
I found it interesting that the patch was apparently published before it was exploited: https://twitter.com/kelvinfichter/status/1489050921938132996



I wonder how their deployment system works. They should probably be deploying security patches before they land in a public repo.

Also, if it auto deploys from a git repo, then you just need a committer's git keys to exploit it. Having code auditing and multisig git tags has to be rare.


Doesn't it have to land in a public repo before it can be patched?

Somebody else is going to run that code publicly, and each person who runs it will find out about the patch with some time delay.


> Doesn't it have to land in a public repo before it can be patched?

No, they could have patched the contract before publishing the commit on GitHub. Granted, an attacker could watch the chain for such "contract upgrade" transactions and attempt to front-run it, but that would be a lot harder than just discovering undeployed security patches on GitHub.


If it's a library normally you'd share a security patch with important customers privately, if they're otherwise going to lose $300 million. I thought this was the service's own repo though.


Smart contracts always have their source openly available on the chain, so it's not that easy.


But that's also the executable form of it - just patch it first, and then people can't hack it when they see fixes land in the +1 release somewhere else.


I could be wrong, but I believe only the compiled machine code is on-chain; you don't have to publish the source.

This just happens to be a project that does.
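The two points above (patch the chain before pushing the commit; only bytecode is on-chain, source is optional) both reduce to one check: comparing locally compiled runtime bytecode against what the chain actually runs. Below is an added example of that comparison, not code from the thread or from any project discussed in it. It assumes the solc metadata trailer layout used by 0.6+ (a CBOR map with "ipfs" and "solc" keys followed by a two-byte length), which has to be stripped because it changes with source paths and the metadata hash even when the code is identical. All bytecode is constructed for illustration and is not a real contract.

```python
# Added example, not code from the thread or from any project discussed in it.
# Only runtime bytecode lives on-chain; "verified source" is an off-chain check:
# recompile, strip the solc metadata trailer (which changes with source paths
# and the IPFS hash of the metadata JSON), and compare what remains.
# The deployment-order rule from the thread falls out of the same comparison:
# a fix commit is safe to publish only once the chain already runs it.
# All bytecode below is constructed for illustration, not a real contract.

import hashlib


def cbor_metadata_trailer(ipfs_hash32: bytes, solc_version: bytes) -> bytes:
    """Build the CBOR map solc (0.6+ layout, assumed here) appends to runtime code:
    {"ipfs": <34-byte multihash>, "solc": <3 bytes>}, followed by the 2-byte
    big-endian length of that map."""
    assert len(ipfs_hash32) == 32 and len(solc_version) == 3
    cbor = (
        b"\xa2"                                    # map with 2 entries
        + b"\x64ipfs"                              # text(4) "ipfs"
        + b"\x58\x22" + b"\x12\x20" + ipfs_hash32  # bytes(34): sha2-256 multihash
        + b"\x64solc"                              # text(4) "solc"
        + b"\x43" + solc_version                   # bytes(3): major, minor, patch
    )
    return cbor + len(cbor).to_bytes(2, "big")


def strip_metadata(runtime_code: bytes) -> bytes:
    """Drop the trailing CBOR metadata if the length suffix is plausible;
    otherwise return the code unchanged (pre-metadata or hand-written bytecode)."""
    if len(runtime_code) < 2:
        return runtime_code
    n = int.from_bytes(runtime_code[-2:], "big")
    if n == 0 or n + 2 > len(runtime_code):
        return runtime_code
    trailer = runtime_code[-(n + 2):-2]
    # solc's trailer is a small CBOR map (0xa0..0xb7 encode maps of 0..23 entries)
    if not (0xA0 <= trailer[0] <= 0xB7):
        return runtime_code
    return runtime_code[:-(n + 2)]


def same_contract(onchain_code: bytes, local_code: bytes) -> bool:
    """True when the two runtime bytecodes agree everywhere except the metadata trailer."""
    return strip_metadata(onchain_code) == strip_metadata(local_code)


def publish_allowed(onchain_code: bytes, fixed_local_code: bytes) -> bool:
    """Gate for pushing a security fix to a public repo: allow only if the chain
    already runs the fixed bytecode, so readers of the diff find nothing to exploit."""
    return same_contract(onchain_code, fixed_local_code)


# --- constructed sample data (hypothetical, not a real contract) ---
VULNERABLE_BODY = bytes.fromhex("6080604052348015600f57600080fd5b50")  # placeholder prologue
FIXED_BODY = VULNERABLE_BODY + bytes.fromhex("3373")                   # pretend the fix adds a check


def build(body: bytes, source_label: bytes, version: bytes = b"\x00\x08\x11") -> bytes:
    # Different source paths/comments change the metadata hash, not the code.
    return body + cbor_metadata_trailer(hashlib.sha256(source_label).digest(), version)


ONCHAIN_VULNERABLE = build(VULNERABLE_BODY, b"src/Bridge.sol@release")
LOCAL_VULNERABLE = build(VULNERABLE_BODY, b"/home/dev/src/Bridge.sol")  # same code, other path
ONCHAIN_FIXED = build(FIXED_BODY, b"src/Bridge.sol@release-fix")
LOCAL_FIXED = build(FIXED_BODY, b"/home/dev/src/Bridge.sol#fix")

if __name__ == "__main__":
    print("trailer length:", len(ONCHAIN_VULNERABLE) - len(VULNERABLE_BODY))
    print("source verifies despite path diff:", same_contract(ONCHAIN_VULNERABLE, LOCAL_VULNERABLE))
    print("safe to push fix while chain is vulnerable:", publish_allowed(ONCHAIN_VULNERABLE, LOCAL_FIXED))
    print("safe to push fix after upgrade:", publish_allowed(ONCHAIN_FIXED, LOCAL_FIXED))
```

In a real pipeline `onchain_code` comes from `eth_getCode` against the proxy's implementation address and `local_code` from the compiler's `deployedBytecode` output; contracts with immutables or linked libraries need those slots masked before comparing, and pre-0.6 compilers used a "bzzr0" key instead of "ipfs". The `publish_allowed` gate is the thread's ordering rule as a pre-push check: if it returns False, the fix is not yet live and pushing the commit hands the diff to anyone watching the repo.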


Yeah, that definitely smells like someone was watching the commits for a security patch so that they could exploit it quickly before it deploys.



