[Chronos Finance] [FINAL] [STIP - Round 1]

Hello! Thanks for your comment. 38% of the proposal is directed to lockers for veCHR. As I’ve noted above, we think it’s important to incentivise people with long-term goals in the ecosystem. As we are targeting growth for new protocols, they stand to benefit most from this and will drive adoption/growth for Arbitrum.

We hope delegates will appreciate that our proposal stands as one that has used real data for historical partner behaviour, DEX metrics and similar programme outcomes, and has allowed us to ask for the least amount of ARB to fulfil our goals whilst achieving the maximum intended impact.

Please see a summary here: https://twitter.com/_Telaga_/status/1708254934884598024

To clarify, ChronoX is based on the SYMMIO trading engine. Thena (Thena / Analytics) has a working version of this, and it is the same version we will launch in a few weeks’ time. We hope the community will support an innovative solution for on-chain derivatives that has the potential to bring significant numbers of users to Arbitrum and agree that using ARB to drive this is worthwhile.

Could you clarify which part is not allowed please? Thanks

What is the final and amended distribution for this point?
As Matt has said before, it cannot be used as liquidity.

Regarding SYMMIO, I am well aware that it is working elsewhere. Analytics cannot be transplanted; as it stands the product is not live and is untested on Arbitrum.


I will amend this section as the wording is causing confusion. To clarify, liquidity is indirectly deepened through increasing emissions that will attract more LPs to core ecosystem pools. This occurs by users voting for these pools (to direct emissions to them) because ARB bribe revenue will be on offer for them to receive.

We’re still working on the final distribution for the grant. Do you think it would be more attractive if we allocated less ARB to incentivise veCHR lockers and instead used that to provide more bribes for core ecosystem CL pools + incentivise partner bribes and liquidity deposits?

Ignoring the claims made by @ZIsBraindead gives the impression that you don’t even take your own bug bounty program seriously.

If his claims are true, then the next time someone finds an exploit, they have all the motivation in the world to simply steal user funds instead.
How can you ask delegates to vote for your proposal if you won’t even use your massive treasury to ensure your contracts are secure? You are putting user funds on the line here, as well as the reputations of both your own project and Arbitrum itself.

Your silence appears to speak volumes, so I hope you change your mind and address this head on.

@ZIsBraindead can you share more details about the type of exploit you found, possibly with the relevant code, and how exactly the funds could have been stolen if it were taken advantage of by a malicious actor?


How will this work exactly?
Do you have the tech ready to accommodate this?

Hello @Telaga,

Now that your application has been marked eligible, please be advised of the remaining steps in the application process to be completed prior to the Review Period Deadline:

Please complete the following steps required for your application to proceed to Snapshot:

To change your proposal to final, please tag an Arbitrum Foundation Forum Moderator (@ stonecoldpat @ cliffton.eth @ eli_defi) by the Review Period deadline to notify them of your proposal’s readiness to proceed from [Draft] to [Final] status.

Once notified, the Arbitrum Foundation Forum Moderator will adjust your title from [Draft] to [Final] status. Once marked as [Final], your application post will be locked by moderators and you will no longer be able to edit your proposal.

Hi, you may have quoted the wrong section; could you clarify this? Thank you.

Thank you @Matt_StableLab, we will follow these steps.

Update to delegates / community. Based on feedback we will be making some changes to the proposal and here is a summary for those goals:

Chronos TAG is a public infrastructure layer that will drive deeper liquidity for Arbitrum projects at the lowest possible cost. We have designed a bribe matching framework that uses ARB to match protocol bribes based on value provided to the liquidity hub (bribe value, liquidity deposited and veCHR locking). When compared to direct LP incentives, this is significantly more capital efficient as more value is generated for each $ of incentive. Through multiplied voting incentives and increasing CHR scarcity, higher available revenue emissions value will support higher TVL and deeper liquidity. Over the grant period Chronos TAG will be leveraged to achieve two objectives:

• Direct liquidity growth support for Arbitrum native projects to achieve long-lasting network adoption
• Drive volume and liquidity for ecosystem ETH/ARB pairs through our hyper-efficient CLM

This will be split into the following sections:

Partner protocol bribe / POL boost: 250,000 ARB (prev 125,000) + 2M of treasury veCHR to achieve a minimum target match rate of 40% for Arbitrum native projects

Lock boost: 75,000 ARB (prev 200,000). Through low barriers to entry, both protocols and users will be encouraged to engage in long-term network growth; this also increases LP revenue. Most importantly, protocols can access higher levels of bribe boosts that lower liquidity growth costs.

Core Ecosystem CLM pools: 100,000 ARB (previously 50,000) - ARB will be used to bribe core ETH/ARB pairs on our hyper-efficient CLM solution (data provided in final version). We show that over the grant period our CLM was most able to generate volume during periods of high and low volatility and therefore represents an attractive place for the use of ARB incentives to drive new liquidity providers, better depth for traders and volume for the network.

ChronoX - 100,000 ARB (previously 125,000). ARB will only be deliverable after the launch of ChronoX, a next-gen highly capital efficient derivatives exchange. Revenue will be used to drive LP returns denominated in CHR and to bribe core CLM pools to drive network growth. We will distribute ARB on a weekly basis to incentivise traders based on PnL to encourage organic growth (safety against wash trading).

I was referring to the veCHR locked due to revenue earned from Chronos X buybacks, how will this be distributed?

While I am all in favour of a Solidly model to get grants on Arbitrum, I do have a few concerns with the proposal which the delegates should take into consideration.

  • Lock Boost: While Chronos is allocating 75,000 ARB for the lock bonus, this is basically giving away ARB to new veCHR lockers, which does nothing but increase the value of the CHR token. Basically using ARB to prop up the value of CHR.
  • ChronoX: I’m in favour of incentivising a perp platform built on SYMMIO tech. However, at surface level it seems the protocol is incentivising users/traders with ARB to use the platform. One key thing which is not being mentioned often is that the fees from the SYMMIO platform go to the Chronos treasury, and apparently Chronos will “vote” on pairs to give back emissions to users; fees don’t go to users. Regardless, this is a protocol mechanic; if they think that’s the best approach for them, so be it.
  • I think it’s very disingenuous to say that Chronos is the most attractive veToken out there while leaving out the fact that the protocol token is down 250x from its all-time high, and even 35x from its initial price. While I understand that in a Solidly model the token price does not show the whole picture, saying that Chronos is the most efficient veToken out there is a bit misleading. (At the time of this writing the price of CHR is $0.00987.)
  • Some other low-key concerns which I have are: the approach that Chronos takes against whitehats is extremely concerning. A team which raises 4MM and skimps on bounties/security is highly concerning. Also, the fact that Chronos had whitelisted 3-4 rug tokens on their platform is a bit of a concern; it shouldn’t happen that ARB goes to pairs which are rug tokens. While I understand it’s not always in Chronos’ control to know if a token will rug or not, even after the first two tokens rugged and after a community discussion around it, nothing significant changed and another token was whitelisted which rug pulled. I understand that Chronos is not intentionally doing this, but it’s fairly concerning.

I think the delegates should take these factors into consideration when voting. Happy to be proven wrong though.

Best

We take security and the ImmuneFi programme very seriously. We 100% support payment for whitehats. To date, we have paid ~$50,000 for reports and, as you can see from the draft grant, have paid for extensive auditing of our contracts.

We would like to take the opportunity to address the misinformation regarding the Z bug. Firstly, we are talking about our concentrated liquidity management (CLM) pools that were recently launched at the time with $300k in TVL. The CLM was designed by both Chronos (UNIV3) + Dyson (management). We are collaborating together to provide a single solution and thus all actions relating to this were discussed and done in concert. Order of events:

  1. The bug was reported to Dyson and was patched immediately; no funds were lost
  2. Simultaneously Ramses publicly announced the bug, not knowing if it was patched or not, and asked users to withdraw funds / revoke permissions:
     • They disclosed the vulnerability publicly before knowing it was 100% mitigated
     • Open on-chain transactions that could’ve led a malicious actor to drain funds
     • Performed on-chain attempts to drain funds, making the “whitehatness” of the operation questionable
     • No chain fork for displaying it and keeping it confidential
  3. This continued whilst both teams were in discussions and users were misled

They did not follow ImmuneFi rules and acted unethically. Why Unauthorized Whitehacking Is Unethical | by Immunefi | Immunefi | Medium - no effort was made to ensure that the whitehat was ethical; to the contrary, the bug was leveraged in a way that knowingly could have put user assets at risk and was designed to cause reputational damage.

Despite all this and enduring significant and unnecessary reputational damage, Chronos and Dyson agreed that Z should be compensated and he was paid $20,000.

You can read about the technicals here; it is the first vulnerability (Arbitrary Payload Execution), and could have resulted in the theft of users’ funds directly from their wallets if they had outstanding approvals to the ChronosVault contract.


I do not know @ZIsBraindead, but I can vouch for his experience, as I have experienced the same (at a lower level).

From my end, the issue lay with the front end but was still quite critical. Simply put, the front end has weird interactions with Gnosis Safe wallets. As I withdrew the assets from an LP of one of the Safes I operate (a protocol treasury), the underlying assets got sent to my wallet (the signer).

This bug could have been weaponized into an attack vector, as it allowed one to craft an LP withdrawal transaction on a multisig that looked just like a regular one despite sending assets to the signer wallet and not the Safe itself, potentially allowing any Safe signer to rug their Safe.

The response from the Chronos team was unbelievably light. They categorically refused any bounty for the report. It took >1 day to get a dev answer in our private chat; however, the issue was fixed promptly after that (~2 days after the initial report).

They also mentioned a few days later that this issue had already been identified thanks to another partner who suffered it (but not fixed then, WHY?!) - potentially yet another strategy to deny any payment of a bounty.

Besides this error, the Chronos front end has been riddled with issues related to interactions with Gnosis Safes, which the Chronos team always took lightly - despite me stressing to them privately how important it is for such a type of DEX to properly support Safes, as protocols operating veNFTs usually don’t do so from an EOA.

Their answer to feedback has always been pretty depressing, and they seem not to see value in it. In our chat, I’d provide detailed suggestions on how to improve the (still massively painful) experience for protocols harnessing Chronos, only to be answered with a generic message about bribes…


Hi @ZIsBraindead @ydmx @fareeha

Please see a reply below with some extra comments (was previously taken down by community?)

@ZIsBraindead we don’t disagree that the bug was there. We are thankful for you finding it; you did great work. The way that it was irresponsibly shared and used to cause damage wasn’t right (this wasn’t you). The result is that we all agreed that you should be paid for your work despite the unethical approach. I want to make it clear to you that we believe you acted in the best way possible and you did nothing wrong.

We take security and the ImmuneFi programme very seriously. We 100% support payment for whitehats. To date, we have paid ~$50,000 (not including the Z find) for reports and, as you can see from the draft grant, have paid for extensive auditing of our contracts.

For reference to the events: this was about our concentrated liquidity management (CLM) pools that were recently launched at the time with $300k in TVL. The CLM was designed by both Chronos (UNIV3) + Dyson (management). We are collaborating together to provide a single solution and thus all actions relating to this were discussed and done in concert. Order of events:

  1. The bug was reported to Dyson and was patched immediately; no funds were lost
  2. Simultaneously Ramses publicly announced the bug, not knowing if it was patched or not, and asked users to withdraw funds / revoke permissions:
     • They disclosed the vulnerability publicly before knowing it was 100% mitigated
     • Open on-chain transactions that could’ve led a malicious actor to drain funds
     • Performed on-chain attempts to drain funds, making the “whitehatness” of the operation questionable
     • No chain fork for displaying it and keeping it confidential
  3. This continued whilst both teams were in discussions and users were misled

They did not follow ImmuneFi rules and acted unethically. Why Unauthorized Whitehacking Is Unethical | by Immunefi | Immunefi | Medium - no effort was made to ensure that the whitehat was ethical; to the contrary, the bug was leveraged in a way that knowingly could have put user assets at risk and was designed to cause reputational damage.

Despite all this and enduring significant and unnecessary reputational damage, Chronos and Dyson agreed that Z should be compensated and he was paid $20,000. We think this is fair considering the circumstances.

My comments:

I find this really funny, because even if it was including my find, it would be the same figure (which cannot be verified because it’s private on ImmuneFi).

This is false. The bug was patched a few minutes before the announcement by RAM SEC.

As mentioned in the article published by RAMSES, it says that ImmuneFi rejected the bug, and thus I was not subject to their rules. Frankly, it does not matter how the bug was reported, Chronos still acted disingenuously.

*Dyson paid Z $20,000. Chronos did not contribute.


Chronos has partnered with protocols that have rugged in the past, i.e. Goldbank (evidence attached). I would not trust the team with any sort of grant.

Trying to ignore the drama between teams here, it’s really not productive.

Can you confirm the exploit itself, the risks it carried, and the time frame it was active for user funds in Chronos CL pools and in user wallets?

I can answer this for you. More in-depth details are here, as I mentioned above.

Risk:

Say a user with 5,000 of USDC/T approved infinite USDC and USDT to deposit 1,000 of each into a Chronos CL pool, and they do. They still have 4,000 of each in their wallet, but this is still approved to the vulnerable ChronosVault contract. An attacker could then abuse the approval and exploit the bug for that user’s $8000.

Time frame:

At most an hour or two (iirc), thanks to my quick response after finding the bug.


Thank you, that clarifies my understanding of it.


Hi @ZIsBraindead, I see, so this is the misunderstanding. The total value of the offer was a joint decision from Chronos and Dyson (as I noted above), which you agreed to as compensation and were paid for the find (as you’ve said). That sum represented us both, and just because it was physically sent to you from Dyson doesn’t mean you are entitled to additional compensation. I hope we can move on and focus on the STIP.