AlgoGard not paying out a bug bounty after an exploit was reported and isn't openly acknowledging who pointed it out

So while this doesn’t immediately affect the whole ecosystem, it’s setting up a bad precedent and therefore adds risks to the whole ecosystem. The TL;DR is that Algogard is not paying out a bug bounty to @Swaggelwander (dev from Vestige) after he reported an exploit to them, because he notified the persons that made him look into it in the first place that they should get out of GARD, without giving context on what is wrong (aka not adding risks, because they didn’t know how to exploit Algogard). Stuff like this is why people might rather hack a protocol on Algorand in the future than report the exploit, as the projects clearly don’t care about paying out bug bounties, and it is why I even post this in this forum.

What is Algogard?

It is a Dapp where you can collateralize ALGOs and potentially commit them to governance and mint/borrow their stablecoin GARD which is an overcollateralized stablecoin backed by those ALGOs. You call this opening a CDP (collateral debt position). If the price of ALGO drops too much those CDPs can get liquidated via an auction on their website.

What happened?

  • people noticed that auctions wouldn’t work on algogard, an essential part of the protocol to keep it safe and GARD overcollateralized
  • @Swaggelwander read about it in a holders channel (about 50 persons) of an NFT project called Dragonfi and looked into it. He was never really interested in algogard up to this point. He then found out that the oracle wasn’t working correctly and was able to open a small undercollateralized debt position and that someone already abused this which resulted in GARD dropping as low as under 0.4 $. This could have affected not only Algogard but also Folks Finance as they allow GARD as collateral on their lending platform (they have some safety mechanisms in place like a 25k $ supply cap tho).
  • He then tried his best to notify Algogard and the Algorand Foundation so they could fix it ASAP, doing so in good faith and providing his expert diagnosis of the issue. He posted in the holders channel at that time “Everyone needs to get out of GARD” without giving any context on what exactly is wrong with it, just because the people in there made him look into it in the first place. Algogard argues that this added significant risk. I disagree with that completely, as we already knew that auctions weren’t working and he didn’t mention at all what the problem was with GARD that made him write that message.

Important to note that Algogard was able to fix this exploit after getting notified (they integrated the Folks Feed Oracle https://www.folksfeed.io/). The first exploiter paid back the ALGOs they made and Algogard is working on paying back the bad debt that is left, but in theory the protocol is overall overcollateralized atm, though there is one exploited CDP which you can see on GARD App.

Edit: To make it clear, this is about Algogard not paying out a bug bounty. Algorand itself has nothing to do with it; I don’t want the Foundation to step in to pay that bounty.

I wanna add that Algogard didn’t even publicly acknowledge what @Swaggelwander has done for them as their only public post about that doesn’t address it:

7 Likes
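The post above describes the failure mode only in prose: a price feed that stopped reporting correctly let a small collateral position mint more GARD than it should, and the fix was to switch to a validated oracle. The following is an added toy illustration written for this thread; it is not AlgoGard's contract code, not the reporter's diagnosis, and every name, threshold and amount in it (the 140 % minimum collateral ratio, the 5-minute staleness window, the 20 % deviation cap, the constructed prices) is an assumption chosen to make the check visible. It contrasts a mint path that trusts whatever the feed returns with one that sanity-checks the quote first, which is the defensive point of the thread.

```python
"""Toy CDP mint check with oracle validation (hypothetical; not AlgoGard's code)."""
from dataclasses import dataclass
from typing import Optional

MICRO = 1_000_000                  # ALGO and USD amounts are held in micro-units
MAX_STALENESS_SECONDS = 300        # assumed: reject quotes older than 5 minutes
MAX_DEVIATION_BPS = 2_000          # assumed: reject a >20 % jump from the last accepted price
MIN_COLLATERAL_RATIO_BPS = 14_000  # assumed: 140 % minimum collateralisation


@dataclass(frozen=True)
class OraclePrice:
    price_microusd: int   # USD price of one ALGO, in micro-USD
    timestamp: int        # unix seconds at which the feed published it


class OracleRejected(ValueError):
    """Raised when a quote fails the sanity checks."""


class Undercollateralized(ValueError):
    """Raised when the requested debt exceeds what the collateral supports."""


def validate_oracle(quote: OraclePrice, now: int, last_good: Optional[int]) -> int:
    """Return the quoted price only if it is positive, fresh and near the last accepted price."""
    if quote.price_microusd <= 0:
        raise OracleRejected("non-positive price")
    if now - quote.timestamp > MAX_STALENESS_SECONDS:
        raise OracleRejected("stale price")
    if last_good is not None:
        deviation_bps = abs(quote.price_microusd - last_good) * 10_000 // last_good
        if deviation_bps > MAX_DEVIATION_BPS:
            raise OracleRejected(f"price moved {deviation_bps} bps from last accepted quote")
    return quote.price_microusd


def max_mintable(collateral_microalgo: int, price_microusd: int) -> int:
    """Largest debt (micro-USD) the collateral supports at the given price."""
    collateral_value = collateral_microalgo * price_microusd // MICRO
    return collateral_value * 10_000 // MIN_COLLATERAL_RATIO_BPS


def open_cdp_trusting(collateral_microalgo: int, requested_microusd: int,
                      quote: OraclePrice) -> int:
    """Failure mode: the collateral ratio is enforced against an unchecked feed value."""
    if requested_microusd > max_mintable(collateral_microalgo, quote.price_microusd):
        raise Undercollateralized("insufficient collateral")
    return requested_microusd


def open_cdp_checked(collateral_microalgo: int, requested_microusd: int,
                     quote: OraclePrice, now: int, last_good: Optional[int]) -> int:
    """Hardened path: validate the quote before it is used in the ratio check."""
    price = validate_oracle(quote, now, last_good)
    if requested_microusd > max_mintable(collateral_microalgo, price):
        raise Undercollateralized("insufficient collateral")
    return requested_microusd


def demo() -> dict:
    """Run both paths over constructed quotes and report what each one does."""
    collateral = 1_000 * MICRO            # constructed: 1,000 ALGO locked
    now = 1_700_000_060
    last_good = 200_000                   # constructed: last accepted price, $0.20 per ALGO
    fresh = OraclePrice(200_000, now - 60)
    bogus = OraclePrice(200_000_000, now - 60)   # constructed broken feed: $200 per ALGO
    stale = OraclePrice(200_000, now - 3_600)     # constructed: correct price, an hour old
    out = {}
    # Honest mint: $100 of GARD against $200 of collateral passes the 140 % check.
    out["honest_mint"] = open_cdp_checked(collateral, 100 * MICRO, fresh, now, last_good)
    # Trusting path: the bogus quote makes $200 of collateral look like $200,000,
    # so a $100,000 mint goes through undercollateralized.
    out["trusting_mint_on_bogus"] = open_cdp_trusting(collateral, 100_000 * MICRO, bogus)
    for name, quote in (("bogus", bogus), ("stale", stale)):
        try:
            open_cdp_checked(collateral, 100_000 * MICRO, quote, now, last_good)
            out[f"checked_{name}"] = "accepted"
        except OracleRejected as exc:
            out[f"checked_{name}"] = str(exc)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The deviation check compares against the last price the protocol itself accepted rather than against another feed, so it needs no second data source; a real deployment would typically add a second source or a circuit breaker on top, and would pause minting rather than silently falling back when the feed is rejected.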

I am having problems finding an actual official bug bounty of Algogard. I should have looked for that before I posted this, that’s on me.

Rylie from Algogard said that the behavior of Erik was the only reason he didn’t get a bug bounty and that’s why I didn’t even look for it and why I still think my points about this are valid.

If Algogard doesn’t have a bug bounty program in place, I see no wrongdoing here. While bug bounty programs are great, not every project can afford them or believes they are necessary.

2 Likes

I can see that to a degree. I didn’t even look for a bug bounty because Rylie from Algogard just said:

“This is incredibly risky behavior and precludes any type of bug bounty.”

So it seems to be only about the way it was handled and at the very least I would expect Algogard to publicly acknowledge it tho.