The Security Council would like to bring to your attention a protocol bug that was reported by a whitehat researcher on September 3rd, 2025.
Per the Superfluid Constitution, the Security Council has an obligation to disclose such matters within 7 days of the action: “After performing any Emergency Action, the Security Council must issue a full transparency report (at an appropriate time after the security emergency has passed but in any case no longer than 7 days) to explain what was done and why such Emergency Action was justified.”
The essential facts:
- Funds remain secure.
- The vulnerability was patched within 12 hours of the report.
- The protocol v1 stability team has conducted additional code reviews for similar bugs.
Technical Summary
- Cause: Vulnerability in the GDA. The connectPool() function on the GeneralDistributionAgreementV1 contract lacked checks on pool contract authenticity, opening a new attack vector.
- Severity: Critical. All underlying assets from all super tokens could have been drained.
- Fix: Implemented proper pool contract authenticity checks across all relevant code paths; an emergency upgrade was deployed shortly after.
Bounty Settlement
Our active Immunefi bounty program committed 200K USDC for critical severity reports at the time of discovery. Given Superfluid’s current organizational transition, we’ve reached a preliminary agreement with the whitehat that balances our obligations with operational realities:
- Initial payment: 60K-80K USDC (funded by Superfluid Finance LTD)
- Extended payment: CFA stream over 12+ months (proposed by Superfluid Foundation)
- Community support: Accepting 10K+ donations from ecosystem partners and DAO members. Please contact info@superfluid.org if you would like to help.
- Foundation contribution: Remaining funds from operational budget with adjusted allocations
This payment structure helps manage our financial commitments while maintaining the whitehat’s continued engagement. We appreciate the researcher’s understanding and flexibility in working with us on this arrangement.
Future of Superfluid’s Immunefi Bounty Program
Our Immunefi bounty program is temporarily paused while we address two key requirements:
- Complete a new audit before reapplying to the Sherlock bounty program
- Secure initial major donors for the Community Bounty Pool before public launch. Please contact info@superfluid.org if you would like to participate.
We recognize that operating without an active bounty program is not ideal. The Superfluid Foundation is working to address this gap as quickly as possible as we continue our organizational development.
Thank you for your attention. Together, we continue working to keep our protocol secure.