Gov Tokens Allocation Fix in Idle
On December 14th, a minor bug in the governance tokens distribution module in Idle protocol was reported.
The incident does not involve any deposited funds in Idle protocol (Best-Yield or Risk-Adjusted strategies) nor the accrued yield provided by the underlying protocols.
Governance tokens distribution ($IDLE and $COMP) is affected by the bug under specific circumstances, hence resulting in a misallocation of a small number of tokens to liquidity providers. According to the initial assessment, approximately ~150 IDLE and ~1 COMP have been misallocated since the launch of Idle Governance.
The bug has already been mitigated by a joint effort with Quantstamp and Idle team members, and Quantstamp has proposed a patch via a governance proposal, IIP-1. For security reasons, Quantstamp and the Idle team will fully disclose the bug once the on-chain proposal is implemented.
- Assets are not at risk and never have been
- Idle protocol continues its operations and is not paused, you can deposit/withdraw assets anytime, everything is working as expected
- Idle protocol’s contracts can be upgraded on-chain via community governance, so there is no need to withdraw assets or move them to new contracts
- The patch is already running and mitigates possible future issues
- The on-chain proposal will permanently fix the issue (expected implementation in 5 days)
Quantstamp collaborated with the Idle team to investigate this inquiry, identifying the vulnerability and working on both the temporary mitigation patch and the final proposal.
The on-chain proposal, IIP-1, launched by Quantstamp is available here.
Idle Governance has 3 days to cast its vote, in favor or against it. If the “For” vote wins and 4% of IDLE tokens have casted a vote, IIP 1 will be implemented after 2 days (grace period).