Proposal “vulnerability-disclosure-compensation“ (Active)Back

Title:Critical vulnerabilities disclosure and independant security contribution
Owner:DeltaXV
Monthly amount: 200 DASH (7135 USD)
Completed payments: no payments occurred yet (2 month remaining)
Payment start/end: 2026-07-07 / 2026-09-04 (added on 2026-07-06)
Final voting deadline: in 1 month
Votes: 0 Yes / 0 No / 0 Abstain
Will be funded: No. This proposal needs additional 310 Yes votes to become funded.
Manually vote on this proposal (DashCore - Tools - Debugconsole):
gobject vote-many 74502da7c676af03049687172b9b1ea14315ff5d1585b77ed67752776af63762 funding yes

Please login or create a new DashCentral account for comfortable one button voting!

Proposal description

Hi everyone, I'm DeltaXV a blockchain security researcher and whitehat. You can find me on X (@deltaxv_) and Github (@DeltaXV).
During the month of June 2026, I have uncovered 3 different critical severity vulnerabilities, that would have led to major impact on the Dash network and Master nodes. 


My contribution is as follows:

1. Dash core does not track the EvoNode platformNodeID in its mempool.
- Summary: This would have allowed an attacker to cause a network-wide block production halt with 2 `ProRegTx`-type transactions. 
- Severity: Critical
- Recovery: Recovery would have taken +24h, the chain simply stops producing blocks and no user transactions can be included with no logs or error. Even on a restart, both poison txs are reloaded from `mempool.dat` and broadcasted to the whole network, so the halt just resumes.
- Patch: fix: don't let 2 protx with the same platform-id to be presented in mempool (Commit 78b8274)

2. Dash Core masternode remote crash via QSIGSHARESINV OOM (Out-Of-Memory)
- Summary: An attacker being an unauthenticated peer with a single crafted 3 MB message forces ~1.5 TB of memory allocation on any masternode, causing an immediate OOM kill (SIGKILL). Through this OOM issue an attacker can then do the double spend attack via a very easy 51% attack and reorgs, with carefully targeted MNs
- Severity: Critical
- Fix: fix: early bail-out for huge QSIGSHARESINV and QGETSIGSHARES (Commit 3426458)

3. Dash Core remote crash via out-of-range versionBit in MNHF transaction
- Summary: An attacker can remotely crash with a single crafted transaction with versionBit >= 29 crashes any Dash node that attempts to validate it basically the whole network would crash.
- Severity: Critical
- Note: This was also discovered upstream by the dash core team
- Fix: perf: avoid re-validation of ehf signals during block-connect (Commit 54187cd).


Currently:

All patches have been implemented in Dash core 23.1.4 couple weeks ago. Thanks to PastaPastaPasta and quantum_explorer for their assistance during the bug report submission. 

Compensation and what's next?

As compensation for these vulnerabilities and security contribution for the Dash ecosystem and MNs. 200 DASH per month during 2 superblocks, which covers these critical impact security contribution and frequent security reviews with coordination with the dash core team for disclosing critical vulnerabilies. As soon this proposal passes this will allow me to be rewarded for my discoveries and commit more time into reviewing the dash core implementation.

Show full description ...

Discussion: Should we fund this proposal?

Submit comment
 
1 point,1 hour ago
I would like to acknowledge and confirm that DeltaXV did indeed find a critical vulnerability and I do think he should be compensated for this because he did put effort into finding the issue. As Pasta said I also do believe we would have found it internally as a simple AI audit on that specific section also found it. We were auditing things internally but we were going section by section as far as I understand and he found something first. As AI is increasing at a rapid pace we were forced to suspend our bug bounty program for now as the amount of people finding issues through AI increased.

I honestly don't know what to say about this proposal. I offered the security researcher 2000$ even though our bug bounty program is stopped, but he didn't think it was a correct amount for the severity of the issue. If it had been in the before AI times I think this would have warranted around 20k USD. But we are not in the before AI times. We are in the AI times.

In the end he is asking for 400 Dash. There are a lot of factors at play in order to figure out if it's worth that much. I had told the PO I would support the proposal if it was less. I told him "if it’s 100 dash I will support it. At 150 dash you will get some support, I won’t go out of my way, but I would vote for that myself." He decided to go for 200 Dash. I might still vote for it, but it really depends on what else there is to vote for in this cycle. I do want DeltaXV to be compensated for his work. I'm guessing that he spent at least a few days on this.
Reply
0 points,2 hours ago
Hey all,

I can confirm that around June 8, this researcher reached out to me on Discord and raised a vulnerability of concern. After that initial contact, we ran additional automated and AI-assisted security audits, which identified a number of issues. I asked the researcher to encrypt and send over their full report.

At approximately the same time that the researcher shared their initial report, covering what is listed here as Issue 1, one of our developers independently identified the same issue using Codex.

We confirmed Issue 1 and began additional rounds of internal investigation on June 8 and 9.

On June 11, we began preparing the v23.1.4 release.

Around June 13, the researcher shared additional reports, including Issues 2 and 3 listed here. Both of those issues had already been identified internally during the audits that started on June 8, and fixes for both were already implemented or in progress by that time.

The researcher did real work and independently identified these issues. I do want to acknowledge that. Our internal work was done privately before the release of v23.1.4 to minimize the risk of exploitation. However, after the researcher's early message that "yes the chain can be instantly halted in 2 Txs. tested locally against a local node", we had enough signal to begin the investigation that led to the fixes. With or without the later reports, the fixes delivered in v23.1.4 would have been the same.

v23.1.4 was publicly released on June 18, and early versions were deployed as early as June 14.

As many people who have been around for a while know, some of my earliest compensation from Dash was related to bug bounties. I think bug bounties can be valuable tools for encouraging and rewarding serious work put into finding vulnerabilities.

That said, I think the value in this specific case is hard to assess. In the age of AI-assisted auditing, identifying vulnerabilities can sometimes require substantially less human effort than it historically did, and it is not really possible for us to independently measure how much human effort went into this particular work.

While the researcher did independently identify Issues 2 and 3, I do not think those reports provided much additional value to the project, since both issues were already known to us and actively being fixed at the time. I do believe the initial message regarding Issue 1 was valuable, because it helped direct us toward an issue that we confirmed and fixed.

In total, the researcher is asking for approximately 14k USD / 400 Dash. Annualized, that would be roughly equivalent to an 85k USD full-time salary. I do not think paying this amount is strictly necessary, but I also would not say it would be a complete waste. There is real value in encouraging responsible vulnerability disclosure.

Since v23.1.4, we have also shipped v23.1.7, which fixed a number of high and critical severity issues. Most of those were found by core developers, and at least one was found by a different external security researcher.

Overall, I do believe some compensation for responsibly disclosed vulnerabilities is valuable. However, for the past few months, DCG had inactivated its bug bounty program due to the volume of improper or low-quality submissions. As a result, submitting a proposal is currently the only practical option available to people who believe they have earned compensation for vulnerability research.
Reply
0 points,1 hour ago
Hi Pasta, thanks for the feedback.

I have reviewed the code without having previous knownledge about the private fixes or any internal review. As an external researcher/individual this matters. Issue 1 was I believe directly prompted by an engineer through the 2 tx stage attack provided in the discord chat allowing codex to follow the trail, which I think is too short to be considered as being independantly found. The other bugs might have been found ealier, but I can't assume such thing and I had to privately disclose them anyway as being unique bugs without prior knowledge.

To address the AI side. As of now, there's no single AI model that can guarentee a bug free codebase, it is an impossibility in fact. AI is becoming drastically efficient as "a tool", like you've clarified. Nonetheless some vulnerabilities will simply persist despite the amount of token that can be burnt. In fact the framing of "let's just trust AI" in this industry is very dangerous and could backfire. Unfortunately, there are many malicious threat actors some are state sponsored (Lazarus, etc) that have virtually unlimited ressources and incentive to spend time and money to achieve their end goal. Protocol like Thorchain are such example of dishonest and hostile team towards security researchers and bug bounty hunters - https://x.com/QED_Audit/status/2061635604840849728?s=20 which led to multiple exploits recently against their blockchain and native DEX - https://blog.thorchain.org/thorchain-exploit-report-1 .

However in the case of dash, I would understand the reasons behind the "bug bounty program" termination. AI slop has became a pain in the ass for honest protocols and security researchers. But ultimately, if the goal is to attract honest actors some sort of incentive has to remain to make sure the code is being reviewed by whitehats. There are some great talents out there that if incentivized would make sure to catch whatever is left. Ultimately the goal is improve the process and mitigate this AI slop spammers trend with automated tools. These critical security contribution, are crucial for this ecosystem (network, users, MN, etc) legit security researcher deserves to be compensented according to their contribution.

Personally, I have directlty reported 3 critical and 1 low severity vulnerability all ended up being valid which demonstrates a 4/4 valid ratio and 100% accuracy, regardless of what could have been found internally these issues were live during years and exploitable on mainnet.

Regarding the proposal, I'm requesting a simple compensation for the security contribution. And in fact, the reason I have requested a 2 times budget was to allocate more time reviewing dash core implementation and directly privately disclose the finding with no "bug bounty request". Having proved my valid ratio, I believe it's a win win proposal for the whole network.
Reply