New DNSSEC registrar bounty

I am recommending that the @Ecosystem_Stewards approve a payout of $100,000 for a critical vulnerability found in an undeployed version of the DNSSEC registrar code.

To be clear - this is a bug that was discovered before the code was deployed to the chain or made active; no user is directly affected by it. The bug is in our release candidate that was due to be put forward for a vote shortly.

If it had been deployed as-is, it would have allowed anyone to claim or update a DNSSEC name owned by any other user. A full description of the bug is here; tl;dr: a critical check was deleted in a refactor and not restored.

As a result of this, ENS Labs is making the following changes:

  1. We will formalise our smart contract release process to specify that all deployments are preceded by a release candidate, published at least 2 weeks before deployment to the chain and announced in this forum. Release candidates will be eligible for the full bug bounty amount. If an audit is to be conducted, it will be done prior to tagging the code as an RC.
  2. We will engage code4rena for an audit on the DNSSEC code prior to deployment, at ENS Labs’ expense. I’ve already begun engaging with them on this.

This is the largest bounty ENS has yet paid out for a vulnerability. We’re grateful to the submitters for finding this bug before it could impact anyone.

17 Likes

Two weeks is not enough for a mission critical audit. At the minimum it should be 6 weeks, but better 12.

It is honorable to stand by bug bounty payments. Many of the top companies don’t pay, even for zero days, unless you are very well connected, and still, that sometimes is not enough now if you are from a country like Russia or Syria.

Still, that said, given this bug bounty affects your bags, could you please consider removing the inflammatory pin to your Twitter? Seriously, if I find a bug, I’m probably not submitting it just for this post existing as I would love to turn the tables on you. It’s not about money for me. If the tables are turned, I would rather you see the error in your judgment, than for everyone else to remain protected.

I think I’m not alone as a dev jaded by the arrogance of others in the space. It’s more satisfying to sell vulnerabilities or exploit them yourself than to notify through appropriate channels. The attitude of ‘f-off into the sun’ is all too common. Careful what you wish for!

1 Like

See the Code of Conduct here: Code of Conduct - ENS DAO Governance Forum

This is not civil or respectful language, and it’s mostly off-topic anyway. Constructive criticism is welcome, like suggesting a longer audit period with your reasoning. But please leave personal attacks or inflammatory language out of it on these forums. Please, and thank you :pray:

3 Likes

You replied to the wrong person I think!

1 Like

The ENS DAO forums are separate from Twitter. People are free to speak their mind on other social media platforms, as the forum CoC does not apply there.

Please keep these forums civil and on-topic.

2 Likes

Alrighty. I hate to sound like a whiny complainer but I have some questions:

Was this DNSSEC code not part of the C4 audit? It is mentioned here:

It seems it was? Yet this bounty is being proposed for > the entire code4rena pot that was possible during that time?

While a bug I reported was awarded the would-be C4 prize of “3k USD + 200 ENS tokens” so just a bit confusing on how these bounty payouts are determined based on what criteria?

Also on the general subject of bounties. I think ENS should consider updating its bounty rules to state that any bug resulting in loss of users’ funds or names (if it is something ENS itself could fix/control) should be considered as medium/high according to the price scale found here:

Bug Bounty Program - ENS Documentation

Not just “contract related” vulnerabilities.

This includes web2 bugs such as persistent XSS that could potentially drain / transact on behalf of the user in a hidden way. On the main ENS site for example (not XSS based off ENS names on other sites such as Etherscan - which I also reported recently).

Also bugs similar to my previous bug reports which involved cloning names that could have been dumped / sold prior to being reported impacting those users/funds. Some of us are still waiting on the document that lists all of those names to see if any were sold prior to reporting btw. It was never made public I think?

5 Likes

You are the one being biased and derailing the conversation. I have been paid a bug bounty from Nick personally in the past (actually I didn’t accept, but it was offered). If you think I dislike Nick, you are wrong. I commended the leadership of treating bug bounties seriously.

It’s not off topic to bring his Twitter in here. This is where the news of this action was disseminated. He uses his Twitter for official business of the ENS DAO, thus it is more than just a personal Twitter.

There is no personal attack, rather a stern suggestion that he is alienating people who trusted him with the role of leading this project, and the very people who can discover bugs in an audit. Would I report it again to him if I found a bug? At this point, I would not based upon his discourse on Twitter. That is extremely relevant here.

2 Likes

Who cares. It’s now obvious that you are here on your emotions’ volition rather than for the better of the project. I’ll be hard pressed to take you seriously from here on out, @Ronald.

Please stay on topic. This is not relevant to the discussion.

No seriously, it needs to be said.
If you have a personal issue with someone’s tweet, take it to Twitter.
The direction of this thread you are attempting to steer isn’t supporting anything for the embodiment. This affects no personal bags. The only bag at the counter is the ENS DAO Treasury and its weight does not have anything to do with your personal sentiment.

Yes, though the contract has had changes since then.

It’s entirely normal to pay less for an audit than a bug bounty, because the bug bounty is intended to catch issues that would otherwise be exploited on mainnet.

That’s a great point :slight_smile: Work on an updated version of the Bug Bounty document has actually already started and can be found here:

I hope to revise it for more clarity in the near future as there have been a few outliers lately.

5 Likes

We approve (@Limes @Yambo).

We also want to echo Nick’s comments on how grateful we are to the submitter and to all others who are scouring the code for bugs :saluting_face:

8 Likes