Proposal Link
https://gardens.1hive.org/#/xdai/garden/0x8ccbeab14b5ac4a431fffc39f4bec4089020a155/proposal/109
Proposal Information
Proposal description:
I would like to request a compensation in honey for everyone who helped securing 1hive after the Honeyswap domain hijack and after the discovery of critical vulnerability that was found in the Hooked Token Manager.
- In the honeyswap domain hijack, we secured the domain, pushed a new frontend so everyone’s browser cache would be flushed, and returned the funds of everyone who got rekt.
- More recently we received a bug report on a critical vulnerability on the token manager that could obtain most of the funds of the Unipool contract of a Boboli Garden. Presumably the problem has been solved before it could be exploited by anyone.
Proposal Rationale
Keeping 1hive, its services and the rest of the gardens safe is a must. We passed proposals to return the funds to the people who lost the funds and to reward the people who reported the token manager bug, but we haven’t rewarded the people who solved the problems from the 1hive side yet.
Expected duration or delivery date (if applicable):
N/A
Team Information (For Funding Proposals)
Names, usernames, and/or relevant social links for team members (Twitter, Github, 1Hive Forum, etc.):
Honeyswap domain hijack (based on the chat messages, maybe I’m leaving somebody outside unfairly, please tell me so if it’s the case):
- lkngtn - was the one who dealt with the domain company, and got the most troubles by the incident.
- gabi - one of the first people to act, and who dealt with the migration of the services to more secure places (cloudflare, ens…)
- sem - worked non-stop all the week to secure the site and return the funds to everyone.
- luigy - brought a lot of expertise on top of the table to deal with the problem.
- mrtdlgc - dealt with the communications with the community.
- DogeKing - conducted initial research of the hack, dealt with communications and people who didn’t receive the reimbursement the first time.
- solarmkd - dealt with communications and helped people who didn’t receive the reimbursement the first time.
Token manager exploit:
- sem - performed the changes in the contracts, redeployed them, and created the upgrade votes with EVMcrispr.
- gabi - reviewed the changes, found the address who could upgrade the token manager.
- will - reviewed the changes, executed the transaction to publish the new version in the APM.
Funding Information (For Funding Proposals)
Amount of HNY requested:
385 HNY (~$15,000 at current price)
Ethereum address where funds shall be transferred:
0x946fF42F745b2573c540fDAaE584e3DE48bE77C0
More detailed description of how funds will be handled and used:
We will perform two coordinapes to distribute the funds between the people who helped mitigate the issue.
- $10,000 worth of HNY will be distributed among the people who contributed solving the 1hive domain hijack.
- $5,000 worth of HNY will be distributed among the people who contributed solving the token manager exploit.