Comet Vulnerability Disclosure (Patched)

I’d like to echo @jayson’s sentiment and point out that Labs doesn’t have a strong opinion on the amount paid out, as long as it is not paid out using protocol reserves. That being said, we are not against a payout on the higher end of the scale. Here are a few reasons why:

  • Even though the current market configurations make the bug unprofitable to exploit, @brrito’s bug report will prevent the community from deploying new markets that could be susceptible to this bug
  • Compound’s current bug bounty program does not have a clear rubric for classifying severity and payout ranges, so rounding up on the payout can set a good example for future bug reporters looking at the Compound codebase

We appreciate everyone providing their thoughts on this matter. This is a learning lesson for Labs and the community. We will work with OZ to modernize Compound’s bug bounty program, making it easier in the future for the community to classify the severity and payout of disclosures.