This week we paid our first security bounty to a white hat hacker, and we were excited to pay up 🎊🤠! As protocols become more complex, security vulnerabilities continue to surface (also this week: Paradigm researcher samczsun discovered and helped patch a SushiSwap bug that put roughly $350M at risk), and white hats are one of the best lines of defense for keeping funds, projects, and users safe.
At xDai, security is our team's #1 priority. More than fast, stable transactions, green consensus, or innovative projects, security comes first. Today close to 500 million USD worth of assets are locked in the bridge contracts. That is a lot of user funds, and we take serious care to ensure they are protected. Measures we take include:
Security audits, and more security audits! We are currently completing our 4th security audit of the bridge infrastructure (our 2nd from ChainSecurity, after 2 previous audits from Quantstamp). The TokenBridge/OmniBridge codebase is a complex application made up of several sub-repositories, many thousands of lines of code and advanced functionality. Whenever major changes are made to the contracts, we make sure a new audit is completed. It is expensive, time-consuming and absolutely necessary to protect xDai chain users. Security audit reports for the bridges and other xDai-relevant infrastructure, such as the POSDAO consensus, are available to view here.
Monitoring tools. We have a slight monitoring obsession around all of our metrics. We invest in and support tools for developers, including tools we use every day: Dune Analytics for usage stats, BlockNative to monitor the mempool, Tenderly to explore transactions and eth-netstats to check node health. One of the biggest attack vectors is the public RPC infrastructure, so we continue to optimize our monitoring to recognize early DDoS attack signals and intervene, minimizing the impact on chain functionality.
Bug bounties. We set a record in March when we created a $2 million bug bounty with Immunefi. It has since been surpassed by The Graph protocol, but it is still one of the largest bounties for security researchers in the space. We are happy to pay good programmers, devs, and researchers to stress test our code and find any bugs we may have overlooked.
Our first bug bounty, paid this week, was for a vulnerability outside of scope. All funds in the bridge were safe, and the only funds at risk were those sent mistakenly to the AMB contract. Even so, we were happy to pay the 5K USDC bounty. White hat 0xadee028d brought a fresh set of eyes and a new perspective, and found an unimplemented safety measure. As a result, we have additional monitoring in place to help protect users who might improperly transfer funds.
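As an added illustration of the kind of early-warning logic such RPC monitoring runs (example code written for this page, not xDai's own tooling), the script below scans constructed JSON-RPC access-log lines with two heuristics over a sliding time window: a request flood from a single client, and a surge in the share of expensive calls such as eth_getLogs. The log format, the thresholds and the list of expensive methods are assumptions to be tuned per deployment.

```python
"""Early-warning heuristics for a public JSON-RPC endpoint.

Added example, not xDai's monitoring code. Assumed access-log format
(one request per line, constructed below):

    <unix_ts> <client_ip> <json_rpc_method> <http_status>

Thresholds and the expensive-method list are illustrative assumptions.
"""
from collections import Counter, deque

# Methods that cost a node far more than a simple lookup; a sudden surge in
# their share of traffic is an early DDoS signal (assumed list, tune per node).
EXPENSIVE_METHODS = {"eth_getLogs", "eth_call", "eth_estimateGas", "debug_traceTransaction"}


def parse_line(line):
    ts, ip, method, status = line.split()
    return float(ts), ip, method, int(status)


def detect(lines, window=10.0, per_ip_limit=50, expensive_share=0.6, min_requests=20):
    """Scan log lines in time order; return (kind, detail, ts) alerts.

    Two signals over a sliding window of `window` seconds:
      per_ip_flood            one client exceeds `per_ip_limit` requests
      expensive_method_surge  expensive calls reach `expensive_share` of
                              at least `min_requests` recent requests
    Each alert fires once per episode so a flood does not spam the pager.
    """
    recent = deque()          # (ts, ip, method) for requests inside the window
    per_ip = Counter()
    expensive = 0
    alerts, flagged_ips, surge_open = [], set(), False

    for line in lines:
        ts, ip, method, _status = parse_line(line)
        recent.append((ts, ip, method))
        per_ip[ip] += 1
        expensive += method in EXPENSIVE_METHODS

        # Drop requests that have aged out of the window.
        while recent and ts - recent[0][0] > window:
            _old_ts, old_ip, old_method = recent.popleft()
            per_ip[old_ip] -= 1
            expensive -= old_method in EXPENSIVE_METHODS

        if per_ip[ip] > per_ip_limit and ip not in flagged_ips:
            flagged_ips.add(ip)
            alerts.append(("per_ip_flood", ip, ts))

        total = len(recent)
        share = expensive / total if total else 0.0
        if total >= min_requests and share >= expensive_share:
            if not surge_open:
                surge_open = True
                alerts.append(("expensive_method_surge", f"{share:.2f}", ts))
        else:
            surge_open = False    # episode over; a later surge alerts again
    return alerts


# Constructed sample: 30 s of quiet traffic from three clients, then a burst of
# 60 eth_getLogs calls from one address inside 0.6 s.
SAMPLE_LOG = [
    f"{t} 10.0.0.{1 + t % 3} {'eth_blockNumber' if t % 2 else 'eth_getBalance'} 200"
    for t in range(30)
] + [f"{30 + i * 0.01:.2f} 203.0.113.7 eth_getLogs 200" for i in range(60)]

if __name__ == "__main__":
    for kind, detail, ts in detect(SAMPLE_LOG):
        print(f"t={ts:.2f} {kind}: {detail}")
```

On the constructed burst the expensive-method surge fires first (a handful of eth_getLogs calls already dominate the window), and the per-client flood fires once the 51st request from the same address arrives; in production the surge signal is the one that buys time, since it trips before any single client looks abusive.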
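As an added example of the monitoring such an incident calls for (written for this page, not the project's own code), the script below decodes ERC-20 Transfer logs in the shape returned by eth_getLogs and flags any transfer whose recipient is a contract that is not an intended token recipient, such as the AMB. The AMB address, token address and log entries are constructed placeholders.

```python
"""Flag ERC-20 transfers sent straight to a bridge contract that is not meant
to receive tokens directly (added example, not xDai's monitoring code).

Log entries below are constructed in the shape returned by eth_getLogs.
AMB_ADDRESS is a placeholder assumption, not the real deployment address.
"""

# keccak256("Transfer(address,address,uint256)"): topic0 of every ERC-20 Transfer
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
AMB_ADDRESS = "0x" + "aa" * 20   # placeholder for the AMB contract address


def topic_to_address(topic):
    """Indexed address arguments are left-padded to 32 bytes inside a topic."""
    return "0x" + topic[-40:].lower()


def find_stranded_transfers(logs, watched_addresses):
    """Return every Transfer whose recipient is one of the watched contracts."""
    watched = {a.lower() for a in watched_addresses}
    hits = []
    for log in logs:
        topics = log.get("topics", [])
        # A standard Transfer has topic0 plus two indexed addresses (from, to).
        if len(topics) != 3 or topics[0].lower() != TRANSFER_TOPIC:
            continue
        recipient = topic_to_address(topics[2])
        if recipient not in watched:
            continue
        hits.append({
            "token": log["address"].lower(),
            "from": topic_to_address(topics[1]),
            "to": recipient,
            "amount": int(log["data"], 16),   # uint256 value, ABI-encoded in data
            "tx": log["transactionHash"],
        })
    return hits


def pad_address(addr):
    """Encode an address as a 32-byte topic (helper for the constructed logs)."""
    return "0x" + addr[2:].lower().rjust(64, "0")


USER = "0x" + "01" * 20
TOKEN = "0x" + "c0" * 20
# Constructed logs: a normal transfer to another user, a transfer straight to
# the AMB (the case to alert on), and an unrelated event on the same token.
SAMPLE_LOGS = [
    {"address": TOKEN, "transactionHash": "0x" + "a1" * 32,
     "topics": [TRANSFER_TOPIC, pad_address(USER), pad_address("0x" + "02" * 20)],
     "data": "0x" + format(1_000_000, "064x")},
    {"address": TOKEN, "transactionHash": "0x" + "b2" * 32,
     "topics": [TRANSFER_TOPIC, pad_address(USER), pad_address(AMB_ADDRESS)],
     "data": "0x" + format(5_000 * 10**6, "064x")},     # 5,000 tokens with 6 decimals
    {"address": TOKEN, "transactionHash": "0x" + "c3" * 32,
     "topics": ["0x" + "11" * 32, pad_address(USER), pad_address(AMB_ADDRESS)],
     "data": "0x" + format(7, "064x")},                  # not a Transfer event
]

if __name__ == "__main__":
    for hit in find_stranded_transfers(SAMPLE_LOGS, [AMB_ADDRESS]):
        print(f"ALERT token {hit['token']} sent {hit['amount']} "
              f"from {hit['from']} to {hit['to']} in {hit['tx']}")
```

Fed with live logs filtered on topic0 = TRANSFER_TOPIC and topic2 = the padded AMB address (both are indexed, so the node can do the filtering), the same function yields the sender and transaction hash needed to contact the user or trigger a recovery procedure.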
We appreciate and celebrate white hats; they are more important than ever! If you would like to throw your white hat in the ring, please visit our OmniBridge bug bounty program with Immunefi to get started and help us continue to protect the xDai chain.
Note: The xDai chain has been in production since 2018 without any major security incidents.
August 20 Weekly Highlights
Protocol
xDai’s consistent growth continues, with new all-time highs (ATHs) this week for daily transactions (397K+) and TVL locked in bridges ($556M+).
Staking game mechanics were on full display this week when a candidate pool with a lower stake (Gimlu) was selected as a validator for Epoch 70 thanks to the randomness feature. Gimlu and its active delegators are earning 60+% APR this week! As a result, new delegators have added a significant portion of pending STAKE to Gimlu’s node, greatly increasing the likelihood of selection next week (and lowering the APR). Read more about Staking APR here.
Projects
A big update from Nethermind brings MEV (Miner Extractable Value, or Maximum Extractable Value as Flashbots likes to call it) to xDai. The mechanism allows users to bundle transactions and send them to a private transaction pool, increasing efficiency during times of high congestion and keeping transactions out of the public mempool so they cannot be frontrun. The Flashbots docs provide the tools to get started sending MEV bundles to xdai-relay.nethermind.io. Dark Forest players are already taking note: the first user-reported bundle was accepted in block 17663943.
Also of note, the latest Nethermind release v1.11.0 eliminates the pesky bug where transactions defaulted to a 20 gwei gas price. No more changing the gas price (or forgetting and paying 20 gwei) to process xDai transactions 🎉
Dark Forest v0.6 Round 3 is heading for an exciting conclusion and will end on Sunday, August 22, at 9AM PT / 12PM ET. We can’t wait to see who wins and to unpack stats from the DF team on this latest and greatest round. For more info, read the Dark Forest blog and follow the action on Twitter @darkforest_eth
POKT Network announced an official xDai integration. POKT node operators have been busy during the latest Dark Forest rounds, processing tens of millions of relays for the network, with the protocol rewarding its decentralized operators for doing so.
Cross-chain Integrations
Several xDai integrations this week highlighted the multi-chain universe we now inhabit. Projects continue to add xDai to their curated roster of networks as cross-chain compatibility and composability become increasingly important.
xDai was added to the Coinbase Wallet list of available networks this week, and we quickly added Coinbase Wallet as an option for users connecting their wallets to the xDai bridge.
Elk Finance added xDai to its cross-chain liquidity network, which now spans 6 networks. An Elk yield farming campaign will begin shortly.
Synapse Network added xDai to its roster of supported networks. Synapse brings multi-stage investment opportunities to users across multiple networks.
🙏 Thanks to xDai projects, users and advocates this week! We look forward to another productive week with several big updates in the works.
- The xDai Team