Bug Bounty for Exploit in token-sale contract

I will skip the introduction, as I already wrote about the incident on Twitter:

The Mango DAO should award the Neodyme team with a symbolic sum of $10,000 in USDC from the Insurance Fund for finding this bug.


I agree, and will vote yes with my paltry sum of mango tokens!

+1 (post has to be 20 characters)


I fully support rewarding them for such responsible disclosure.

I think it should be larger. Maybe 100k MNGO or 38k USDC.

At the time they disclosed this bug to us, there were only 405k MNGO (about $150k) at stake. But if the bug had been found by a blackhat and exploited at the best possible time, the losses could have been 70m. I’m not sure how to weigh these two facts, but they both seem relevant. But erring on the side of generosity on the bug bounties encourages 1. whitehats to spend time finding bugs and 2. blackhats to choose prosocial and clean earnings over dirty earnings.


A healthy bounty of 100,000-200,000 MNGO would send the right message to future hackers who find exploits within the Mango ecosystem: by responsibly disclosing, they would be reasonably reimbursed.

While on the topic of sending the right message, I’d prefer to do so explicitly rather than implicitly by announcing tiered bug bounties going up to (say) $1m for Mango v3. Let’s not repeat ThorChain’s mistakes.

As for this reward size, $38k in USDC seems reasonable to me. Paying in USDC from the insurance fund seems more appropriate than in MNGO.


Thank you, our protector!!!

100k MNGO or equivalent USDC, their choice, seems like a very reasonable reward.

Agreed that tiered bug bounties would send the right message.