[EP 5.23] [Executable] Governance Security Bounty

Summary

This proposal aims to compensate the blockful team for their work in identifying, analyzing, reporting and mitigating a severe vulnerability in ENS DAO’s governance structure.

Background

In March 2024, blockful uncovered a critical vulnerability that could have led to a ~$150M theft and protocol capture. Their subsequent work led to the implementation of the Security Council, significantly enhancing ENS DAO’s resilience against attacks.

Contribution Details

The team involved is a different squad than the one working on the scope of the ENS service provider. It was developed by 2 researchers, 1 smart contract engineer and 4 different auditors the team has worked with previously. Summing up to ~600 hours, the scope includes:

  • Comprehensive vulnerability assessment and risk analysis: Here is our detailed security report.

  • Data analysis of ENS governance metrics and study of past DAO attacker’s behaviors.

  • Design, development and deployment of the Security Council contract and multisig.

  • The Security Council was thought with several key features to balance security and decentralization.

  • Smart contract implementation and testing (GitHub)

  • Governance proposal drafting and support [1, 2, 3]

More details can be found on the links above for past proposals and the report.

Compensation Rationale

As a team that is totally bootstrapped and never received any investment, this support us to keep it sustainable with the resources invested towards this initiative. The requested amount represents fair compensation for:

  • The potential loss prevention of ~$150M, capture of the DAO and protocol. The attack is anything but theoretical and there are actually many groups of investors who specialize in “risk free value raiders”. They have exerted the attack on other DAOs before. Currently there are unknown whales buying ENS for +450 days and have ~2M ENS, showing how feasible the scenario is, more than the average quorum, in one wallet.

  • A critical code bug bounty in ENS is $250k USDC. Our work was much beyond identifying and disclosing.

  • Significantly lower cost compared to standard rates charged by other security service providers in the DAO space, which typically demand liquid compensation. An example is that Open Zeppelin (one of the most reputable players in security) charges $4M/year at Compound, which recently suffered this type of attack.

  • Months of dedicated work by the team involved (researchers, devs and auditors).

  • The long-term value added to ENS through enhanced security.

  • Our commitment to ENS’s long-term success and continued contribution, as evidenced by the 2-year vesting schedule.

Compensation Structure

  • Total amount: 100k USDC + 15k vested ENS tokens

  • Vesting period: 2 years

  • Vesting start date: April 8, 2024 (date of initial research disclosure)

  • Vesting schedule: Linear vesting

Benefits to ENS DAO

  • Sets a positive precedent that responsible vulnerability disclosure and correction are rewarded, encouraging future security contributions

  • Preserves DAO treasury liquidity by using part of the bounty in ENS tokens instead of USDC or ETH

  • Enhances governance security by increasing the number of engaged, security-focused token holders

Conclusion

By approving this compensation, ENS DAO acknowledges the critical importance of security research and proactive governance improvements. The vesting structure ensures ongoing commitment and aligns incentives for continued contribution to ENS’s security and stability.

3 Likes

Calldata security verification

The simulation and tests of EP 5.23 can be found here . Calldata matched the proposal description as expected. The proposal was simulated by proposing, passing, executing, and asserting the difference between states after the USDC and ENS transfer operations

This can be checked by cloning the repo and running:
forge test --match-path src/ens/proposals/ep-5-23/* -vvvv