#204·Bug Bounty for Critical Vulnerability

Democracy
13d ago
3 Comments
Executed
This vote has been closed.

Vote: NAY

While acknowledging the importance of properly rewarding whitehat disclosures and maintaining a strong security culture, I cannot support this proposal in its current form.

The requested amount of 8,000,000 ACA is extremely high for a bug bounty and platform fee, especially considering that the root cause of the vulnerability lies within the Polkadot SDK, not in Acala's custom runtime logic. This is clearly stated in the proposal itself.

Given that the vulnerability originated in the shared SDK maintained by Parity, the responsibility for compensating the researchers and covering platform fees should rest primarily with the Polkadot Treasury, not Acala’s. At a minimum, 90% of this cost should be absorbed by Polkadot, not a parachain that is a downstream user of the affected SDK.

Additionally, the Polkadot Treasury has historically approved significantly larger sums for far less critical uses, particularly marketing efforts, while failing to directly support Acala at a comparable or proportional level—despite Acala’s strategic contributions such as LDOT and the EVM+ infrastructure.

I recommend that Acala’s governance team coordinate directly with the Polkadot Treasury and Parity to ensure that this security issue is compensated appropriately at the network level, where the root cause occurred.

This proposal should be reconsidered once a fair cost-sharing model is in place.


Not in support.

Although we must take whitehat vulnerability disclosures seriously and reward them, I cannot support the current version of this proposal. The requested amount of 8 million ACA is too high, especially since the root cause of the vulnerability lies in the Polkadot SDK rather than in Acala's own runtime code. Since the problem arose in shared infrastructure maintained by Parity, the associated costs should be borne in full by the Polkadot Treasury. Acala, as a user of the SDK, should not shoulder this responsibility alone. I suggest that the Acala team negotiate directly with Parity and the Polkadot Treasury to resolve this matter properly at the network level.


Fully in support of this proposal. The value at risk here (LDOT liquidity, Homa’s staked DOT, and broader ecosystem confidence) is far greater than the requested 8,000,000 ACA. For a critical, responsibly disclosed issue that has already been patched, this payout is a reasonable cost of protecting substantially larger assets. Failing to pay fairly would send a very negative signal to future white hats and could discourage responsible disclosure.
