Story of a Bee - Why Farming was Delayed

Hello everyone

Farming went live a few days ago, but many wonder - why the delay? It was supposed to be
released roughly 2 weeks ago and so, in this post, I’ll explain what happened behind the
scenes.

September 23rd: Suspicion
On September 23rd I put up proposal #17. I was asking for 12.5 Honey in return for community growth. Just a regular proposal, right? Yes, but only for some time.

When there were around 23-24 hours left, my friend contacted me about a bug. I thought he
was trolling at first.

What was the bug?
You could vote on any proposal unlimited times, provided you had Honey from the start. This meant the following - anyone could drain the common pool within hours, if not minutes, if they put some time into it, dump 6,000 Honey tokens on Honeyswap and bridge back over to Ethereum mainnet with hundreds of thousands of dollars, if not millions. So, out of curiosity we tested out the bug with minimal amounts on proposal #17, but there was one problem - when the proposal became executable, we couldn’t execute. There was no Metamask popup, nothing. Within a few minutes I contacted Ikngtn, he’s one of the Seed members, and he executed the proposal for me. Ikngtn mentioned that the platform had a lot of frontend bugs, so we tried the bug once again to see if it was the use of the bug that made the proposal unexecutable.

September 24th: 100 Honey
The very next day, after proposal #17 passed, we put up another one, this time, we wanted to
see if we could:
a) Fund the proposal from start to finish with the bug
b) Execute it without the devs
A few hours were left until we could execute it and the devs contacted us via a Twitter post that
we included in the proposal. The proposal got removed.

The deal:
The deal both parties agreed to was the following - 50 Honey tokens were to be paid, after that,
we would share our knowledge about the bug and after 2 weeks, when the bug was going to be
fixed, the devs would support our proposal for 50 Honey tokens. 50 beforehand and
50 after the bug was fixed.

2 weeks pass and the devs refuse to support our proposal. Why? Because we used the bug on
2 separate proposals and they claimed our intent was malicious from the start.
The problem with the accusations is that, yes, we used the bug on proposal #17, but, as I stated
before, we could NOT execute the proposal, one of them had to do it manually for us. We
weren’t sure if it was the bug that caused another bug and so we gave it another try the next
day. We were still experimenting with the bug.

All of the projects are based on trust. However decentralized they might claim to be, everything
starts off centralized and as usual, the power, authority and fame that 1Hive developers got
from Honeyswap got to their heads. When we were waiting for them, they thought about the bug
and they thought about it hard. What conclusion did they arrive at? “We paid those guys 50
Honey, why should we pay more? They got enough. What can they do if we don’t pay? Nothing.”

When we asked them to support our proposal, their way of answering could only be compared
to - no, you got enough, now f*ck off. They did not even ask questions, maybe there was some misunderstanding. No, they straight up interpreted the facts however it fit their narrative. Well, only one of them communicated with us at this point. Within a few hours, another dev joined, he said that he saw our point of view and that it was plausible (that we did not have malicious intent from the start) and that he, along with other dev(s), would be supporting our proposal.

They staked 374 Honey tokens on our proposal. 2 days pass and I go to check the proposal and 300 Honey was removed. Why? A few mods (I’m not going to name anyone, but you know who you are) made up some conspiracy theory that I somehow: 1) Tried to exploit the bug on the 1Hive platform 2) Created a huge botnet which drained the xDai Faucet 3) Also created multiple fake BrightID accounts, had them verified and used that to give myself points to manipulate Pollen.
At this fucking point, I’m fucking Kevin Mitnick, aren’t I?

In reality, after I wrote the article on “Honey Faucet” I helped 5 of my friends set up Metamask, Faucet and BrightID (all of them got verified). I had problems with Honeyswap, I could not trade, so I messaged Gabi about it (One of the Seed members), he said he would forward the bug to others.
Then I contacted one of my friends and used his wallet to trade on Honeyswap (I set them up with 50 cents in xDai for gas fees) and it’s because of this reason that they say I own all of the 5 wallets and BrightID accounts. But we all know what they were trying to do and I’m not talking about 2 devs who supported our proposal, I’m talking about the others. They’re looking for reasons to not pay us the rest.

They think they can steamroll us, just because Honeyswap is more or less a successful project.
Thinking they were the pioneers of decentralization, in the process, they became the ones they
despise, authoritative leaders who broke the deal they made because power got to them. They know they hold hundreds of Honey and most of the power and authority, what do we have? Just a story.

Why am I writing this here? To tell 1Hive community what really happened. You need to hear
the truth and the truth is, we found a bug by which anyone could drain the common pool
within hours and dump it on Honeyswap market, leaving you holding worthless bags of Honey and
bridging your xDai/Eth to the mainnet. For finding this critical bug, co-operating with the team
and trusting the devs that they would hold up their end (pay after the bug was fixed), what
did we get? We only got 50 Honey and that, I assume, was just because we would tell them
what the bug was. After we did, they couldn’t care less, they even went out of their way to find
any reason which could be used to not pay the rest and also, to put the cherry on top, accused us of manipulating Pollen with multiple verified BrightID accounts and draining the xDai Faucet.

This is what power does to people. It corrupts them. They even thanked us for not rinsing them.
But who are they other than few devs with hundreds if not thousands of Honey? It’s the community that would suffer.
For finding this critical bug, we struck a deal, then got told that they would not support our proposal,
then some would eventually support it, but after 2 days, that support got pulled again.

So, I guess, it was us who got their rugs pulled.

This is our proposal, if you feel like we deserve what we were promised for finding the bug which would cost us, not the devs, us, the community, hundreds of thousands of dollars, if not millions, feel free to support our proposal - https://1hive.org/#/proposal/88

Thank you for everything.

6 Likes

People have been asking for proof, here is a screenshot from Discord channel - https://imgur.com/a/AqJQZPC

5 Likes

While I can see your point, you got well over $50k for reporting a bug and you’re complaining about the other 50? I’d just leave it. Can you post your wallet address where you received the 50 so we can see if you’ve been dumping?

3 Likes

While I can see your point, you got well over $50k for reporting a bug and you’re complaining about the other 50?

lol, I agree.

They are actually really complaining about a 50HNY (~50k usd) reward for a bug discovery?

1 Like

Following your logic, anyone can agree to any deal and not follow through because of personal reasons.

Here is the wallet - https://blockscout.com/poa/xdai/address/0xD941c7cB6047fF41701b00997A13Df82EE70f405/transactions

We sold 50 Honey, took out 30% or so and were keeping the rest in the following wallet - https://blockscout.com/poa/xdai/address/0xb27eb2C13CCECa4d105D5Fc1eBa080AF74E80A27/transactions

Our plan was to provide liquidity when farming went live with the remaining Honey that we would receive.

5 Likes

We made a deal. Devs agreed to 100 Honey in total, 50 before and 50 after. We haven’t received 2nd half because they don’t want to pay anymore.

If you feel comfortable trusting someone who agrees to a deal and doesn’t follow through, it’s your problem.

5 Likes

I reserve my judgement until Luke posts as I’d like to see more of the conversation but on the face of it this doesn’t put me off honey. I think 50 is more than fair. That’s more than google pays for bug bounty

1 Like

We can discuss what is fair, but the deal was made. It’s not right to agree to something and later on change your mind. Deal is a deal.

6 Likes

I agree with @cryptoclip.
I also wanna point out that the “conspiracy theory” about you trying to manipulate Pollen is not unfounded; I’d remind you that you and/with this “Chadder” account once reacted with 5 emojis to the same meme (may I add, a really lowfi one).
I’ve got no proof that you have malicious intent, but your behaviour does look suspicious as hell to me at least.
I wonder what you would’ve done if you didn’t need a seed member to execute the proposals… I guess we will never know.

2 Likes

What would’ve happened if farming went live and the bug were still there. I guess we will never know.

Deal is a deal. Pollen has nothing to do with the bug. That’s just someone trying to find reasons not to follow through.

5 Likes

hello ~ ^.^/
so the reason why you wrote this is because you want 50 HNY more? as part of the deal ~ not because they did not publicly state that to investors in the project ~~

what you wrote is important for HNY holders to know ~ because I know there are problems with HNY distribution~

No, the deal was 100 Honey in total. 50 before and 50 after the bug. After 2 weeks pass, the developers decided that we got enough and so they wouldn’t be following through with the deal.

The main point to take away is that - unless the project doesn’t put up official bug bounty programs and/or keeps its word, there won’t be any incentives for people to find bugs/test the platform and people will lose trust in it.

We were not going to get 2nd payment as they agreed either way. This is up to the community at this point.

4 Likes

oki ~ so they changed their mind about giving you another 50 HNY ~ and because of that you don’t trust them?

I do like the official bug bounty idea

It’s up to individuals to decide whether they trust anyone.

5 Likes

I disagree, 50k seems to me like a great incentive
after reading this I actually feel motivated to find bugs lol

3 Likes

What was the price of Honey on September 24th?

There are some concerns in this story.

  1. After you had contacted lkgn and he executed the 12.5 HNY proposal, did you inform him of this bug? Or did you just exploit it to have the 12.5 HNY released to you?
  2. Who paid the first 50 HNY? Or was it from the common pool?
  3. The deal to have the balance of 50 HNY given to you via a proposal which the developers and seeds will back implies that the conviction voting mechanism means nothing, because seeds and developers can just support whatever proposal they wish to pass and it’ll pass, or the community will find it difficult to pass a proposal without involving them. Or am I missing something here?

Having raised these concerns, here is my first impulsive take on this affair, as I’m still yet to hear anything from any of the seeds or developers to get the full story.
Not to sound offensive or anything, but I say this is a classic case of greed and here are my reasons. @xdaifandom since you arrived here about 4 weeks ago you have been causing quite a stir :sweat_smile:. From your ridiculous proposals demanding significant amounts of HNY to accusations of sybil attacks to farm Pollen, then to accusations of attacking the xDai faucet, and now this. You got 50 HNY ($50,000) but you want another 50, using the deal as an excuse to try to force the developers to pay. And when you saw you weren’t getting a cent more, you resorted to denting their reputation and by extension jeopardizing the project.

If you ask me, I quite agree with those that said your intent was malicious because, judging from the way you were aggressively fishing for HNY via your proposals (you actually exploited this bug to fund one), it’s hard not to believe that you actually tried to exploit this vulnerability when it came to your notice, and when you could not exploit it with your friends you decided to go the bounty route because you were unable to execute and claim HNY.

Finally, I cannot begin to explain how important and powerful transparency is in a DAO such as what we have here, and it will be nice if one of the seeds or developers can clear the air. Once again, I’ll continue to preach that any HNY we decide to spend via the common pool should be a function of what it translates to in percentage of the honey pot. Paying 1.4% of the total HNY we have in the honeypot because someone discovered a bug is too much IMO.

7 Likes

I don’t want to spend a bunch of time on this so will keep it pretty short.

  1. We didn’t have an established bug bounty program, establishing one with the community should be a priority so that expectations can be aligned in the future.
  2. After the issue was reported (publicly on twitter) we got in contact with the party (calling themselves chadder) at the time, they presented themselves as a group of security researchers/devs who would provide insight into the issue and be ready to audit the issue after it had been resolved.
  3. As soon as the issue was reported we started to investigate and pretty quickly found that the issue was related to a mistake in the installation when we updated conviction voting to support signaling proposals. There is a step where the conviction voting app is registered with the token manager that ensures that when a transfer happens, the conviction voting app can call a function to ensure that the transferred tokens don’t continue to accrue conviction. This was a big mistake on our part and put the common pool honey at risk; we had reserved the ability to adjust the conviction voting parameters from a dev account, and used that to disable conviction funding proposals until the issue could be resolved.
  4. While we were confident that we had found the issue before it was fully disclosed, and were able to mitigate, we wanted to work with the guy who reported it and assumed that they were being upfront about things, and while the requested amount seemed high (even for high severity bug disclosures) we didn’t have a policy, liquidity was low, and ideally this team of security researchers would end up also supporting the project in the future. So we agreed to pay 50 honey among ourselves directly, and support a proposal for the other 50 honey after everything was resolved.
  5. After paying, it seemed pretty clear that chadder was not actually a security researcher or dev, but more of an opportunist who happened to find an obvious issue but didn’t completely understand how the contracts were working. After further investigation we realized that the account that made the proposal was related to an earlier proposal by xdaifandom where the bug was also used, and so we concluded that it was likely xdaifandom or someone close to him that was chadder. We confronted him, because we felt that we had been misled and that the disclosure was not really responsible and was purposefully hiding relevant details.
  6. We weren’t really sure how to proceed with the second half of the proposal, and there were differing opinions. I don’t want to speak for others but my opinion on the situation is this: xdaifandom/chadder has already gotten well compensated for reporting a serious issue, but has been deceptive and dishonest in how he has interacted, both in this situation but also with respect to his initial proposal (which was approved but then none of the promised output materialized), and in his interactions with multiple accounts (chadder and xdaifandom and possibly others) on discord, and so despite agreeing to support the proposal initially, I do not intend to support it now, and would encourage others not to either.

16 Likes

Conviction proposals work based on an activation threshold, it doesn’t require consensus, and so if there is sufficient support to pass a proposal it can be passed even by a minority of stakeholders. This is a feature of the system and in my opinion is what makes it such a useful mechanism for a DAO, because it’s possible for stakeholders to take the DAO in opposing directions without the need to reach consensus, and the mechanism itself regulates this process such that the flow of funds is limited with respect to stake and time.

That said, the current iteration of conviction voting isn’t perfect, especially since stake is still relatively concentrated (simply due to parabolic growth over the last month). There is another thread discussing this and some of the potential improvements that could be made (some of which are already actively being worked on) to improve proposals and protect the DAO from whales abusing the proposal mechanism: Funding proposal attack vectors

3 Likes
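The two posts above describe the root cause (the conviction voting app was not registered with the token manager, so tokens that left a wallet kept accruing conviction) and the activation-threshold rule (a proposal executes once accumulated conviction crosses a threshold, with no consensus needed). The following toy model, added here as an example and not 1Hive's or Aragon's contract code, puts both together so the accounting invariant can be checked: each voter's total stake must never exceed their current balance, and only a transfer hook can keep that true after tokens move. The decay factor `ALPHA`, the `THRESHOLD` value, the `on_transfer` hook name and the withdrawal order are all assumed simplifications; the real contracts use different parameter formulas.

```python
"""Toy model of conviction voting stake accounting (constructed example, not 1Hive code)."""
from dataclasses import dataclass, field

ALPHA = 0.9         # assumed per-block conviction decay factor
THRESHOLD = 2500.0  # assumed conviction needed to execute (constructed value)


@dataclass
class Proposal:
    requested: float                             # HNY requested from the common pool
    stakes: dict = field(default_factory=dict)   # voter -> tokens staked on this proposal
    conviction: float = 0.0

    def total_stake(self) -> int:
        return sum(self.stakes.values())


class ConvictionVoting:
    """Minimal conviction-voting app; the token-manager transfer hook is optional."""

    def __init__(self, hook_registered: bool):
        self.hook_registered = hook_registered
        self.balances: dict = {}
        self.proposals: dict = {}

    def mint(self, who: str, amount: int) -> None:
        self.balances[who] = self.balances.get(who, 0) + amount

    def create_proposal(self, pid: int, requested: float) -> None:
        self.proposals[pid] = Proposal(requested)

    def voter_total_stake(self, voter: str) -> int:
        return sum(p.stakes.get(voter, 0) for p in self.proposals.values())

    def stake(self, voter: str, pid: int, amount: int) -> None:
        # This check only sees the balance at staking time; keeping the invariant
        # after tokens leave the wallet is the transfer hook's job.
        if self.voter_total_stake(voter) + amount > self.balances.get(voter, 0):
            raise ValueError("cannot stake more than current balance")
        p = self.proposals[pid]
        p.stakes[voter] = p.stakes.get(voter, 0) + amount

    def transfer(self, src: str, dst: str, amount: int) -> None:
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount
        if self.hook_registered:          # the registration step the post says was missing
            self.on_transfer(src)

    def on_transfer(self, voter: str) -> None:
        # Hypothetical hook: withdraw stake until the voter's total stake fits the new balance.
        excess = self.voter_total_stake(voter) - self.balances[voter]
        for p in self.proposals.values():
            if excess <= 0:
                break
            held = p.stakes.get(voter, 0)
            take = min(held, excess)
            p.stakes[voter] = held - take
            excess -= take

    def tick(self) -> None:
        # One block: conviction decays and then accrues from whatever stake is recorded.
        for p in self.proposals.values():
            p.conviction = ALPHA * p.conviction + p.total_stake()

    def can_execute(self, pid: int) -> bool:
        # Activation threshold: no consensus, just enough accumulated conviction.
        return self.proposals[pid].conviction >= THRESHOLD


def replay(hook_registered: bool, blocks: int = 60):
    """Move the same 100 HNY through three wallets, staking it on proposal 17 each time."""
    cv = ConvictionVoting(hook_registered)
    cv.mint("w1", 100)
    cv.create_proposal(17, requested=12.5)   # proposal id and amount from the thread
    cv.stake("w1", 17, 100)
    cv.transfer("w1", "w2", 100)
    cv.stake("w2", 17, 100)
    cv.transfer("w2", "w3", 100)
    cv.stake("w3", 17, 100)
    for _ in range(blocks):
        cv.tick()
    p = cv.proposals[17]
    return p.total_stake(), round(p.conviction, 1), cv.can_execute(17)


if __name__ == "__main__":
    print("no hook :", replay(hook_registered=False))   # 100 tokens counted three times
    print("with hook:", replay(hook_registered=True))   # stake follows the balance
```

Without the hook, 100 tokens end up recorded as 300 of stake and the proposal crosses the threshold; with the hook, each transfer withdraws the departed stake, so the proposal accrues from 100 tokens and stays below it. The check a reviewer would want on a real deployment is the invariant in `stake`/`on_transfer`: sum of a voter's stakes across proposals never exceeds that voter's balance after any transfer.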

Thanks for clearing the air. I think it’s now pretty clear what happened. Sometimes it’s good for these sorts of things to happen, so we can improve and advance to prevent worse from happening.
Two things come to my mind: 1) security of our common pool. 2) How to penalize/discourage bad bees (please, I am not referring to anyone).

1 Like