Thursday, May 2, 2024
A silent security scandal or dying profession? DeFi Bug Bounty Wall of Shame has millions in unpaid bounties

Lack of accountability in DeFi bug bounty programs amplifies the need for transparency and trust.
Cover art/illustration via CryptoSlate
The crypto community is grappling with issues surrounding bug bounty programs, a crucial mechanism for discovering and addressing system vulnerabilities.
Usmann Khan, a web3 security auditor, posted on Aug. 17, “Remember that projects can simply not pay, whitehat,” along with a screenshot of a message from Immunefi indicating that a project had been removed from its bug bounty program for failing to pay a minimum of $500,000 in bounties.
In response, security researcher Marc Weiss shared the ‘Bug Bounty Wall of Shame’ (BBWoS), a list documenting unpaid rewards allegedly owed to white hat hackers in web3. The data from BBWoS appears to signal a significant lack of accountability and trust within the crypto ecosystem that cannot be ignored.
The BBWoS indicates that the bug bounty for the Arbitrum exploit of Sep. 2022 carried a $2 million reward. Yet the white hat was awarded just $780,000 for identifying an exploit that exposed over $680 million.
Further, BBWoS states the CRV borrowing/lending exploit on Aave from Nov. 2022 led to the loss of $1.5 million, with $40 million at risk, and no bounty was paid to the white hat who identified the attack path “days before.”
Lastly, in April this year, just $500 was paid to a white hat who reportedly identified a way for managers to steal up to $14 million worth of “tokens from users using malicious swap paths” after being told by dHEDGE that the issue was “well-known.”
The list was created by whitehat hackers “tired of spending sleepless nights finding bugs in protocols only to have a payout of $500 when the economic damage totals in the millions,” with the creator stating,
“I created this leaderboard to help inform the security community as to the projects that don’t take security seriously so we can avoid them and spend time on the projects that do.”
In his presentation at the DeFi Security Summit in July, Weiss highlighted auditors’ critical role at various stages of protocol development. By integrating auditors and researchers in-house, he stressed their potential to make insightful architectural decisions, design effective codebases, and adopt a security-focused approach to protocol development.
Consequently, it is concerning when platforms fail to acknowledge and adequately reward the efforts of these security professionals when working on a contract basis.
Auditors Gogo and MiloTruck highlighted that non-payment for identified vulnerabilities is a widespread issue. Their posts underscore the urgent need for these platforms to enhance their accountability and trustworthiness and ensure due recognition for white hat hackers.
More transparency is required in handling vulnerabilities. High-profile cases listed on BBWoS, like the compromised deposit contract of Arbitrum, the economic exploit of Aave, and the malicious swap paths in dHEDGE, amplify this need.
In response to Weiss’s concerns about trust, Danny Ki from Super Protocol emphasized the potential of “decentralized confidential computing” to bolster trust in Web3 projects and mitigate vulnerabilities. Ki is referring to the option of running DeFi in Trusted Execution Environments (TEEs), something inherent in Super Protocol.
A TEE is a secure area of a processor that guarantees the confidentiality and integrity of the code and data loaded inside it. However, one disadvantage of using TEEs within DeFi dApps is the reliance on proprietary architectures from centralized companies such as Intel, AMD, and ARM. There are efforts in the open-source community to develop open standards and implementations for TEEs, such as the Open-TEE and OP-TEE projects.
Ki argues that should “Web3 projects operate within confidential enclaves, there may be no need to pay out for vulnerabilities, as the security will be inherently fortified.”
While a fusion of blockchain and confidential computing could provide a formidable security layer for future projects, the move to replace bug bounties and security auditors with TEEs seems complex, to say the least.
Still, there are additional concerns for white hat hackers, such as improper bug disclosures from security firms on social media. A post from Peckshield identifying a bug in July simply said, “Hi @JPEGd_69, you may want to take a look,” with a link to an Ethereum transaction.
Gogo lambasted the post, stating, “If this vulnerability were responsibly disclosed instead of exploited, PEGd’s users wouldn’t have lost $11 million, no reputational damage would have been caused, the guy would have gotten a solid bug bounty instead of being front-run by an MEV bot.”
Gogo shared their bug bounty experience with Immunefi, a company they described as ‘beyond fantastic,’ where the payout required a mediation process, eventually leading to a satisfactory payout of $5k for a critical bug.
These insights from the web3 security community underscore the critical role of auditors and the importance of effective bug bounty programs to the crypto ecosystem’s security, trust, and growth.
As some have pointed out, hacks are covered extensively in the news and on X, but what about those who discover the exploits and are never adequately compensated? Nearly $2.5 million in allegedly unpaid bounties is listed on BBWoS alone. Yet, as Ki suggested, could the future hold a web3 that is innately secure, with no need for bounties?
Also known as “Akiba,” Liam is a reporter, editor and podcast producer at CryptoSlate. He believes that decentralized technology has the potential to make widespread positive change.
Source: www.cryptoslate.com