Ignored bounty disclosure
Stake DAO's assessment for RD-F-008 — scored green on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
There is no post-mortem evidence of a disclosed vulnerability that was reported and then ignored before exploit. The Nov 2023 sdCAKE incident (~$4K) was an implementation error (wrong LiquidityGauge deployed), not a received-but-ignored disclosure. The March 2026 Votemarket peripheral oracle exploit ($176K) was patched promptly with treasury reimbursement. The Votemarket whitehat report was paid as a bounty. There is no ignored-disclosure pattern.
Sources
- GitHub: Stake DAO Security Disclosure Nov 2023. sdCAKE disclosure 2023-11-29 — implementation-error, not disclosure-ignored. Retrieved 2026-05-16.
- Stake DAO Votemarket Exploit Announcement. Votemarket oracle exploit March 2026 — patched same-day, treasury reimbursement. Retrieved 2026-05-16.
Methodology
Determine whether any prior post-mortem documents a disclosed vulnerability that was reported to the team and not actioned before exploit.