Jet Protocol Upgrade Bug Patch Disclosure

Wil Barnes
Published in Jet Protocol · 2 min read · Dec 29, 2021

On Dec 21st, we performed an ad hoc upgrade to our mainnet program that introduced a critical vulnerability, which was quickly discovered and fixed within 24 hours. There was no attempt to exploit it and no loss of funds.

The bug was identified by a user on Discord (jayne) who had been reviewing the program code and who privately messaged one of our core devs with details about the issue. After we acknowledged the problem, the mainnet program was redeployed with the problematic feature disabled. The feature in question provided a mechanism for closing accounts so that users could recover their rent. This introduced a bug where, after closing an account, other positions a user had could have been ignored by the program, potentially allowing a user to erase their loan balance without actually paying it.

The user who identified and disclosed the bug was instructed to submit their finding through our bug bounty program and was awarded $75,000 via Immunefi.

To prevent this from happening in the future, we’ve improved our mainnet deployment processes. We now deploy all code changes to our devnet instance first, where they undergo a two-week “baking” period before they can be deployed to mainnet. During this period, we will invite whitehats to review the code as part of our Immunefi bug bounty program.

We are engaging another auditing firm to do additional deep code review for upcoming releases into the new year and will share official audit report results with the community as soon as they are available.

This is truly the best part about developing OSS out in the open. We are unbelievably grateful for our attentive community supporting us as we work to constantly improve the core protocol to benefit users.

Thank you,

Wil Barnes, CEO and Co-founder of Jet
