Sebastian Banescu, Poming Lee, Ed Zulkoski, Richard Ma, Julian Martinez and Krishna Sriram from Quantstamp
This IIP aims to inform the Idle community about a minor bug in the Idle protocol and how Governance can fix it.
The bug does not affect the assets deposited in the Idle protocol or the yield accrued from the underlying protocols; it affects only a small portion of $IDLE and $COMP.
Quantstamp reported the initial disclosure and core facts in this blog post.
An Idle community member reported to the Idle team that his $IDLE rewards were not increasing linearly as planned by the token distribution rate, and that a user was taking advantage of this bug.
The team immediately contacted Quantstamp to investigate. The company confirmed the existence of the bug and that a user was exploiting a minor misallocation of the $IDLE and $COMP distribution to obtain a small extra (and illegitimate) reward.
At the time of writing, to our knowledge, the misallocated funds amount to about 150 $IDLE and about 1 $COMP.
Quantstamp led the investigation and, with the support of the Idle Team, we were able to set up a patch to mitigate the misallocation. The patch is already live, has been active for the past 24 hours, and will remain active until the permanent fix set forth in the proposal solves the issue.
As the patch is not a permanent solution, a proposal should be voted on and implemented to fix the bug.
The code below is the fix that needs to be applied:
At this stage, we believe it is better not to describe the misallocation in detail or to provide evidence about the user's addresses. A detailed report will be released once the bug is fixed.
To briefly summarize the changes, the main difference from the previous version is the implementation of how the governance tokens (COMP/IDLE) are allocated among users.
This fix might slightly increase the gas cost of new deposits, but it allows for a more up-to-date allocation of governance tokens.
This IIP reflects the related on-chain Proposal, published here: https://idle.finance/#/governance/proposals/1
Governance has 3 days to cast its vote, in favor or against, and the voting phase will end at block #11477665.