From 64ce8a787920ba7dca7f669657d77fe4613bda3e Mon Sep 17 00:00:00 2001 From: sam bacha Date: Mon, 22 Jul 2024 18:01:29 -0700 Subject: [PATCH] docs(security): add bug bounty post mortem --- docs/flashbots-mev-boost/security.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/flashbots-mev-boost/security.md b/docs/flashbots-mev-boost/security.md index 217175a8b..e7b238a47 100644 --- a/docs/flashbots-mev-boost/security.md +++ b/docs/flashbots-mev-boost/security.md @@ -9,4 +9,8 @@ If you find a security vulnerability on this project or any other initiative rel ### Bug Bounties -- Coming soon! \ No newline at end of file +#### Post-mortem for a relay vulnerability leading to proposers falling back to local block production + +- On November 10, 2022, a vulnerability in the Flashbots relay was exploited, causing block proposers to fall back to local block production instead of MEV-Boost blocks. The issue stemmed from incorrect `timestamp` and `prev_randao` values in block builder submissions, leading to their rejection by the beacon node. The vulnerability was responsibly disclosed by the [Manifold Finance team](https://twitter.com/foldfinance), and a fix was implemented and deployed by collaborating with various security and engineering teams. The incident affected approximately 350 blocks but did not result in proposers missing slots. + +For more details, ["Post-mortem for a relay vulnerability leading to proposers falling back to local block production (Nov. 10, 2022)"](https://collective.flashbots.net/t/post-mortem-for-a-relay-vulnerability-leading-to-proposers-falling-back-to-local-block-production-nov-10-2022/727)
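Review bot: The added bullet under `#### Post-mortem for a relay vulnerability...` says the vulnerability "was exploited" and, two sentences later, that it was "responsibly disclosed", without saying how the two relate. Please state the order of events so readers can tell whether the roughly 350 affected blocks came before or after the disclosure. In the same bullet, "leading to their rejection by the beacon node" is ambiguous about what was rejected; naming the block builder submissions explicitly would fix that. The bullet also says a fix was deployed but not what the relay now checks for `timestamp` and `prev_randao`, and one sentence on that would make the summary useful to relay operators without following the link. The closing line "For more details, [...]" has no verb; suggest "For more details, see [...]". Finally, this entry replaces "Coming soon!" directly under `### Bug Bounties`, so the section no longer says anything about a bounty program. Consider giving the post-mortem its own heading, or keeping a line on the bounty status.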