Due to a bug in the test dxDAO codebase reported during the bounty program, we are delaying its launch for another audit of the codebase.
On February 4th, we announced a bug bounty program for a test version of the dxDAO. We would like to share that the bug bounty was effective, and on February 8th, an anonymous report disclosed a bug in the test dxDAO codebase.
The bug allowed an attacker to delete any proposal made by the DAO before it could pass. An explanation of the bug, and the fix, can be reviewed on GitHub. A payout of 100 ETH was awarded for the submission. It is important to note, however, that no bugs have been found in relation to the locking of ETH or tokens, and the reported bug does not affect the vote staking period. $100k worth of ETH has been locked and unlocked successfully, with no bug reports and no attacker able to steal it.
We believe smart contract security requires the utmost diligence, especially when an entire community is a stakeholder in a project. We are still fully committed to the dxDAO bringing community governance to Web 3.0; therefore, we are delaying the dxDAO’s launch in order to run an additional audit on the codebase, followed by another bug bounty program.
According to our own standards of smart contract security, a change to the dxDAO smart contracts requires another vigorous process of both internal and external review. As a result, the earliest possible date for the actual launch under this process is April 15th. In light of the delayed timeline, we are choosing to postpone the Gnosis-funded DAI-ETH auctions on the DutchX trading protocol to occur closer to the dxDAO’s launch.
A great amount of effort was put into making sure the launch on the 18th would run smoothly. While that date will be postponed, we believe we achieved another goal: to draw a wider community of security researchers into examining the codebase in detail.
Beyond the reported bug, we received comments and submissions that showed that various security experts thoroughly inspected the code for vulnerabilities. This involvement beyond teams and hired auditors will put the dxDAO in a much more secure position once it launches.
It’s important to us to take every precaution with respect to stakeholders’ security, and we will post confirmation of the updated roadmap and forthcoming audits on all of our public channels as soon as they are available.
For updates on the dxDAO’s timeline, join the Telegram group (https://t.me/dxDAO) or forum (https://daotalk.org/c/dx-dao).