As high-stakes cryptocurrency and blockchain projects proliferate and appreciate in value, it is no surprise that malicious actors stole $14 billion worth of cryptocurrencies in 2021 alone. The hectic pace of cryptocurrency thefts is continuing into 2022.
In January, thieves stole $30 million in currency from Crypto.com and $80 million in cryptocurrency from Qubit Finance. February kicked off with the second largest decentralized finance (DeFi) theft to date, when a hacker exploited a token exchange bridge in Wormhole to steal $320 million worth of Ethereum.
The biggest cryptocurrency hack to date occurred last August when blockchain interoperability project Poly Network suffered a hack that resulted in a loss of over $600 million. In an unusual move, Poly tried unsuccessfully to publicly negotiate a $500,000 “bug bounty” with the hacker after the theft in exchange for returning the $600 million, a bounty six times the amount usually offered in traditional cryptocurrency bug bounty programs.
$2 million paydays set the pace
With so much money at stake (at least $3 trillion by some calculations by the end of 2021), it’s also not surprising that bug bounties in the cryptocurrency sector are skyrocketing. A week ago, well-known white hat hacker Jay Freeman announced that he received a $2,000,042 bug bounty from the Ethereum Layer 2 scaling project Optimism for discovering a bug that would have allowed an attacker to print any amount of tokens.
Freeman isn’t the only one generating a $2 million payday from a cryptocurrency bounty. Gerhard Wagner reported a critical vulnerability affecting the Polygon Plasma Bridge last October, which put $850 million at risk, and collected a $2 million bounty. In December, another critical vulnerability in Polygon, putting $18 billion at risk, resulted in a $2 million bounty for white hat Leon Spacewalker. Both bounties were paid through the Web3 bug bounty platform Immunefi.
On the same day that Freeman’s bounty was released, Ethereum-based protocol MakerDAO announced a maximum $10 million reward via Immunefi for white hat hackers who flag legitimate security threats in its smart contracts.
What is a mistake worth?
With cryptocurrency bounties in the seven and eight figures, the pressure on traditional bug bounty programs to up the ante will no doubt increase, at least in the long term, as top hackers upgrade their skills to go where the money is. “Yes, there is financial competition for talent and data, and our category needs to respond,” Casey Ellis, Bugcrowd’s CTO and founder, told CSO. “Cryptocurrency companies could be the first to succinctly answer the question ‘What’s worth a mistake?’”
Ellis adds, “In traditional markets, iOS exploits can sell for upwards of $2 million, but typically to buyers who are far more difficult to deal with and who intend to keep these vulnerabilities alive for future use. Seeing a well-known and reputable jailbreaker move towards the relatively easy revenues offered by the cryptocurrency boom gives you an idea of where the vulnerability data market is headed.”
“Bounty size goes up in Web2 stuff regardless of what happens in crypto,” Immunefi founder and CEO Mitchell Amador told CSO. “Everyone and their dog are digitizing their infrastructure, workflows, business logic and operations. That’s an incredible increase in attack power in a relatively short amount of time.”
The meteoric rise in cryptocurrency bug bounties will not eliminate the need for traditional bug bounty hackers, says Amador. “It will not erode the existing error base. You have these legions of hackers who have developed very profitable specific skills to track specific vulnerabilities. They will just keep going about their business.”
The best hackers will migrate to the crypto space
What could happen is that the best hackers migrate to the crypto space. “People want to crack the toughest problems in the hacking community,” says Amador. “You get a lot of prestige, a lot of influence because you can do something that no one else could. You can prove that you are the best.”
The challenge of cracking the most complex problems with the massive payouts could prove irresistible to top talent. “We’ve combined some of the toughest technical challenges in crypto along with by far the biggest payouts. It will dramatically accelerate the rate at which this top tier, this top 10% of the hacking community is migrating to crypto. You have to be an exceptionally talented person with years of education and experience to tackle these issues.”
Long-term upside pressure ‘very, very likely’
Dane Sherrets, solution architect at HackerOne, who also runs bug bounties on the side, tells CSO, “I don’t expect any real upside pressure in the near term [as a result of the rising crypto bug bounties] but very, very likely in the long run.”
Sherrets thinks it’s important to understand why these bug bounties are so high for smart contract projects. “There is a real need for meaningful payout. Since MakerDAO has a $10 million bounty on its head, there are billions locked up, so that’s a drop in the bucket. It becomes like a marketing initiative. The bounties are so high because a strong security posture must actually exist and the strong security posture needs to be projected to engage more users. It just makes sense as it relates to how much money is in these smart contracts.”
Traditional hackers need to retool for the crypto market
According to Sherrets, the hackers who typically participate in traditional bug bounty programs currently lack the skills needed to participate in cryptocurrency bug bounty programs. These white hat hackers need to retool their standard IT skills and learn more about cryptocurrency. “I could be one of the best web hackers in the world, but if I don’t know how an automated market maker [a part of decentralized exchanges introduced to remove any intermediaries in the trading of cryptocurrency assets] works, if I don’t understand that as a hacker, I won’t be able to find ways to exploit that,” says Sherrets.
The bounties could reach hundreds of millions of dollars
For these reasons, it will take bug bounty hunters in the traditional space at least two years to get up to speed to where they can make serious money in the crypto world. “There’s more of a learning curve than hackers just saying, ‘Okay, I want to hack Web 3.0 today,’” says Sherrets.
In the long term, “if you accept the premise that this is the future, you’re going to see a lot more people going straight into it,” says Sherrets. That’s when traditional bug bounty programs will really feel the pressure to increase their payouts to attract talented hackers.
Additionally, long-established internet companies will integrate more smart contracts and blockchain technologies into their offerings, which will spur even more hackers to enter the Web3 world. Already today, TikTok, Twitter, GameStop, and other leading technology companies are embedding Web3 capabilities such as non-fungible tokens (NFTs) into their services.
“The size of this market is basically untapped,” says Amador. “One has to consider that MakerDAO has $15 to $20 billion in its contracts today, a truly massive amount of capital, more than many countries have in their banks. Consequently, the incentive to protect is extremely high. There’s no reason to believe bug bounties won’t be in the hundreds of millions of dollars.”
Copyright © 2022 IDG Communications, Inc.