SIP-0050 - Critical Staking Vulnerability Fix

Hello dear Sovryns.

A security researcher has reported a critical vulnerability through Sovryn’s Immunefi bug bounty program. The vulnerability allows any address to obtain arbitrarily high voting power that would result in an unfair advantage in the Bitocracy voting system. The Exchequer Multisig has paused staking to allow us to expose the vulnerability publicly and to vote on the deployment and acceptance of the fix, without putting our governance at risk in the meantime. It is important to note that this vulnerability has not been exploited on mainnet to date.

SIP-0050 introduces the fix we need to apply in order to protect the Staking contract from being exploited.

We paused the Staking contract to prevent exploitation of the vulnerability while the SIP is being discussed and voted on, so your funds and voting power are safe.

A draft SIP: SIPS/SIP-0050.md at SIP-0050 · DistributedCollective/SIPS · GitHub
Comments and questions are welcome either here or on GitHub.

9 Likes

Has this fix been audited or reviewed, and if so, by whom?

4 Likes

Internal review by 2 devs.

Honest question - is that enough?

1 Like

Yes. The fix is pretty straightforward.

3 Likes

Has this update taken place, and if so, when do staking rewards restart distribution? There is no change in my rewards tab and I was curious to know.

It has taken place, but the fee distribution is still stopped. We plan to reactivate it soon.

2 Likes

Spoiler alert. The contract was paused again.