Good companies use bounties as yet another security layer - after doing everything else, add a bug bounty!
Almost all crypto bug bounties run through Immunefi. [1] There are lots of > one million dollar bounties. You can see SEI's current bounty page here.[2] The company I work for (a different company) has a one million dollar bounty listed on immunefi.com and a median response time of six hours.
I have the opposite conclusion there: crypto organization sponsored bug bounties are far more accurately valued than Web 2.0's arbitrary adversarial bug bounties, and have attracted tons of developer talent to crypto bug bounties and the crypto ecosystem as a whole.
And yet: "Both issues were caught after the code had been audited, merged, and slated for release"
I wonder who did those audits?
[1] https://bittrap.com/resources/defis-growing-pains:-as-tvl-ra...
2. How extensive is your background in networking, blockchain programming and pen testing?
3. How many other bounties did you commit recon time to before the two successful disclosures?
2. I am a very experienced security researcher/pentester/whatever we want to call it, specifically in the blockchain niche. I'm OK at the other stuff (reversing, cryptography, web, mobile, etc). Networking probably alright? I'm comfortable saying I have a good mind for security and a wide knowledge of the basics in many fields, then a very deep knowledge of a select few areas.
3. Idk, a lot! Upwards of 20 for sure.
2. From your other comments elsewhere in this thread, it sounds like you are a full-time bounty hunter, correct?
2. Well, I'm currently not employed full time and I do spend a lot of time bounty hunting. But I mix it in with other things as well, like competitive security reviews on https://sherlock.xyz or https://cantina.xyz and private contracted security reviews.
There's an unofficial project that tracks bounty programs, you can see the change here: https://github.com/infosec-us-team/Immunefi-Bug-Bounty-Progr...
You can check Immunefi's Bounty-Board for reference, currently paying up to $15M per find.
Another good source is rekt.news, which writes post-mortems about all the DeFi hacks and keeps its own leaderboard, $624M for #1.
So it is $2 million x probability payment vs $100 million x probability escape without getting caught.
Even with the threat of non-payment, not sure I could ever feel at ease with a multimillion bounty hanging over my head.
I am not making a judgement about this specific case.
This bounty prize is the equivalent of finding a Chrome zero day bug or an iPhone zero day RCE jailbreak. There are lots of >$1M bug bounties in crypto.
The question is, would you rather target Chrome/Safari or iPhones and find and chain-up 5 - 10 zero days for $1M+ or target crypto projects instead for $2M per project?
You're really missing out.
Having the iPhone bug and the accompanying conference talk and blog post will allow you to get hired by nearly any good security or tech company. No one cares about blockchain bugs except other crypto companies. When I and a bunch of other Coinbase engineers were looking for jobs we were looked down on for even working in crypto. And we weren't even on the blockchain team! Just regular engineers.
I myself have dedicated a couple of months to testing Gnosis and Curve, which each have $2 million bounties, but turned up short. Last year I switched to ML-based fuzzing research and was able to speak at DEF CON and got crazy offers after publication.
Vendor bounties for these kinds of vulnerabilities are going to tend to be sharply lower than this crypto bounty, which was for a directly monetizable vulnerability. But there's a lot going into that vendor bounty price point.
This is actually why "proof of stake" blockchains are fundamentally flawed. They only make sense if the value of the system is denominated in the currency of the system. It's self referential and prone to negative feedback loops. They are secure because the token is expensive, the token is expensive because it provides a secure platform. Short the token, take a loan out, compromise the security, tank the value, profit. All the mechanisms to prevent that are built into the system, like delaying the validator pool entry, but the only real backstop is a hard fork and spinning up a new copy.
It seems like it might be worth the gamble of taking 3-6 months off work to discover a bug of that size.
https://blog.sei.io/bug-bounty/
> Where does one go about discovering bug bounties of this size?
- SECURITY.txt for individual projects.
- https://immunefi.com for blockchain in general.
- BugCrowd and HackerOne for wider tech.
I'm an infrastructure engineer though and may not be the best person to answer.
> It seems like it might be worth the gamble of taking 3-6 months off work to discover a bug of that size.
https://www.hackerone.com/ethical-hacker/meet-six-hackers-ma...
Note: I work at a foundation for another blockchain. This doesn't affect anything I wrote above, just disclosing potential CoI.
You're right though that it's a lot of risk. It's not something that most of the leaderboard works full time on, though some of us do. The immunefi homepage has a list of all the bounties on offer.
I have always wondered why the payouts at the trillion dollar corps are capped at such low figures. It appears to be a $75k max at MS and a $100k max at Apple. Meanwhile shady 3rd party groups will pay you 10x that, won't they?
The major parties to this market are aware of each other and are calibrating against each other; Apple and Google aren't blowing this off. It's complicated and counterintuitive in a bunch of ways.
"Payouts are handled by the Sei Foundation team directly and are denominated in USD. However, payments are done in SEI." [1]
The other part of my comment is correct according to the various Immunefi listings. Again, I could be incorrect if they do something differently behind closed doors.
> Cosmos uses Go panics for error handling. Transaction runs out of gas? panic. Try to spend more coins than you have? panic. Invalid inputs? panic.
> ...
> For safety, later on the panic was removed entirely.
Next time someone suggests using panics as exceptions in Go... I'm going to point them at a nice $75k reason not to do that.
You can issue a command to transfer currency from your account to somebody else's, as that is a primary use case of a cryptocurrency. There was a code path where you could send someone a negative amount of the currency and it would happily pay them a negative amount of currency and charge you a negative amount of currency, thus transferring their account balance to yours against their will.
There were several transfer paths and I think not all of them were vulnerable, but only one has to be. There's a bit of indirection that made it somewhat less obvious than my description makes it sound, though it amounts to the same thing in the end.
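The negative-amount transfer described in the comments above, as an added example that is not code from the thread, from Cosmos, or from Sei. It uses a constructed in-memory ledger with invented account names ("attacker", "victim", "whale") and plain int64 balances. TransferUnchecked has the shape of the bug: the arithmetic is internally consistent, so a negative amount quietly moves the recipient's balance to the sender. Transfer is the hardened form: every precondition (sign, self-transfer, funds, overflow) is checked up front and returned as an ordinary error value rather than a panic, so a later "remove the panic" clean-up cannot silently delete the check.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// Ledger is a toy, in-memory balance table constructed for this example.
// It is not Cosmos SDK or Sei code; account names are invented.
type Ledger struct {
	balances map[string]int64
}

func NewLedger(initial map[string]int64) *Ledger {
	l := &Ledger{balances: make(map[string]int64, len(initial))}
	for addr, bal := range initial {
		l.balances[addr] = bal
	}
	return l
}

func (l *Ledger) Balance(addr string) int64 { return l.balances[addr] }

// TransferUnchecked reproduces the shape of the bug from the thread: there is
// no sign check on amount, so amount = -1000 "charges" the sender -1000 and
// "pays" the recipient -1000, i.e. it drains the recipient into the sender.
func (l *Ledger) TransferUnchecked(from, to string, amount int64) {
	l.balances[from] -= amount
	l.balances[to] += amount
}

var (
	ErrNonPositiveAmount = errors.New("amount must be positive")
	ErrSelfTransfer      = errors.New("sender and recipient are the same")
	ErrInsufficientFunds = errors.New("insufficient funds")
	ErrOverflow          = errors.New("recipient balance would overflow")
)

// Transfer is the hardened form. All checks run before any state is touched,
// so a rejected transfer is a no-op, and failures are error values rather
// than panics: callers must handle them, and nothing is left to a recover().
func (l *Ledger) Transfer(from, to string, amount int64) error {
	if amount <= 0 {
		return fmt.Errorf("transfer %s -> %s of %d: %w", from, to, amount, ErrNonPositiveAmount)
	}
	if from == to {
		return fmt.Errorf("transfer %s -> %s: %w", from, to, ErrSelfTransfer)
	}
	fromBal := l.balances[from]
	if fromBal < amount {
		return fmt.Errorf("transfer %s -> %s of %d (balance %d): %w", from, to, amount, fromBal, ErrInsufficientFunds)
	}
	toBal := l.balances[to]
	if toBal > math.MaxInt64-amount { // amount > 0 here, so this cannot underflow
		return fmt.Errorf("transfer %s -> %s of %d: %w", from, to, amount, ErrOverflow)
	}
	l.balances[from] = fromBal - amount
	l.balances[to] = toBal + amount
	return nil
}

func main() {
	// Constructed starting state: attacker holds nothing, victim holds 1000.
	l := NewLedger(map[string]int64{"attacker": 0, "victim": 1000})
	l.TransferUnchecked("attacker", "victim", -1000)
	fmt.Println("unchecked negative transfer:", l.Balance("attacker"), l.Balance("victim"))

	l = NewLedger(map[string]int64{"attacker": 0, "victim": 1000})
	if err := l.Transfer("attacker", "victim", -1000); err != nil {
		fmt.Println("hardened transfer rejected:", err)
	}
	fmt.Println("balances unchanged:", l.Balance("attacker"), l.Balance("victim"))
}
```

Running it prints the drained victim balance after the unchecked call and the rejection from the hardened call. The point of the overflow check is the same as the sign check: a transfer routine should reject anything that makes the ledger's arithmetic lie, and it should do so with a return value the caller is forced to look at.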
This is a bug I remember from the Apple II game "Taipan" (in which you play an 1800s opium-and-silk trader in East Asia). You could borrow negative amounts of money from a lender who charges extremely high interest. As a result, the lender would quickly end up owing you tremendous sums, without your having to do anything else. Wikipedia mentions this:
> Note: A bug in the original game allows the player to overpay the moneylender, acquiring "negative debt". This "negative debt" will accumulate interest very quickly, and will count towards the player's net worth. As the game's vocabulary of number words ends at "trillion", this can cause the game to display garbage instead of the player's correct net worth. This has been fixed in the online "for browsers" version of the game.
Well, I guess anything can be a currency, but it's too misleading even though that was by design.
If it's designed to be a stock then it should be called that. Poker chips? In-game currency? Money laundering token? Reward points? Purchase receipt? JPEG? I just think it would help.