It is decent work by Blockful and deserves fair reward.
However, the critical vulnerability is a basic 51% governance attack that doesn’t even need an introduction, and its potential impacts and possibilities were disclosed a priori 2 years ago by us on the forum. No action was taken at that time, though, since no single wallet exceeded the quorum back then. 2 years later, someone has collected the tokens and made the possibility very real using a single wallet only. Enter Blockful, claiming the discovery for itself. The solution is a simple veto, which is hardly imaginative and hardly a permanent fix.
While Blockful should be rewarded for bringing to attention a growing threat, the amount that they are requesting is excessive, especially since they are a service provider already. Not to mention, they are carrying forward the work on a threat vector which was already disclosed; the only difference is that now a single wallet could capture the DAO instead of 2-3 wallets at the time of our disclosure.
We believe that NameSys should also be awarded a small amount of $10,000 in USDC and $10,000 USD equivalent in ENS tokens, alongside the reward to Blockful. Their work was far more extensive than ours and they should receive a major share. We, however, were first to detail and disclose and determine the extent of governance risk to ENS DAO. We had also shared our previous findings with Avsa and Blockful in their first thread reporting this vulnerability. We hope the DAO can find a way to be fair in its overall assessment of compensation for the involved parties.
We would also like to kindly request Blockful to include us in their TempCheck and earmark 10% (= $10,000) of their USDC rewards and 4.5% (= $10,000) of their ENS rewards for us.