HackMD
UPDATE: funds have been returned to the Silo team, and we cleared up any misunderstandings due to ImmuneFi's system. Appreciate the Silo team's understanding and cooperation. Let's make Arbitrum safer, together
The RAMSES team is security focused and has an extensive background in information security. When there is an opportunity to safeguard user funds/rewards from potential malicious actors, we will take the necessary steps to resolve it. In this case, our team did not get a response rapidly, thus we had to move swiftly on our own.
White-Hat Operation: Drain ALL $SILO Rewards
On July 21th, 2023 at around 00:30 UTC, RAMSES had identified a vulnerability in Silo's code which allowed any bad actor to drain ALL $SILO funds within the incentives contract (~$45,000 at time of writing). Upon this discovery, our team worked on creating an accurate Proof of Concept (POC) to report in the Silo ImmuneFi bug bounty.
After we had completed the POC and verified that draining the entire balance was possible (See screenshots of tests below) we submitted our bug report to ImmuneFi.
Our bug report was closed promptly, being deemed "out of scope.".
We made multiple efforts of replying trying to get the ticket re-opened, to no avail. (update: seems to be ImmuneFi's doing, not Silo's)
Due to the nature of the situation, we took it upon ourselves to perform a white-hat operation; draining the $SILO incentives and sending it to the RAMSES Treasury for safekeeping.
