(Disclaimer: only friendly comments/suggestions, if you don’t like it, just ignore it, thx!)
The vulnerability wasn’t severe (when reported), but (it existed and was obvious) if, instead of reporting, they had tried to attack (assuming the attack succeeded), it would have caused a pretty sizable financial loss to Aave and a reputation loss to Aave v3/the Aave protocol/the AAVE token/etc.
I think the bounty should be minimum 500K:
- Compared to the protected amount and the reputation of Aave/the AAVE token value/etc. with so much at stake, 500K is nothing
- Inspire/show future whitehat hackers that Aave pays well if they report bugs
- Financing:
  - Option A: 50K from the Aave DAO treasury for immediate payment as promised, and launch a max 450K USD donation address for AAVE holders to donate/thank the Hacxyc team for protecting their token value!
  - Option B: immediate payment of 500K from the Aave DAO treasury, and recover a 500K USD amount of rewards from the stAAVE pool/SM over time to the DAO treasury
  - Option C: pay 50K from the Aave DAO treasury, and promise to pay an additional 450K in the future, whenever the Aave DAO wants to/has more than enough liquidity on hand
Additional perks:
- If the Hacxyc team wants, delegate them X amount of AAVE, or promote them to AAVE holders to delegate, to make Hacxyc team part of Aave community
- If the dev team thinks it appropriate, thank them by giving them an auditing order in the future
Additional suggestion:
- If possible and the community wants, I strongly suggest the Aave team cover/delete detailed info about the vulnerability online (e.g. Twitter/blogs/news/etc.)
- The Aave community should thank the BGD team for their quick reaction and for protecting the protocol/AAVE token holders