by 8note 1592 days ago
Doesn't it have to land in a public repo before it can be patched?

Somebody else is going to run that code publicly, and each person who runs it will find out about the patch with some time delay

> Doesn't it have to land in a public repo before it can be patched?

No, they could have patched the contract before publishing the commit on GitHub. Granted, an attacker could watch the chain for such "contract upgrade" transactions and attempt to front-run it, but that would be a lot harder than just discovering undeployed security patches on GitHub.

If it's a library normally you'd share a security patch with important customers privately, if they're otherwise going to lose $300 million. I thought this was the service's own repo though.

Smart Contracts always have their source openly available on the chain, so it's not that easy.

But that's also the executable form of it - just patch it first, and then people can't hack it when they see fixes land in the +1 release somewhere else.

I could be wrong, but I believe only the compiled machine code is on-chain; you don't have to publish the source.

This just happens to be a project that does.