Mean Finance: what happens after a vulnerability?
In this article we will be talking about the next steps after the last weekend’s incident. In case you've missed it, you can get up to speed reading the full write-up.
Mean Finance is paused: so, what happens now?
Well, as you might have realized, Mean is currently paused. This means that deposits are no longer allowed, and swaps cannot be executed anymore. Users can still withdraw all their funds though. Withdraws cannot be paused by design.
Now, it’s important to mention that, for security reasons, we decided to make Mean’s code immutable. This means that a new version will need to be created, re-deployed and users will need to migrate their remaining positions. We can’t do that for you.
In the meantime, you will go back to the sad old days when you had to DCA manually 😢
When will I be able to DCA again?
This incident has taught us quite a lot. First, audits firms are not enough. We had hired two different audits, and none of them had reported any critical issues. We then set up an ImmuneFi bug bounty and we got a critical vulnerability reported in less than 3 days…
We’ve also realized what an amazing community we have. The feedback we got from you all has been amazing and full of encouragement. Some of you even offered to help with the vulnerability fix ❤️
So even though we we would love to deploy the fix tomorrow and keep DCA-ing for all of you, we can’t do that in good consciousness. Our plan is to post the patched version into bug-bounty / auditing platforms like Code4rena and ImmuneFi as soon as possible, and give white hat hackers and auditors a few weeks to find any new vulnerabilities and report them.
After implementing fixes reported in the bug bounties (if there are any), we will be READY TO DEPLOY 🚀
For those with anxious hearts, we will of course be posting regular updates on how these bounties go.
But wait, one more thing …
For those who yield, infinite upside awaits