, $50,000 worth of ETH will be taken from the treasury, which can be tracked on Aragon.

Funding request - Yes - Implementation Requires Funding

  • $50,000 worth of ETH.

Communication

  • Discord: https://discord.gg/xcJkxMXSR8
  • Forum: https://forum.nftx.org/t/retroactive-bug-bounty/161/4

Quorum

  • Minimum Quorum: More than 10% of circulating, non-treasury NFTX must participate for a proposal to Pass.
  • Passing Threshold: More than 50% of voting tokens must vote FOR for the XIP to Pass. For changes to the NFTX contract, more than 70% of voting tokens must vote FOR for the XIP to pass.

Off-Chain Vote

Yes, pay grant to Sam: 158.58K (100%)
No, do not pay grant: 0 (0%)

Timeline

Mar 06, 2021: Proposal created
Mar 06, 2021: Proposal vote started
Mar 08, 2021: Proposal vote ended
Jun 04, 2024: Proposal updated