[Temp Check] Governance Security: Compensating blockful for preventing a potential attack on the ENS DAO

Summary

This proposal aims to compensate the blockful team for their work in identifying, analyzing, reporting and mitigating a severe vulnerability in ENS DAO’s governance structure.

Background

In March 2024, blockful uncovered a critical vulnerability that could have led to a ~$150M theft and protocol capture. Their subsequent work led to the implementation of the Security Council, significantly enhancing ENS DAO’s resilience against attacks.

Contribution Details

The team involved is a different squad than the one working on the scope of the ENS service provider. It was developed by 2 researchers, 1 smart contract engineer and 4 different auditors the team has worked with previously. Summing up to ~600 hours, the scope includes:

  • Comprehensive vulnerability assessment and risk analysis: Here is our detailed security report.
  • Data analysis of ENS governance metrics and study of past DAO attacker’s behaviors.
  • Design, development and deployment of the Security Council contract and multisig.
  • The Security Council was designed with several key features to balance security and decentralization.
  • Smart contract implementation and testing (GitHub)
  • Governance proposal drafting and support [1, 2, 3]

More details can be found on the links above for past proposals and the report.

Compensation Rationale

As a team that is totally bootstrapped and never received any investment, this supports us in keeping the initiative sustainable given the resources invested in it. The requested amount represents fair compensation for:

  • The potential loss prevention of ~$150M and the capture of the DAO and protocol. The attack is anything but theoretical: there are actually many groups of investors who specialize as “risk free value raiders”, and they have exerted this attack on other DAOs before. Currently there are unknown whales who have been buying ENS for 450+ days and hold ~2M ENS (more than the average quorum) in one wallet, showing how feasible the scenario is.
  • A critical code bug bounty in ENS is $250k USDC. Our work was much beyond identifying and disclosing.
  • Significantly lower cost compared to standard rates charged by other security service providers in the DAO space, which typically demand liquid compensation. An example is that OpenZeppelin (one of the most reputable players in security) charges $4M/year at Compound, which recently suffered this type of attack.
  • Months of dedicated work by the team involved (researchers, devs and auditors).
  • The long-term value added to ENS through enhanced security.
  • Our commitment to ENS’s long-term success and continued contribution, as evidenced by the 2-year vesting schedule.

Compensation Structure

  • Total amount: 100k USDC + 15k vested ENS tokens
  • Vesting period: 2 years
  • Vesting start date: April 8, 2024 (date of initial research disclosure)
  • Vesting schedule: Linear vesting

Benefits to ENS DAO

  • Sets a positive precedent that responsible vulnerability disclosure and correction are rewarded, encouraging future security contributions
  • Preserves DAO treasury liquidity by using part of the bounty in ENS tokens instead of USDC or ETH
  • Enhances governance security by increasing the number of engaged, security-focused token holders

Conclusion

By approving this compensation, ENS DAO acknowledges the critical importance of security research and proactive governance improvements. The vesting structure ensures ongoing commitment and aligns incentives for continued contribution to ENS’s security and stability.

9 Likes

Fully in support of this. Blockful identified a significant attack vector against the DAO, and not only alerted us to it but proactively worked to implement a solution. The compensation is well deserved, and the fact that they want a large portion of it in ENS tokens demonstrates their continued commitment to ENS and the ecosystem.

4 Likes

+1 here. Great work guys! Major potential security breach preemptively stopped.

3 Likes

Given Blockful is a service provider, your proposal reminds me of an episode of Curb Your Enthusiasm where Larry lends someone $10,000, only to find out they’re hosting a lavish party soon after. When confronted, the guy insists, “That’s not the $10,000 you gave me, that’s a different $10,000.”

You mentioned improved transparency and security on governance in your stream application and included governance research in your service provider report, so it is unclear to me where you draw the line for service provider work and different work.

3 Likes

The scope included in the service provider nomination post includes only reviewing calldata for executable proposals, which contributes to transparency and security on what is being executed.

The service provider's report explicitly mentions that the research related to the security council is out of scope.

In the end, it comes down to the allocation of the team. The squad working on the service provider scope is one team (and all the scope that was delivered and will be delivered is publicly available in this GitHub projects board); the team involved in this research was a parallel effort that involved the research team and others.

Rather than thinking about saving resources internally, we dedicated all necessary resources to addressing the attack vector.

I hope this clarifies. It’s a valid question. Thanks for addressing this concern, Limes!

2 Likes

It is decent work by Blockful and deserves fair reward.

However, the critical vulnerability is a basic 51% governance attack that doesn’t even need an introduction, and its potential impacts and possibilities were disclosed a priori 2 years ago by us on the forum. No action was taken at that time, though, since no single wallet exceeded the quorum then. 2 years later, someone has collected the tokens and made the possibility very real using a single wallet only. Enter Blockful, which claims the discovery for itself. The solution is a simple veto, which is hardly imaginative and hardly a permanent fix.

While Blockful should be rewarded for bringing to attention a growing threat, the amount that they are requesting is excessive, especially since they are a service provider already. Not to mention, they are carrying forward the work on a threat vector which was already disclosed; the only difference is that now a single wallet could capture the DAO instead of 2-3 wallets at the time of our disclosure.

We believe that NameSys should also be awarded a small amount of $10,000 in USDC and $10,000 USD equivalent in ENS tokens, alongside the reward to Blockful. Their work was far more extensive than ours and they should receive a major share. We, however, were first to detail and disclose and determine the extent of governance risk to ENS DAO. We had also shared our previous findings with Avsa and Blockful in their first thread reporting this vulnerability. We hope the DAO can find a way to be fair in its overall assessment of compensation for the involved parties.

We would also like to kindly request Blockful to include us in their TempCheck and earmark 10% (= $10,000) of their USDC rewards and 4.5% (= $10,000) of their ENS rewards for us.

4 Likes

ENS DAO hired Blockful, not person a, b, and c. Whoever did the work shouldn’t be pertinent to the customer.

I worry this proposal sets a precedent that every service provider should list the work they’ve done that wasn’t in their application and retroactively charge the DAO for it.

I’m glad that we are protecting the DAO through your work, but it’s surprising as I don’t think people knew you had intended to charge for it. If that had been known up front, there could have been an RFP process to find a market rate for this service and agreed upon terms.

5 Likes

Hello from dev B @NameSys :pray:
Here’s the old report from 2022 that @NameSys forgot to link…

This bounty request should follow ENS Bug Bounties | Immunefi process before requesting DAO to match that bounty with 15K vested $ENS.

Funds available in Immunefi/ENS bug bounty program
$237,877.17

*I’m not sure if the current bug bounty/eligibility criteria forbid service providers and/or grant receivers from the bug bounty?
From the Immunefi/ENS bug bounty info.

2 Likes

So you’re suggesting that we should have done an RFP and exposed a vulnerability to solve it? :thinking:

This should be seen more like a bug bounty than service providing. That said, it sets a positive precedent that responsible vulnerability disclosure and correction are rewarded, encouraging future security contributions.

A bug bounty just shows the vulnerability and how feasible it is. A critical bug is $250k USDC in the ENS Immunefi program. This is not a code vulnerability, but it still is a vulnerability, and the actions taken were the result of research.

And if there was no research and responsible disclosure, there is a scenario where the subject we would be chatting about today could be “How to continue ENS with the protocol captured and no treasury”. It seems crazy, but that was really how dangerous the situation was. The report clearly shows this.

We reported and raised awareness to the right stakeholders, solved the issue, and gave more time to find an appropriate solution in the next 2 years. So it was more than just a common bug bounty reporting, and yet it’s closer to $250k than $1m per quarter of the market rate of OZ on Compound (and that was exploited exactly by that attack vector).

I can understand where you’re coming from. It is worth reiterating that blockful provides services for ENS DAO inside this scope. Finding and solving an attack vector is another completely different thing. If the research done hadn’t shown any issue, then this proposal wouldn’t exist. It’s focusing on the outcome, not on the work.

1 Like

In this case, yes. Firstly, the vulnerability was exposed as soon as you posted about it in the forum. The solution came way later. Secondly, this is not a standard bug vulnerability where exposing it leads to a larger attack surface, because only one wallet could do the attack and they, I am sure, know the vulnerability already. If this wasn’t the case, you wouldn’t have disclosed the vulnerability first and then created the veto solution weeks later. This could have been an RFP after the initial disclosure. I agree with Limes on this. If this was an RFP, we’d have submitted our tested codes within 24 hours because we had already written and tested that suite after our first disclosure two years ago. It always seemed like Blockful was doing this work as a service to the DAO, and we didn’t interfere. Only now we have found that Blockful had plans to demand a large bug bounty. It wasn’t at all clear.

2 Likes

This isn’t the attack vector and metric to be concerned about.

One actor can have 1 or 100 different wallets. Recently, there was an unknown whale accumulating a lot of tokens in one wallet, showing how feasible it is. But it could go under the radar if it used many more wallets… (which it probably is)

The main metric that is the concerning attack vector and reason to attack ENS governance is:
Liquid treasury (the treasury not considering the DAO’s native governance token) - value of delegated tokens.


That’s the current situation without the outcomes of the research. I don’t think it’s safe.

This vector has existed since March 2023, after your work. I can’t consider your work as part of the bounty since it wasn’t used to guide the outcomes and doesn’t expose the actual reason for attacking the DAO, as you can see above. Sorry.

That’s not true. veto.ensdao.eth was created on 12th Apr, and the first time the situation was disclosed in the forum was on the same day in this post.

3 Likes
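As an added example (not code from Blockful, NameSys or the ENS DAO), the following Python sketch computes the two risk signals raised in this thread from a defender's monitoring point of view: the single-holder-versus-quorum check behind the proposal's whale observation, and the “liquid treasury minus value of delegated tokens” metric from the reply above. It also aggregates wallets believed to belong to one actor, since the reply notes that a single actor may spread tokens across many wallets. Every name, address label and figure below is constructed for illustration, not real ENS data; the rating thresholds are an assumption of this example.

```python
"""Governance capture risk monitor (added example; not ENS DAO or Blockful code).

Signals computed from a constructed governance snapshot:
  1. Does any single actor (one wallet, or several wallets believed to share
     an owner) already control at least quorum?
  2. Capture margin: liquid treasury minus the market cost of the votes the
     largest actor would still need to reach quorum.
  3. Delegated-value margin: liquid treasury minus the market value of all
     delegated tokens (the metric named in the thread).
"""
from dataclasses import dataclass, field


@dataclass
class GovernanceSnapshot:
    quorum_votes: float              # votes required for a proposal to pass
    token_price_usd: float           # market price of the governance token
    liquid_treasury_usd: float       # treasury excluding the DAO's own token
    delegate_votes: dict             # wallet label -> delegated voting power
    # wallet label -> actor label, for wallets believed to share one owner
    actor_of: dict = field(default_factory=dict)


@dataclass
class RiskReport:
    largest_actor: str
    largest_votes: float
    exceeds_quorum: bool
    votes_needed: float              # extra votes the largest actor would need
    acquisition_cost_usd: float      # votes_needed * token price
    capture_margin_usd: float        # liquid treasury - acquisition cost
    delegated_value_margin_usd: float
    rating: str


def votes_by_actor(snapshot):
    """Sum voting power per actor, mapping wallets to their suspected owner."""
    totals = {}
    for wallet, votes in snapshot.delegate_votes.items():
        actor = snapshot.actor_of.get(wallet, wallet)
        totals[actor] = totals.get(actor, 0.0) + votes
    return totals


def assess(snapshot):
    """Rate capture risk. Thresholds are this example's assumption."""
    if not snapshot.delegate_votes:
        raise ValueError("snapshot contains no delegates")
    actor, votes = max(votes_by_actor(snapshot).items(), key=lambda kv: kv[1])
    votes_needed = max(0.0, snapshot.quorum_votes - votes)
    cost = votes_needed * snapshot.token_price_usd
    capture_margin = snapshot.liquid_treasury_usd - cost
    delegated_value = sum(snapshot.delegate_votes.values()) * snapshot.token_price_usd
    delegated_margin = snapshot.liquid_treasury_usd - delegated_value
    exceeds = votes >= snapshot.quorum_votes
    if exceeds:
        rating = "critical"          # one actor can already pass proposals
    elif capture_margin > 0:
        rating = "high"              # buying the missing votes costs less than the prize
    else:
        rating = "moderate"          # capture would cost more than the liquid treasury
    return RiskReport(actor, votes, exceeds, votes_needed, cost,
                      capture_margin, delegated_margin, rating)


# Constructed sample: wallet_a and wallet_b are assumed to be one actor.
SAMPLE_SNAPSHOT = GovernanceSnapshot(
    quorum_votes=1_000_000,
    token_price_usd=20.0,
    liquid_treasury_usd=100_000_000,
    delegate_votes={"wallet_a": 700_000, "wallet_b": 500_000, "wallet_c": 300_000},
    actor_of={"wallet_a": "actor_x", "wallet_b": "actor_x"},
)

if __name__ == "__main__":
    report = assess(SAMPLE_SNAPSHOT)
    for name, value in report.__dict__.items():
        print(f"{name:>28}: {value}")
```

The same snapshot without the `actor_of` mapping rates only “high”, because no single wallet reaches quorum; the point of the aggregation step is that a per-wallet view can understate the risk.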

I stand corrected. Good job! :clap:

3 Likes

Blockful was hired to do other work, not this. I definitely don’t think we should set the precedent that being a service provider renders you ineligible for bug bounties (which part of this request effectively is), or to be compensated for other work outside the scope of your service provider responsibilities, whether requested proactively or retroactively.

I think it’s sensible to look at this as a combination of bug bounty and retroactive grant request. Both have a healthy history in this DAO and the wider Ethereum ecosystem. By doing the work first and requesting compensation later, Blockful were putting the wellbeing of ENS ahead of their own remuneration, and accepting the risk that they would not get paid for their work.

Though this followed responsible disclosure - allowing us to put the Veto contract in place first - it wasn’t submitted via immunefi, and it’s too late to do so now. I’m not sure offhand if it would be ruled in-scope, but in my mind it definitely warrants a bounty regardless.

I think it would set a bad precedent to disallow them. Obviously nobody should be eligible for a bounty on code he himself wrote, of course.

I would need to check to be sure, but I believe Blockful also disclosed attack vectors that require less capital outlay and risk for the attacker, such as incentivizing delegation to them.

3 Likes

I am biased because I participated in the research (but will not participate in any compensation regarding the issue) but I want to say the issue was not a simple 51% attack.

Together with Blockful we wrote a report that circulated internally describing how the attack could be done with as little as 20k ENS per month, by building a defi protocol (which Blockful was actually considering building before we found this) that would reward people who delegated to you. That could even be made cheaper if you were able to achieve a large amount of delegation quickly and borrowed (and shorted) the ENS needed.

Also, Blockful researched and fixed the issue with the Cancel function not working properly, which meant the 2 day delay of the time lock was useless, and that led to the creation of the security council.

5 Likes

The potential for an attack on the ENS DAO poses a significant risk not just to our governance, but to the confidence in decentralized models across Ethereum. A successful attack on ENS could undermine trust in governance structures, discourage participation, and deter investment across other projects in the space. This concern isn’t limited to ENS—it affects the whole ecosystem.

The need to differentiate between various types of vulnerabilities is paramount. This distinction is essential for determining when retroactive funding is justified and how we allocate resources to mitigate risks effectively. By clearly defining categories—such as proven vulnerabilities, potential vulnerabilities, executed but undiscovered vulnerabilities, and theoretical vulnerabilities—we can establish more transparent criteria for evaluating claims for compensation. This “line in the sand” helps ensure that retroactive funding is fair, justifiable, and proportional to the severity and impact of the issue identified. Whereas some individuals have also spent hours of their own time without any direction by any persons officially attached to ENS, with little or no response. Providing potential vulnerabilities has proven to not meet a standard for reward or retroactive compensation. The fact that multiple potential threats have been raised, with little action taken in response, raises concerns about how seriously governance structures are treating these potential risks.

If we want to actually strengthen the DAO to protect against attacks that involve majority control, then the DAO should consider spreading more tokens across more continually active members that have proven to consistently show face and be active in their contributions.

Since this also relates to protecting the DAO via token ownership, I would like to say that I believe the top 100 contributors on the forum should have at least 20k ENS tokens. Yet we are continually giving tokens to the same people and worry about majority attack potential despite knowing that those working on ENS are highly unlikely to do something like this… but yeah. Just my thoughts.

1 Like

I’m generally in favor of this proposal, but I would like to address concerns raised during a Meta-Governance Working Group call and in this thread which highlight some ambiguity regarding Blockful’s engagement with the ENS DAO.

Specifically, questions have emerged about whether Blockful’s efforts to identify and address a governance attack vector fall within the scope of their Service Provider engagement.

Blockful’s Service Provider Scope:

  1. In their Service Provider Application, while security reviews for executable proposals were included, Blockful excluded “DAO tooling to benefit the whole ecosystem” from their responsibilities as a result of their security review.
  2. Blockful contends that their role as a Service Provider allowed them to conduct deeper governance analysis, resulting in contributions like the creation of the Security Council, as noted in their report. However, these contributions may not fall under their original scope.

It seems the DAO knowingly engaged Blockful for the services outlined in their Service Provider application, with the understanding that certain tasks, such as “DAO tooling to benefit the whole ecosystem,” would fall outside the scope.

The question now is: does the governance security bounty fall under “DAO tooling,” and if so, shouldn’t the bounty be awarded by Meta-Governance? Or is it more like a bug bounty, as mentioned earlier in the thread? I’ll let @alextnetto.eth elaborate, but it seems that Security Review is an emergent responsibility deserving compensation for its successful contribution.

Should Security Review fall under the purview of Meta-Governance? If so, consideration should be given to including it in the budget for future terms, ensuring the onus does not fall on the DAO as a whole. Additionally, this discussion calls for a closer look at procedure, as we should strive to avoid ambiguity wherever possible.

Incentives matter. Approving this proposal sends a strong message. If you see a problem and you fix it for ENS in a responsible way, you will be rewarded.

One concern is the perceived overlap of duties.

[Gov] Security review for executable proposals

As discussed in multiple working group meetings, it would be great to have a third party verifying executable proposals. At Blockful, we also do security reviews (audits). - source

Rereading their initial application, it is quite clear that their governance portion was limited to reviewing executable proposals. This is not that.

The other issue is the amount of compensation. Per Netto, this could have cost ENS $150M; this understates the true cost due to incalculable reputational damage to ENS.

ENS’s official bug bounty has a max payout of $250k for a critical smart contract bug. That’s done to prevent existential threats to ENS by encouraging responsible disclosure. While I do not think this falls into the parameters of that program, it is useful as a point of reference for how ENS views critical problems.

The value of this proposal as presented is roughly $370k. This seems priced right with positive externalities, especially considering the vesting. I appreciate Netto handling this discussion with grace.

I will be voting for this.

1 Like

I fully support Blockful receiving compensation for identifying this risk and implementing a mitigation. I will be voting in favor of this temp check.


One administrative critique is that since we’re denominating the value of this work in dollars, for simplicity, I expect that future similar requests are expressed only in USDC or equivalent stable coins.

The DAO has available USDC for these expenses and we are already exploring governance alignment through other programs.

3 Likes

This is a tough one. I can see the issue with Blockful also being a service provider to the DAO for a similar service and how this looks a bit weird.

Also agree we should reward people who do good by the DAO and send the right message.

So leaning positive here, but I would like the procedures for these things to be better stated in the future to avoid ambiguities. The problems/ambiguities are very well explained by @estmcmxci’s post.

1 Like

The results are in for the [EP 5.21] [Social] Governance Security Bounty off-chain proposal.

See how the community voted and more ENS stats:

1 Like