Protocol Bug Fix - 10/25/2024

Hi all. A protocol bug was patched by the security committee, which was reported through the Livepeer Immunefi Bug Bounty program. This fix addresses a potential opportunity in which a bad actor could drain ETH from the Minter contract via a series of successive steps through multiple rounds. Due to the patch, no user funds are at risk, nor was this scenario intentionally exploited on the network in the past to our knowledge. A bounty of the critical level will be paid to the reporter, and we thank the reporter for their responsible disclosure.

The patch introduces no new or changed functionality to the protocol, and the security committee took this step in line with its mandate to take defensive action in the case when user funds are at risk. The security committee will continue to monitor the protocol in the coming days post fix, and analyze the issue for any similar potential exploits; however, at the time it is believed that no further action is necessary.

A more detailed post mortem will follow. Thank you once again to the reporter on behalf of the whole community!

That’s great to hear :1st_place_medal: