BreakInvariantBounty claim can be front-runned by owner #1333
Any ideas on this front?
While considering fixes, we should keep this comment in mind. (#1356)
Closing since
BreakInvariantBounty allows placing a bounty that can be claimed automatically if a set of invariants is broken. The Bounty contract can be destroyed by the owner to recover the money once it makes no more sense to have a bounty up for this contract. This functionality can be abused by the owner to front-run the claim by the researcher once the information for the hack has already been revealed in the blockchain.

A possible fix is to create the bounty with a deadline, after which the bounty is returned to the bounty "sponsor". This gives the researcher security that they will be able to claim the bounty. There is still the problem of being front-run by other researchers though.
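The deadline fix proposed in the issue above, as an added sketch that is not part of the original issue and is not OpenZeppelin's code. The names `DeadlineBounty`, `ITarget`, `checkInvariant`, `claim` and `reclaim` are hypothetical, and the single fixed target is a simplifying assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical interface: the contract under bounty reports whether its
// invariants still hold (true = intact, false = broken).
interface ITarget {
    function checkInvariant() external returns (bool);
}

// Illustrative sketch only. There is no owner-callable destroy function:
// the sponsor's sole way to recover funds is reclaim(), which is locked
// until the deadline fixed at deployment.
contract DeadlineBounty {
    address public immutable sponsor;
    ITarget public immutable target;
    uint256 public immutable deadline;
    bool public claimed;

    constructor(ITarget target_, uint256 duration) payable {
        sponsor = msg.sender;
        target = target_;
        deadline = block.timestamp + duration;
    }

    // Pays the caller if the target's invariant is currently broken.
    // This does not address the remaining problem noted in the issue:
    // another researcher can still copy a pending claim and get in first.
    function claim() external {
        require(!claimed, "already claimed");
        require(!target.checkInvariant(), "invariant still holds");
        claimed = true; // set before the transfer to block re-entrant claims
        (bool ok, ) = msg.sender.call{value: address(this).balance}("");
        require(ok, "payout failed");
    }

    // The sponsor cannot withdraw in reaction to a pending claim:
    // before the deadline this call always reverts.
    function reclaim() external {
        require(msg.sender == sponsor, "not sponsor");
        require(block.timestamp >= deadline, "bounty locked until deadline");
        (bool ok, ) = sponsor.call{value: address(this).balance}("");
        require(ok, "refund failed");
    }
}
```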