Vote: **NAY**

While acknowledging the importance of properly rewarding whitehat disclosures and maintaining a strong security culture, I cannot support this proposal in its current form.

The requested amount of 8,000,000 ACA is extremely high for a bug bounty and platform fee, <ins>especially considering that the root cause of the vulnerability lies within the Polkadot SDK,</ins> not in Acala's custom runtime logic. This is clearly stated in the proposal itself.

Given that the vulnerability originated in the shared SDK maintained by Parity, the responsibility for compensating the researchers and covering platform fees should rest primarily with the Polkadot Treasury, not Acala’s. At a minimum, 90% of this cost should be absorbed by Polkadot, not a parachain that is a downstream user of the affected SDK.

Additionally, the Polkadot Treasury has historically approved significantly larger sums for far less critical uses, particularly marketing efforts, while failing to directly support Acala at a comparable or proportional level—despite Acala’s strategic contributions such as LDOT and the EVM+ infrastructure.

I recommend that Acala’s governance team coordinate directly with the Polkadot Treasury and Parity to ensure that this security issue is compensated appropriately at the network level, where the root cause occurred.

This proposal should be reconsidered once a fair cost-sharing model is in place.

不支持。
尽管我们必须重视并奖励白帽漏洞披露，但我无法支持当前版本的提案。提议中的800万ACA请求金额过高，尤其是漏洞根源在于Polkadot SDK，而非Acala自身的运行时代码。既然问题出现在由Parity维护的共享基础设施中，相关成本理应由Polkadot国库全额承担。Acala作为SDK的使用方，不应独自承担这项责任。建议Acala团队与Parity及Polkadot国库直接协商，在网络层面上妥善解决此事。

Fully in support of this proposal. The value at risk here (LDOT liquidity, Homa’s staked DOT, and broader ecosystem confidence) is far greater than the requested 8,000,000 ACA. For a critical, responsibly disclosed issue that has already been patched, this payout is a reasonable cost of protecting substantially larger assets. Failing to pay fairly would send a very negative signal to future white hats and could discourage responsible disclosure.


## Summary

This proposal, created on behalf of [@infosec_us_team](https://x.com/infosec_us_team), requests 8,000,000 ACA from the Acala Treasury as a bug bounty payment and Immunefi platform fee related to a critical vulnerability affecting LDOT. The requested funds will be used for payment to infosec_us_team and the Immunefi platform fee. The issue has already been patched in Acala in the last runtime upgrade (2320).

## Background

A critical security vulnerability was identified that could, under specific conditions, allow arbitrary minting of a small amount of LDOT. With enough repeats, it would be possible to drain liquidity from any LDOT DEX pairs. And if without further governance actions, unstake and withdraw all staked DOT by Homa protocol.

### Key points

- The root cause lies in the polkadot-sdk, not in Acala-specific logic.
- The vulnerability has been communicated to Parity under a coordinated disclosure process.
- Acala has released runtime 2320, which includes a patch that mitigates this vulnerability on Acala and Karura.
- Parity will share more technical details publicly once:
  - The underlying root cause is fully fixed in polkadot-sdk, and
  - It is verified that no live chain remains impacted.

Acala Treasury has been asked to give 8,000,000 ACA to infosec_us_team for finding a big security problem with LDOT. This problem could let someone make a small amount of LDOT and take away money from LDOT trading pairs. The team who found the problem told Parity, the company that made the software, and Acala fixed it in their last update. Parity will share more details when they know the problem is completely fixed and no other chains are affected.

#424·Bug Bounty for Critical Vulnerability

Summary

Background

Key points