SIP-16: BlockSec Whitehack Bounty + Blackhat Bounty Agreement

Summary

Pay BlockSec a ~10% bounty for their whitehack efforts and recovery of funds during the exploit on Apr-30th.

Given that most of the maliciously hacked funds have now been flagged, and cannot be cashed out, Saddle is offering 10% of the funds as a bounty in exchange for their swift return. If the blackhats choose to cooperate-- they will send 100% of the funds to Saddle’s multi-sig, of which 10% will be sent back as a clean bounty. If the funds are successfully returned, Saddle will be bound by governance to pay the 10% bounty to the blackhats.

Abstract

This SIP seeks to compensate BlockSec with a bounty as an acknowledgment of their whitehack efforts in the Metapool exploit on Apr-30th. The exact nature of their involvement is detailed here.

This SIP also seeks to negotiate with the blackhats.

Background

On Apr-30th, 2022, a bug was discovered in Saddle’s Metapool contracts by a blackhat hacker that resulted in $10.2m being drained from one of the pools. Thanks to quick acting by the BlockSec team, $3.97m worth of vulnerable funds were whitehacked and secured.

Specification

Pay BlockSec a 1,323,340 SDL bounty from the treasury. This amount is intended to be roughly equal to 10% of the amount BlockSec secured from the vulnerable pool– with SDL as priced by the community in SIP-13. Recovered funds will be distributed to affected LP’s pro-rata.

Agree to pay a 10% bounty to the blackhats upon returning the stolen funds, as per the conditions laid out in the summary of this SIP.

For: Pay BlockSec a 1,323,340 SDL bounty from the protocol treasury and distribute the recovered funds to affected LP’s pro-rata. Agree to blackhat negotiation terms laid out in the summary of this SIP.

Against: No change.