UPDATE: funds have been returned to the Silo team, and we cleared up any misunderstandings due to ImmuneFi's system. Appreciate the Silo team's understanding and cooperation. Let's make Arbitrum safer, together

The RAMSES team is security focused and has an extensive background in information security. When there is an opportunity to safeguard user funds/rewards from potential malicious actors, we will take the necessary steps to resolve it. In this case, our team did not get a response rapidly, thus we had to move swiftly on our own.

White-Hat Operation: Drain ALL $SILO Rewards

On July 21th, 2023 at around 00:30 UTC, RAMSES had identified a vulnerability in Silo's code which allowed any bad actor to drain ALL $SILO funds within the incentives contract (~$45,000 at time of writing). Upon this discovery, our team worked on creating an accurate Proof of Concept (POC) to report in the Silo ImmuneFi bug bounty.

After we had completed the POC and verified that draining the entire balance was possible (See screenshots of tests below) we submitted our bug report to ImmuneFi.

Our bug report was closed promptly, being deemed "out of scope.".

We made multiple efforts of replying trying to get the ticket re-opened, to no avail. (update: seems to be ImmuneFi's doing, not Silo's)

Due to the nature of the situation, we took it upon ourselves to perform a white-hat operation; draining the $SILO incentives and sending it to the RAMSES Treasury for safekeeping.

What's Next?

We are kindly asking Silo team members to reach out to us to discuss next steps to move forward. RAMSES is committed to help Silo solve this exploit, and how to prevent future issues from arising.

UPDATE:

We got in contact with the Silo team and have been discussing things over. It seems ImmuneFi might have been to blame for the communication issues. Nonetheless we are handling it. Thank you for understanding.