Story of a Bee - Why Farming was Delayed

We can discuss what is fair, but the deal was made. It’s not right to agree to something and later on change your mind. Deal is a deal.

2 Likes

I agree with @cryptoclip.
I also wanna point out that the “conspiracy theory” about you trying to manipulate pollen is not unfounded. I’d remind you that you and/with this “Chadder” account once reacted with 5 emojis to the same meme (may I add, a really lowfi one).
I’ve got no proof that you have malicious intent, but your behaviour does look suspicious as hell, to me at least.
I wonder what you would’ve done if you didn’t need a seed member to execute the proposals… I guess we will never know.

2 Likes

What would’ve happened if farming went live and the bug were still there. I guess we will never know.

Deal is a deal. Pollen has nothing to do with the bug. That’s just someone trying to find reasons not to follow through.

1 Like

hello ~ ^.^/
so the reason why you write this because you want 50hyn more ? as part of the deal ~ not because they did not public stating that for inverter into the project ~~

what you wrote is important to know for hyn hold ~ because i know there problem with hyn distribution~

No, the deal was 100 Honey in total. 50 before and 50 after the bug. After 2 weeks pass, the developers decided that we got enough and so they wouldn’t be following through with the deal.

The main point to take away is that - unless the project doesn’t put up official bug bounty programs and/or keeps its word, there won’t be any incentives for people to find bugs/test the platform and people will lose trust in it.

We were not going to get 2nd payment as they agreed either way. This is up to the community at this point.

1 Like

oki ~ so they changed their mind give you another 50hyn ~ and because of that you don’t trust them ?

i do like official bug bounty idea

It’s up to individuals to decide whether they trust anyone.

1 Like

I disagree, 50k seems to me like a great incentive
after reading this i actually feel motivated to find bugs lol

3 Likes

What was the price of Honey on September 24th?

There are some concerns in this story.

  1. After you had contacted lkgn and he executed the 12.5HNY proposal did you inform him of this bug? Or did you just exploit it to have the 12.5HNY released to you?
  2. Who paid the first 50HNY? Or was it from the common pool?
  3. The deal to have the balance of 50HNY given to you via a proposal which the developers and seed will back implies that the conviction voting mechanism means nothing because seeds and developers can just support whatever proposal they wish to pass and it’ll pass or the community will find it difficult to pass a proposal without involving them. Or am I missing something here?

Having raised these concerns, here is my first impulsive take on this affair, as I’m still yet to hear anything from any of the seeds or developers to get the full story.
Not to sound offensive or anything, but I say this is a classic case of greed and here are my reasons. @xdaifandom since you arrived here about 4 weeks ago you have been causing quite a stir :sweat_smile:. From your ridiculous proposals demanding significant amounts of HNY to accusations of sybil attacks to farm pollen, then to accusations of attacking the xDai faucet, and now this. You got 50HNY ($50,000) but you want another 50, using the deal as an excuse to try to force the developers to pay. And when you saw you weren’t getting a cent more, you resorted to denting their reputation and by extension jeopardizing the project.

If you ask me, I quite agree with those that said your intent was malicious because judging from the way you were aggressively fishing for HNY via your proposals (you actually exploited this bug to fund one), it’s hard not to believe that you actually tried to exploit this vulnerability when it came to your notice, and when you could not exploit it with your friends you decided to go the bounty route because you were unable to execute and claim HNY.

Finally, I cannot begin to explain how important and powerful transparency is in a DAO such as what we have here, and it will be nice if one of the seeds or developers can clear the air. Once again, I’ll continue to preach that any HNY we decide to spend via the common pool should be a fxn of what it translates to in percentage of the honey pot. Paying 1.4% of the total HNY we have in the honeypot because someone discovered a bug is too much IMO.

7 Likes

I don’t want to spend a bunch of time on this so will keep it pretty short.

  1. We didn’t have an established bug bounty program, establishing one with the community should be a priority so that expectations can be aligned in the future.
  2. After the issue was reported (publicly on twitter) we got in contact with the party (calling themselves chadder) at the time, they presented themselves as a group of security researchers/devs who would provide insight into the issue and be ready to audit the issue after it had been resolved.
  3. As soon as the issue was reported we started to investigate and pretty quickly found that the issue was related to a mistake in the installation when we updated conviction voting to support signaling proposals. There is a step where the conviction voting app is registered with the token manager that ensures that when a transfer happens, the conviction voting app can call a function to ensure that the transferred tokens don’t continue to accrue conviction. This was a big mistake on our part and put the common pool honey at risk, we had reserved the ability to adjust the conviction voting parameters from a dev account, and used that to disable conviction funding proposals until the issue could be resolved.
  4. While we were confident that we had found the issue before it was fully disclosed, and were able to mitigate, we wanted to work with the guy who reported it and assumed that they were being upfront about things, and while the requested amount seemed high (even for high severity bug disclosures) we didn’t have a policy, liquidity was low, and ideally this team of security researchers would end up also supporting the project in the future. So we agreed to pay 50 honey among ourselves directly, and support a proposal for the other 50 honey after everything was resolved.
  5. After paying, it seemed pretty clear that chadder was not actually a security researcher or dev, but more of an opportunist who happened to find an obvious issue but didn’t completely understand how the contracts were working. After further investigation we realized that the account that made the proposal was related to an earlier proposal by xdaifandom where the bug was also used, and so we concluded that it was likely xdaifandom or someone close to him that was chadder. We confronted him, because we felt that we had been misled and that the disclosure was not really responsible and was purposefully hiding relevant details.
  6. We weren’t really sure how to proceed with the second half of the proposal, and there were differing opinions, I don’t want to speak for others but my opinion on the situation is this, xdaifandom/chadder has already gotten well compensated for reporting a serious issue, but has been deceptive and dishonest in how he has interacted, both in this situation but also with respect to his initial proposal (which was approved but then none of the promised output materialized), and in his interactions with multiple accounts (chadder and xdaifandom and possibly others) on discord, and so despite agreeing to support the proposal initially, I do not intend to support it now, and would encourage others not to either.
16 Likes
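
The failure mode described in point 3 of the post above, as an added toy model that is not 1Hive's contract code and not part of the thread: a conviction-voting app that is never registered as a transfer hook keeps counting stake for tokens the voter no longer holds. The class and method names (`TokenManager`, `ConvictionVoting`, `on_transfer`, `overstaked`) and the balances are hypothetical, and time-weighted conviction accrual is left out so that only the stake bookkeeping is shown.

```python
class TokenManager:
    """Hypothetical token manager that notifies registered apps on transfer."""
    def __init__(self, balances):
        self.balances = dict(balances)
        self.hooks = []

    def register_hook(self, app):
        # The installation step the post says was missed.
        self.hooks.append(app)

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount
        for app in self.hooks:
            app.on_transfer(src, self.balances[src])


class ConvictionVoting:
    """Hypothetical voting app; stakes maps (voter, proposal) -> amount."""
    def __init__(self, token):
        self.token = token
        self.stakes = {}

    def staked_by(self, voter):
        return sum(a for (v, _), a in self.stakes.items() if v == voter)

    def stake(self, voter, proposal, amount):
        if self.staked_by(voter) + amount > self.token.balances.get(voter, 0):
            raise ValueError("cannot stake more than balance")
        key = (voter, proposal)
        self.stakes[key] = self.stakes.get(key, 0) + amount

    def on_transfer(self, voter, new_balance):
        # Trim the sender's stakes so they never exceed the remaining balance.
        excess = self.staked_by(voter) - new_balance
        for key in [k for k in self.stakes if k[0] == voter]:
            if excess <= 0:
                break
            cut = min(excess, self.stakes[key])
            self.stakes[key] -= cut
            excess -= cut

    def support(self, proposal):
        return sum(a for (_, p), a in self.stakes.items() if p == proposal)

    def overstaked(self):
        # Invariant check: no voter may have more staked than they hold.
        voters = {v for v, _ in self.stakes}
        return sorted(v for v in voters
                      if self.staked_by(v) > self.token.balances.get(v, 0))


def run(register_hook):
    """Constructed scenario: 100 tokens in total, moved once between holders."""
    token = TokenManager({"alice": 100, "bob": 0})
    cv = ConvictionVoting(token)
    if register_hook:
        token.register_hook(cv)
    cv.stake("alice", "P1", 100)
    token.transfer("alice", "bob", 100)
    cv.stake("bob", "P1", 100)
    return cv.support("P1"), cv.overstaked()
```

With the hook missing, `overstaked()` flags the stale stake and support for the proposal exceeds the token supply; the same invariant is a cheap post-deployment check after any upgrade that reinstalls the voting app.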

Conviction proposals work based on an activation threshold, it doesn’t require consensus, and so if there is sufficient support to pass a proposal it can be passed even by a minority of stakeholders. This is a feature of the system and in my opinion is what makes it such a useful mechanism for a DAO, because it’s possible for stakeholders to take the DAO in opposing directions without the need to reach consensus, and the mechanism itself regulates this process such that the flow of funds is limited with respect to stake and time.

That said, the current iteration of conviction voting isn’t perfect especially since stake is still relatively concentrated (simply due to parabolic growth over the last month). There is another thread discussing this and some of the potential improvements that could be made (some of which are already actively being worked on) to improve proposals and protect the DAO from whales abusing the proposal mechanism: Funding proposal attack vectors

3 Likes

Thanks for clearing the air. I think it’s now pretty clear what happened. Sometimes it’s good for these sorts of things to happen, so we can improve and advance to prevent worse from happening.
Two things come to my mind: 1) security of our common pool. 2) How to penalize/discourage bad bees (please, I am not referring to anyone).

1 Like

After paying, it seemed pretty clear that chadder was not actually a security researcher or dev, but more of an opportunist who happened to find an obvious issue but didn’t completely understand how the contracts were working.

We never claimed to be research specialists nor devs, not me at least. I do some coding, but not as a job.

After further investigation we realized that the account that made the proposal was related to an earlier proposal by xdaifandom where the bug was also used, and so we concluded that it was likely xdaifandom or someone close to him that was chadder. We confronted him, because we felt that we had been misled and that the disclosure was not really responsible and was purposefully hiding relevant details.

All the attention was on 100 Honey proposal. My friend, who is actually a developer, used the bug on the proposal, which got executed from your end. Amount of Honey that was used did not affect the vote to the point of it passing because of the bug. The argument that we exploited the bug to steal 12.5 Honey does not hold up. All the contract interactions can be verified via Blockscout.

I guess I could’ve agreed to revealing what the bug was, but after getting 50 Honey, I could’ve just asked for more and then ditched, because I didn’t feel comfortable. Great morals and principles.

1 Like

The deal was 50 HNY prior, 50 HNY in a proposal people could vote on. Everyone in Seed was prepared to vote yes on your proposal until we found out that you had hidden information from us and acted like it was responsible disclosure.

When you were confronted with this fact you essentially resorted to blackmailing Seed, which is why everyone lost their trust in you even more. I decided to support your proposal anyway, but when I had suspicions that you might be gaming Pollen, taking away cred from people who contribute to the community, I had to pull my support too to figure out if that was the case.

I approached you in DMs, willing to hear your side of the story (albeit I did feel defeated and fooled), and I haven’t had time to reply to you, even though I clearly stated that I was super busy from the get go, which would lead me to reply slower than normally.

Your entire post is riddled with false statements, or at least overstatements, e.g.:

I don’t think it is technically feasible to drain CV within minutes. It would take more time, and people would notice by then. Sure, it might have been possible to drain some funds, which of course is bad, but I think you are blowing it a bit out of proportions to make it seem worse than it is.

As I mentioned previously in our post, we agreed to pay 50 HNY up front and have a proposal that the community could vote on. It is again important to remember that Seed is not “the devs”, Seed is a collection of early community members who still contribute regularly to 1hive. None of us are under any obligation to act as a single unit, quite the contrary, we have always been very much for people to act on their own accords. Seed members paid 50 HNY out of their own pocket to have you even divulge a single thing about the bug. This is not how it usually works. Usually, you report the bug, state how to reproduce it, state your assessment of the severity and then the bounty is assessed.

The fact that you lost the trust of most of the early contributors early on is your own fault. You hid information from us and then decided your best course of action was not to explain yourself, but to talk down to the people who confronted you and essentially threaten them with community backlash.

I decided to still vote on the proposal, which was a somewhat unpopular choice, but I did it anyway. When I found out you were potentially gaming Pollen too, I had to withdraw support to get that settled as well. I saw your reply in my DMs, and I was given not even 3 days to reply even though I was extremely busy.

This is not true. I am not aware of anyone saying that to you. People have told you that the original agreement was 50 HNY from Seed members for you to even start talking about the bug - which is not how it usually works by the way, usually people disclose the bug and then the bounty is assessed - and then 50 HNY in a proposal the community could vote on. None of us were ever of the attitude that we wouldn’t support your proposal because “we could get away with it”.

I approached you willing to hear your side of the story because most of the accounts that you interact with on the Discord to mint cred were connected to you and the initial bug bounty. They had all either received Honey from the bug bounty recipient address or had only ever interacted with the address tied to your “anonymous security researcher” identity. I was suspicious, so I pulled support, and then I asked you. I never suggested that you created a botnet, I just pointed out that some of these accounts had also engaged in draining the xDai faucet.

This is also not true. I explained to you how it works. The community could vote on the proposal, I pulled my support as a community member because of my suspicions/concerns, I asked to hear your side of the story, I explained my response was gonna take some time because I was busy, and I even told you that it is well within the original parameters of the agreement that you would seek support from other community members.

I do not have an issue with you seeking support on your proposal from other community members, which is what this thread is I guess, but I do take issue with the way you seem willing to twist the story, jump to conclusions and omit key facts of the story as well to gain support.

I supported your proposal even though I was skeptical of whether I could trust you or not. I grew even more suspicious and I pulled support and asked you to clarify. I do not care for you painting me as a villain when I just wanted clarification. If you were me, would you not do the same? Would you not pull support, just in case, and ask for clarification? Or would you support the proposal from a community member who you might suspect of not being an honest actor?

Lastly, it is important to me that the community understands that Seed is just a collection of early community members. If you want to support his proposal, that is well within your rights as a community member, as it is likewise within our rights as community members to not support his proposal.

9 Likes

Around between $950 and $1000.

  1. Bug was used on #17, but not to the point of it passing because of it. There was one vote with 100 Honey, in total, it reached 200 votes. You can verify all the contract interactions via Blockscout.
  2. I believe it was from developers
  3. Payment method we agreed on was via 1hive platform, conviction voting, rest of the Honey would be taken out from the common pool. Agreeing to a deal by which you’re supposed to support a proposal on 1Hive does not imply it’s a free choice, i.e. not vote because you changed your mind.

I did not get 50 Honey ($50,000). I only got 30%, rest are my friend’s as it should be. He was generous enough to cut me in and the 2nd part wouldn’t go to me.

I’m having a hard time understanding your position. Developers, the ones who hold the power, really, can make deals and promises and then back off whenever they feel like it, for example “He got enough” and if the other party makes it public, then that’s considered bad? Why exactly?

“(you actually exploited this bug to fund one)” If you don’t have relevant facts to back up your claims, don’t make accusations. You can verify all the contract interactions which prove it was not the bug which made it possible for Ikngtn to pass proposal #17.

“and when you could not exploit it with your friends you decided to go the bounty route because you were unable to execute and claim HNY.” Then why did we put up another proposal the very next day if we could not execute it? To exploit it? How exactly, because proposal wasn’t executable like you mentioned.

Paying 1.4% of the total HNY we have in the honeypot because someone discovered a bug is too much IMO.

I think having the entire DAO fund stolen and dumped on the market losing millions is too much of a risk, if you ask me.

1 Like

No. We do not hold any specific power any other community member does not. We’re not considering you making it public that you have a proposal up for a bug bounty bad, and we don’t consider it bad that you want support.

We consider it bad that you obfuscated and purposefully omitted information from us. We consider it bad that you are still seemingly trying to game/exploit other systems, and we consider it bad that you are not telling the truth. The proposal was always meant to be something community members could vote on, including Seed. That community members from Seed chose not to support it because they did not trust you to act honestly is a different story entirely, and is well within our rights as community members.

I even told you that you could look for support from other community members. That is well within YOUR rights as a community member, and that is what the original agreement was.

2 Likes

After reading all the posts on both sides, all I can say is the DAO is the rule. If the community for whatever reason lost faith in xDaiFandom and did not support the proposal, they were free to do so, as well as he is free to believe they are not fair. At the end of the day, this is what the DAO governance mechanisms are for. It is good for the rest of the community to know the story but to me personally, the story is over. I may have my personal opinion on things as if the amount was too much or if xDaiFandom or the rest of the team acted honestly, they are just personal opinions. End of the story.

14 Likes

I see you haven’t looked into the accusations about me manipulating other systems such as Pollen or xDai faucet, because I provided every detail from Blockscout to Discord DMs to prove otherwise.

Either way, if anyone wants to support it, they can. It’s up to everyone individually.

1 Like