After paying, it seemed pretty clear that chadder was not actually a security researcher or dev, but more of an opportunist who happened to find an obvious issue but didn’t completely understand how the contracts were working.
We never claimed to be research specialists nor devs, not me at least. I do some coding, but not as a job.
After further investigation we realized that the account that made the proposal was related to an earlier proposal by xdaifandom where the bug was also used, and so we concluded that it was likely xdaifandom or someone close to him that was chadder. We confronted him, because we felt that we had been misled and that the disclosure was not really responsible and was purposefully hiding relevant details.
All the attention was on the 100 Honey proposal. My friend, who is actually a developer, used the bug on the proposal, which got executed from your end. The amount of Honey that was used did not affect the vote to the point of it passing because of the bug. The argument that we exploited the bug to steal 12.5 Honey does not hold up. All the contract interactions can be verified via Blockscout.
I guess I could’ve agreed to revealing what the bug was, but after getting 50 Honey, I could’ve just asked for more and then ditched, because I didn’t feel comfortable. Great morals and principles.
The deal was 50 HNY prior, 50 HNY in a proposal people could vote on. Everyone in Seed was prepared to vote yes on your proposal until we found out that you had hidden information from us and acted like it was responsible disclosure.
When you were confronted with this fact you essentially resorted to blackmailing Seed, which is why everyone lost their trust in you even more. I decided to support your proposal anyway, but when I had suspicions that you might be gaming Pollen, taking away cred from people who contribute to the community, I had to pull my support too to figure out if that was the case.
I approached you in DMs, willing to hear your side of the story (albeit I did feel defeated and fooled), and I haven’t had time to reply to you, even though I clearly stated that I was super busy from the get go, which would lead me to reply slower than normally.
Your entire post is riddled with false statements, or at least overstatements, e.g.:
I don’t think it is technically feasible to drain CV within minutes. It would take more time, and people would notice by then. Sure, it might have been possible to drain some funds, which of course is bad, but I think you are blowing it a bit out of proportions to make it seem worse than it is.
As I mentioned previously in our post, we agreed to pay 50 HNY up front and have a proposal that the community could vote on. It is again important to remember that Seed is not “the devs”, Seed is a collection of early community members who still contribute regularly to 1hive. None of us are under any obligation to act as a single unit, quite the contrary, we have always been very much for people to act on their own accords. Seed members paid 50 HNY out of their own pocket to have you even divulge a single thing about the bug. This is not how it usually works. Usually, you report the bug, state how to reproduce it, state your assessment of the severity and then the bounty is assessed.
The fact that you lost the trust of most of the early contributors early on is your own fault. You hid information from us and then decided your best course of action was not to explain yourself, but to talk down to the people who confronted you and essentially threaten them with community backlash.
I decided to still vote on the proposal, which was a somewhat unpopular choice, but I did it anyway. When I found out you were potentially gaming Pollen too, I had to withdraw support to get that settled as well. I saw your reply in my DMs, and I was given not even 3 days to reply even though I was extremely busy.
This is not true. I am not aware of anyone saying that to you. People have told you that the original agreement was 50 HNY from Seed members for you to even start talking about the bug - which is not how it usually works by the way, usually people disclose the bug and then the bounty is assessed - and then 50 HNY in a proposal the community could vote on. None of us were ever of the attitude that we wouldn’t support your proposal because “we could get away with it”.
I approached you willing to hear your side of the story because most of the accounts that you interact with on the Discord to mint cred were connected to you and the initial bug bounty. They had all either received Honey from the bug bounty recipient address or had only ever interacted with the address tied to your “anonymous security researcher” identity. I was suspicious, so I pulled support, and then I asked you. I never suggested that you created a botnet, I just pointed out that some of these accounts had also engaged in draining the xDai faucet.
This is also not true. I explained to you how it works. The community could vote on the proposal, I pulled my support as a community member because of my suspicions/concerns, I asked to hear your side of the story, I explained my response was gonna take some time because I was busy, and I even told you that it is well within the original parameters of the agreement that you would seek support from other community members.
I do not have an issue with you seeking support on your proposal from other community members, which is what this thread is I guess, but I do take issue with the way you seem willing to twist the story, jump to conclusions and omit key facts of the story as well to gain support.
I supported your proposal even though I was skeptical of whether I could trust you or not. I grew even more suspicious and I pulled support and asked you to clarify. I do not care for you painting me as a villain when I just wanted clarification. If you were me, would you not do the same? Would you not pull support, just in case, and ask for clarification? Or would you support the proposal from a community member who you might suspect of not being an honest actor?
Lastly, it is important to me that the community understands that Seed is just a collection of early community members. If you want to support his proposal, that is well within your rights as a community member, as it is likewise within our rights as community members to not support his proposal.
Bug was used on #17, but not to the point of it passing because of it. There was one vote with 100 Honey, in total, it reached 200 votes. You can verify all the contract interactions via Blockscout.
I believe it was from developers.
The payment method we agreed on was via the 1hive platform, conviction voting; the rest of the Honey would be taken out from the common pool. Agreeing to a deal by which you’re supposed to support a proposal on 1Hive does not imply it’s a free choice, i.e. not voting because you changed your mind.
I did not get 50 Honey ($50,000). I only got 30%, rest are my friend’s as it should be. He was generous enough to cut me in and the 2nd part wouldn’t go to me.
I’m having a hard time understanding your position. Developers, the ones who hold the power, really, can make deals and promises and then back off whenever they feel like it, for example “He got enough”, and if the other party makes it public, then that’s considered bad? Why exactly?
“(you actually exploited this bug to fund one)” If you don’t have relevant facts to back up your claims, don’t make accusations. You can verify all the contract interactions which prove it was not the bug which made it possible for Ikngtn to pass proposal #17.
“and when you could not exploit it with your friends you decided to go the bounty route because you were unable to execute and claim HNY.” Then why did we put up another proposal the very next day if we could not execute it? To exploit it? How exactly, because proposal wasn’t executable like you mentioned.
Paying 1.4% of the total HNY we have in the honeypot because someone discovered a bug is too much IMO.
I think having the entire DAO fund stolen and dumped on the market losing millions is too much of a risk, if you ask me.
No. We do not hold any specific power any other community member does not. We’re not considering you making it public that you have a proposal up for a bug bounty bad, and we don’t consider it bad that you want support.
We consider it bad that you obfuscated and purposefully omitted information from us. We consider it bad that you are still seemingly trying to game/exploit other systems, and we consider it bad that you are not telling the truth. The proposal was always meant to be something community members could vote on, including Seed. That community members from Seed chose not to support it because they did not trust you to act honestly is a different story entirely, and is well within our rights as community members.
I even told you that you could look for support from other community members. That is well within YOUR rights as a community member, and that is what the original agreement was.
After reading all the posts on both sides, all I can say is the DAO is the rule. If the community for whatever reason lost faith in xDaiFandom and did not support the proposal, they were free to do so, just as he is free to believe they are not fair. At the end of the day, this is what the DAO governance mechanisms are for. It is good for the rest of the community to know the story, but to me personally, the story is over. I may have my personal opinions on things such as whether the amount was too much or whether xDaiFandom or the rest of the team acted honestly, but they are just personal opinions. End of the story.
I see you haven’t looked into the accusations about me manipulating other systems such as Pollen or xDai faucet, because I provided every detail from Blockscout to Discord DMs to prove otherwise.
Either way, if anyone wants to support it, they can. It’s up to everyone individually.