Authors
Idle Treasury League
Summary
This proposal aims to refund $25k in $IDLE to Enzyme Finance for the bug bounty paid to the reporter of a potential vulnerability in our partners’ integrations. This proposal represents a sign of cooperation and gratitude for their professionalism and responsiveness in promptly communicating that potential issue.
Rationale
On November 18th, the Enzyme Finance team notified us regarding a potential vulnerability that was affecting their integration with Idle Protocol. As reported in the Medium article, this vulnerability could have put funds of Idle Protocol’s integrators at risk.
Enzyme has an active bug bounty program launched on Immunefi. Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System. All payouts are done by the Enzyme Finance team directly and are denominated in USD. Payouts are done in USDC up to $400,000.
The final reward amount for critical smart contract vulnerabilities is capped at 10% of the funds at risk based on the vulnerability reported. In this case, the issue would have impacted 3 vaults on Enzyme and up to $400k worth of funds.
Given the quality and professionalism of the report, as well as the potential and scope of the issue, they found it inappropriate to pay out less than their “high” tier ($80k). For this reason, Enzyme rewarded the bug hunter with $90k.
Following this payout, Idle Leagues proposes to indemnify Enzyme with 6250 $IDLE ($25k using the 20-day average rate).
Specifications
Actions:
- Send 6250 $IDLE from Ecosystem Fund to Enzyme wallet: 1 action
Next Steps
We are going to leave this thread open for comments regarding this proposal, and in about 48 hours, if there are no objections, we will proceed with the Temperature Check.