diff --git a/README.md b/README.md index 41111059..7abb5f6f 100644 --- a/README.md +++ b/README.md @@ -106,7 +106,7 @@ Ensure you are downloading the most updated MEV-Boost release. Releases are avai clone the repository and build it: ```bash -# By default, the develop branch includes ongoing merged PRs a future release. +# By default, the develop branch includes ongoing merged PRs for a future release. git clone https://github.com/flashbots/mev-boost.git cd mev-boost diff --git a/SECURITY.md b/SECURITY.md index 69c04082..33c767d2 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -29,9 +29,9 @@ the team will work on a fix. ## Bug Bounty Program -To incentive bug reports, there is a bug bounty program. You can receive a +To incentivize bug reports, there is a bug bounty program. You can receive a bounty (up to $25k USD) depending on the bug's severity. Severity is based on -impact and likelihood. If a bug is high impact but low likelihood, it will have +impact and likelihood. If a bug has a high impact but low likelihood, it will have a lower severity than a bug with a high impact and high likelihood. | Severity | Maximum | Example | diff --git a/docs/audit-20220620.md b/docs/audit-20220620.md index 39a7b630..48293ff0 100644 --- a/docs/audit-20220620.md +++ b/docs/audit-20220620.md 
@@ -118,9 +118,9 @@ Consider clearly documenting the expected behavior of the bls client library, th *Update: Fixed in [PR210](https://github.com/flashbots/mev-boost/pull/210)* -Even though MEV-Boost has a command line flag to set the timeout settings for the `http.Client` and that the default value is a "safe" value of two seconds, it is possible that a user sets this value to 0, disabling the client timeout and opening the door to being attacked by a malicious relayer that stalls the communication. +Even though MEV-Boost has a command line flag to set the timeout settings for the `http.Client` and the default value is a "safe" value of two seconds, it is possible that a user sets this value to 0, disabling the client timeout and opening the door to being attacked by a malicious relayer that stalls the communication. -This is specially important during [`handleGetHeader` function execution](https://github.com/flashbots/mev-boost/blob/9a701c1b4d625d2e7f83fef2971af54ca856facd/server/service.go#L233) as any of the relayers can [block the execution](https://github.com/flashbots/mev-boost/blob/c47fa3e4739cc858ce0eabbf31a2131fce96fbf6/server/service.go#L298) until every single request to the different relayers return. +This is especially important during [`handleGetHeader` function execution](https://github.com/flashbots/mev-boost/blob/9a701c1b4d625d2e7f83fef2971af54ca856facd/server/service.go#L233) as any of the relayers can [block the execution](https://github.com/flashbots/mev-boost/blob/c47fa3e4739cc858ce0eabbf31a2131fce96fbf6/server/service.go#L298) until every single request to the different relayers return. Given the [proposer boost](https://ethresear.ch/t/change-fork-choice-rule-to-mitigate-balancing-and-reorging-attacks/11127), it is recommended for validators to include the block before 4 seconds into the slot or they will be probably be reorganized out of the canonical chain.
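Review bot: the `+This is especially important …` line in the docs/audit-20220620.md hunk fixes "specially" but leaves a subject-verb disagreement in its unchanged tail: "until every single request to the different relayers return" should read "returns", since the subject is the singular "every single request". The trailing context line of the same hunk also carries a doubled auxiliary, "they will be probably be reorganized out of the canonical chain", which should be "they will probably be reorganized"; as this PR is already a copy-edit pass over the audit notes, both corrections belong in this hunk.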