Retroactive Bug Bounty

Another upgrade was made to the NFTX contract this morning (following a successful DAO vote). As most readers are aware, fund creation has been paused for the past couple weeks. Earlier last month, samczsun contacted me about a possible high level exploit which I will attempt to explain.

Background

Basically the NFTX contract works by creating an ERC20 token and linking it with the address of an ERC721 such that the only way to mint the ERC20 is to deposit the ERC721. However, the NFTX contract does not actually create the ERC20 token itself, that is a separate operation which happens right before. What samczsun realized is that it would be possible to create a new fund using an already existing ERC20 fund token. For example, someone could make a new “fund” with the existing GLYPH token and an arbitrary NFT contract (like GodsUnchained). After the new fund is created, that GLYPH token would then be connected to two different NFTs at once (both Autoglyphs and GodsUnchained), which would allow the attacker to mint GLYPH by depositing GodsUnchained cards (that are less scarce and less expensive). Then the attacker could use their new GLYPH tokens to redeem the more expensive autoglyph NFTs.

Solution

The patch for the contract is to delegate ERC20 token creation to the createVault method, so that a new ERC20 token is always deployed for each new fund. We have also implemented this in such a way that should save on gas during fund creation. Big thanks to Owen (and also Vasa) for helping.

Proposal

We have not paid samczsun back yet for bringing this to our attention. I believe a reward of at least $50,000 should be given to him, from the treasury—if everyone is okay with that. I am also open to other figures of course.

Final Comments

After this particular bug bounty to samczsun is paid out we can consider a general system for bug bounties in the future.

Poll
  • Yes, withdraw $50k of ETH from treasury
  • No, let’s consider an alternative

0 voters

100% onboard, as this amount seems to be in line with other DeFi bug bounties for critical severity bugs.

Will vote yes.

2 Likes

Certainly need to show that we’re paying bounties on bugs.

As long as this is in line with what others in the industry are willing to pay, I agree.

1 Like

As mentioned, fully for this to become a Snapshot proposal. As we’ve doubled down on a structured process for governance (thanks @finesseboi!), I’ve rephrased your story into a structured draft proposal below.

If no one objects in the coming 24h, I’d suggest pushing this on Snapshot as a 48-hour vote. When this vote passes, we can pay Sam on Tuesday.


XIP#2 Pay bug bounty to Samczsun

Authors

ChopChop

Glossary

DAO
Bug bounty
ERC721
ERC20

Summary

This proposal is intended to pay out a bug bounty of $50,000 to samczsun, who has discovered a bug of critical severity in the vault creation contract of NFTX. The vulnerability was disclosed in private to Alex Gausman and was swiftly dealt with as a top priority, resulting in a contract upgrade.

Rationale

A potential exploit was found by samczsun which caused the DAO to pause the creation of new vaults (Index funds) until a patch was available.

From Alex Gausman: “The NFTX contract works by creating an ERC20 token and linking it with the address of an ERC721 such that the only way to mint the ERC20 is to deposit the ERC721.

However, the NFTX contract does not actually create the ERC20 token itself, that is a separate operation which happens right before. What samczsun realized is that it would be possible to create a new fund using an already existing ERC20 fund token.

For example, someone could make a new “fund” with the existing GLYPH token and an arbitrary NFT contract (like GodsUnchained). After the new fund is created, that GLYPH token would then be connected to two different NFTs at once (both Autoglyphs and GodsUnchained), which would allow the attacker to mint GLYPH by depositing GodsUnchained cards (that are less scarce and less expensive). Then the attacker could use their new GLYPH tokens to redeem the more expensive autoglyph NFTs.”

For discovering this critical potential exploit and pointing it out to us, we propose to pay a grant of $50,000 (paid in ETH), in line with industry standard (i.e. https://uniswap.org/bug-bounty).

This potential exploit was overlooked by the original auditor, as well as by Alex. For future contract upgrades, it will be critical for the DAO to keep as much attention on security reviews as possible to make sure user funds remain unaffected.

Effect

Opportunity

  • Reward samczsun for disclosing the potential exploit, showing that NFTX as an organization highly values efforts put into reviewing code and reporting potential mishaps.
  • Set a precedent for others to disclose such information in the same fashion.

Risk

  • Moving forward, we must work on creating an NFTX bug bounty program so that the process is transparent about what is to be expected when reporting bugs/exploits. People shouldn’t be under the impression that contract upgrades, exploit disclosures and other similar activities are always dealt with on a case-by-case basis.

Specifications

If this proposal passes, samczsun will be paid $50,000 (fifty thousand dollars) from the treasury, paid in ETH, to a wallet address of his choice.

To acquire this amount, $50,000 worth of ETH will be taken from the treasury, which can be tracked on Aragon.

Funding request - Yes - Implementation Requires Funding

  • $50,000 worth of ETH.

Communication

Proposed points of discussion.

  • Who volunteers to work on a bug bounty program proposal?
  • Bounty Amount vs Total Exploitable Amount

Quorum (For forum)

  • Minimum Quorum: At least 5 votes
  • Passing Threshold: More than 50% must vote in agreement for the XIP to Pass. For changes to the NFTX contract, more than 70% must vote in agreement for the XIP to pass.
4 Likes
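The vault-creation flaw described in the Background and Solution sections of the opening post, and quoted again in the Rationale of XIP#2 above, comes down to one design choice: whether the factory accepts the address of a fund token that was deployed in a separate, earlier step, or deploys that token itself inside createVault. The following is an added illustration, not NFTX's own code, showing a minimal factory in both forms. All names (FundToken, VulnerableVaultFactory, HardenedVaultFactory, the held mapping) are hypothetical, and the per-vault holdings check in redeem is an extra invariant added here that the thread does not describe.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical, simplified vault factory (not NFTX's code) illustrating the flaw
// described in the thread and the fix: the factory deploys the fund token itself.

interface IERC721 {
    function transferFrom(address from, address to, uint256 tokenId) external;
}

// Minimal fund token: only the address that deployed it may mint or burn.
contract FundToken {
    string public name;
    address public immutable minter;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    constructor(string memory _name) {
        name = _name;
        minter = msg.sender; // whoever deploys the token controls its supply
    }

    function mint(address to, uint256 amount) external {
        require(msg.sender == minter, "not minter");
        totalSupply += amount;
        balanceOf[to] += amount;
    }

    function burn(address from, uint256 amount) external {
        require(msg.sender == minter, "not minter");
        balanceOf[from] -= amount; // reverts on underflow in 0.8.x
        totalSupply -= amount;
    }
}

// BEFORE: the token is created in a separate, earlier step and its address is
// passed in. Nothing ties that address to exactly one NFT contract, so the same
// token can be registered for a second collection and back both at once.
contract VulnerableVaultFactory {
    struct Vault { address nft; FundToken token; }
    Vault[] public vaults;

    function createVault(address nft, FundToken existingToken) external returns (uint256) {
        vaults.push(Vault(nft, existingToken));
        return vaults.length - 1;
    }
}

// AFTER: createVault deploys a fresh token, so each vault's token is bound to
// exactly one NFT contract and only this factory can mint or burn it.
contract HardenedVaultFactory {
    struct Vault { address nft; FundToken token; }
    Vault[] public vaults;
    // vaultId => tokenId => held, so a redemption can only withdraw NFTs that were
    // deposited into that same vault (extra invariant, not taken from the thread).
    mapping(uint256 => mapping(uint256 => bool)) public held;

    event VaultCreated(uint256 indexed vaultId, address indexed nft, address token);

    function createVault(address nft, string calldata tokenName) external returns (uint256 vaultId) {
        FundToken token = new FundToken(tokenName); // minter == this factory
        vaults.push(Vault(nft, token));
        vaultId = vaults.length - 1;
        emit VaultCreated(vaultId, nft, address(token));
    }

    // Deposit one NFT of the vault's collection and receive one fund token.
    function mint(uint256 vaultId, uint256 tokenId) external {
        Vault storage v = vaults[vaultId];
        IERC721(v.nft).transferFrom(msg.sender, address(this), tokenId);
        held[vaultId][tokenId] = true;
        v.token.mint(msg.sender, 1e18);
    }

    // Burn one fund token and withdraw a chosen NFT that this vault actually holds.
    function redeem(uint256 vaultId, uint256 tokenId) external {
        Vault storage v = vaults[vaultId];
        require(held[vaultId][tokenId], "not held by this vault");
        held[vaultId][tokenId] = false;
        v.token.burn(msg.sender, 1e18);
        IERC721(v.nft).transferFrom(address(this), msg.sender, tokenId);
    }
}
```

The property to review in any factory of this shape is that the minting authority for a fund token can only ever be exercised on behalf of a single NFT contract. In the hardened form that holds by construction, because the token's minter is fixed at deployment and the factory only mints through the vault that owns it; a reviewer checking an upgrade can confirm it by verifying that no external entry point accepts a caller-supplied token address.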

Vote now active on Snapshot!

https://snapshot.vote/#/nftx.eth/proposal/QmV6taLorJ5eGxB5XqxJWNm3dm76kLEdvoPDG53k8ecBg8