[ARC] Compensate Bug Bounty Contributor

Simple Summary

Compensate contributor for risk analysis conducted during market volatility.


On November 12, 2022, Aave contributors, including members from BGD and Gauntlet, received a message through the security email box indicating a potential risk on the REN asset. The analysis included commentary on the liquidity and manipulation risk of REN. Although this analysis did not impact the analysis of the risk contributors or proposed actions, it is well appreciated that this individual followed the standard procedures to communicate through the proper Aave channels instead of posting potentially sensitive information on Twitter or otherwise.

We hope that individuals continue to use the proper channels to communicate bugs. The community should consider rewarding this individual. As such, Gauntlet will publish a Snapshot vote requesting the Aave Grants DAO to compensate this individual 20 AAVE tokens to the address 0xF7D9c506968bFb273eF1e9183d1A94d5a7Fe9371 (contingent on Aave Grants DAO renewal AIP passing).

Next Steps

  • Initiate Snapshot vote, targeting 1/19/2023. If approved via Snapshot, Aave Grants DAO to take care of the payment, given the relatively low amount, to reduce on-chain governance overhead.

While we consider that this bounty should be paid,

My guess is that it’s up to AGD to decide if they’re the payer and not governance?


Since this would be a one time payment and is a smaller amount, AGD would be happy to make it if the community votes in support of the Snapshot as it would reduce an additional AIP for governance and delegates. While there is some precedent for AGD handling the payment of bounties with the xSUSHI incident, we would not want this to be an assumption going forward. Each bounty should be assessed individually to determine who is the best party to make the payment at the time.


Snapshot vote below:


1 Like

Following the positive Snapshot vote, a transfer of 20 AAVE to the indicated address has been completed.