This morning I was thinking in more detail about the current exclusion rules in OpenZeppelin's Bug Bounty Program. There are two items I would like to discuss in more detail and gather feedback on. Currently, the following two items are excluded from the bug bounty program:
- Incorrect data supplied by third party oracles (not to exclude oracle manipulation/flash loan attacks)
- Basic economic governance attacks (e.g. 51% attack)
While I do understand why those are currently excluded, I still think we should incentivise the community to research these (economic) attack vectors, since they can potentially have a material impact on smart contract design patterns. For instance, oracle extractable value (OEV) can also become a critical pillar.
It could most probably make sense to launch a separate, more R&D-related bug bounty program for more general economic attack vectors. This is relevant not only for OpenZeppelin but for the entire ecosystem, in particular if we expand the scope beyond just Ethereum and cross-chain economic attacks become possible (i.e. cross-chain arbitrage).
Let me know what you think about it!