Hacks remain common in the crypto space, with over $320 million in digital assets lost in the first quarter of 2023. However, recent hacks proved that some exploiters are willing to return assets in exchange for a prize, a process that some describe as a bug bounty program with a criminal twist.
In April alone, at least three incidents of hackers returning exploited funds were witnessed in the decentralized finance (DeFi) space. On April 4, the Euler Finance team was able to recover $176.4 million after offering the hacker 10% of the stolen funds.
Similarly, lending protocol Sentiment was also able to recover almost a million dollars in stolen funds after negotiating with the hacker. More recently, the attacker who was able to take $8.9 million from the DeFi protocol SafeMoon agreed to return 80% of the funds.
While the recent hacks could’ve been avoided through safe and profitable bug bounty programs, it may be a result of bounty offers not being worth it from the perspective of a white hat or ethical hacker.
Steven Walbroehl, the co-founder of security firm Halborn, said that it’s very common for companies to refuse to pay out bug bounties and not take vulnerabilities reported very seriously. As a former bounty hunter, Walbroehl said that some bounty programs have sometimes left him “feeling cheated” out of his time. He explained that:
“Putting yourself in the shoes of a researcher, if you find an exploit that can create millions of dollars in stolen funds, but the developer is only offering a $5,000 reward, it can create a disproportionate amount of incentive to not take the bounty.”
Walbroehl also said that companies would often downplay the discoveries, saying that the bugs are not critical. Reporting bugs also sometimes leads to companies not paying up, claiming that their team has already located the bug by themselves according to Walbroehl.
Simon Zhu, the senior product director at blockchain security firm CertiK, said platforms really need to create programs that are safe and profitable for developers. While having funds returned is a win, Zhu told this would not be a welcome trend, as attackers are essentially holding the funds hostage. Zhu explained that:
“White hat bug bounty programs are clearly preferable here. Platforms that do not offer a bug bounty program allowing for the safe and profitable disclosure of vulnerabilities may find themselves paying a much higher price.”
In addition, Zhu also urged projects to change their line of thinking when it comes to vulnerabilities. According to the cybersecurity executive, some developer teams tend to ignore minor bugs when the costs of fixing the bug are high or when the smart contract becomes more complex to modify after the bug gets fixed.
However, the CertiK executive highlighted that in Web3, a minor vulnerability can become a major one overnight. “Playing chicken with user deposits is not a responsible long-term approach to security,” Zhu added.