8/25/2022
A smart contract bug in the Livepeer protocol was recently brought to the security committee’s attention by a whitehat hacker through Livepeer’s Immunefi Bug Bounty program. A fix has been deployed for this bug, and it is no longer exploitable.
The deployment of this bug fix is a part of the governance failsafe procedure described here [1].
Until this fix was deployed, user funds could be temporarily frozen but not withdrawn via a manipulation within the internal bonding functions of the protocol. The mitigation for the bug was to deploy a minor change to the BondingManager contract that corrects the internal logic of the bonding mechanisms to prevent delegators from manipulating their stake in an undesired manner.
In the interest of full transparency, a public report and retrospective on the bug will be published after completing a thorough internal investigation. It will cover the bug, potential attack vectors, the fix that has been deployed, and takeaways that can be used to improve processes in the future. Although funds were not at risk of theft, this was still a notable vulnerability and we are indebted to the work of the whitehat who reported the bug via Livepeer’s bounty program.
With the fix in place it is believed that no user funds are currently at risk of theft or freezing.