Hacks remain common in the crypto space, with over $320 million in digital assets lost in the first quarter of 2023. However, recent hacks have proven that some exploiters are willing to return assets in exchange for a prize, a process that some describe as a bug-bounty program with a criminal twist.
In April alone, there were at least three incidents of hackers returning exploited funds in the decentralized finance (DeFi) space. On April 4, the Euler Finance team was able to recover $176.4 million after offering the hacker 10% of the stolen funds.
Similarly, lending protocol Sentiment was able to recover almost $1 million in stolen funds after negotiating with its hacker. More recently, the attacker who was able to take $8.9 million from DeFi protocol SafeMoon agreed to return 80% of the funds.
While the recent hacks could’ve theoretically been avoided through safe and profitable bug-bounty programs, they may be a result of bounty offers not being worth it from the perspective of a white hat or ethical hacker.
Steven Walbroehl, the co-founder of security firm Halborn, said that it’s very common for companies to refuse to pay out bug bounties and not take vulnerabilities reported very seriously. As a former bounty hunter, Walbroehl said that some bounty programs have left him “feeling cheated” out of his time. He explained:
“Putting yourself in the shoes of a researcher, if you find an exploit that can create millions of dollars in stolen funds, but the developer is only offering a $5,000 reward, it can create a disproportionate amount of incentive to not take the bounty.”
Walbroehl also said that companies would often downplay the discoveries, saying that the bugs were not critical. Reporting bugs also sometimes leads to companies not paying up, claiming that their team has already located the bug by themselves, according to Walbroehl.
Simon Zhu, the senior product director at blockchain security firm CertiK, said platforms really need to create programs that are safe and profitable for developers. While having funds returned is a win, Zhu told Cointelegraph that this would not be a welcome trend, as attackers are essentially holding the funds hostage. Zhu explained:
“White hat bug-bounty programs are clearly preferable here. Platforms that do not offer a bug-bounty program allowing for the safe and profitable disclosure of vulnerabilities may find themselves paying a much higher price.”
In addition, Zhu also urged projects to change their line of thinking when it comes to vulnerabilities. According to the cybersecurity executive, some developer teams tend to ignore minor bugs when the costs of fixing the bug are high or when the smart contract becomes more complex to modify after the bug gets fixed.
However, the CertiK executive highlighted that in Web3, a minor vulnerability can become a major one overnight. “Playing chicken with user deposits is not a responsible long-term approach to security,” Zhu added.