In 2021 hackers made off with $14 Billion in cryptocurrency, double the 2020 figures of $7 billion. 2022 will be no different. DeFi platforms seem to have as much foundation as a Jenga game. Pull the right wooden block out, and everything might collapse. Bugs in code are widespread. Smart contracts complicate this as they can hold valuable crypto assets and are immutable. “Every crypto project is just a bug bounty project in disguise.” Duncan Townsend, CTO at Immunefi. One error can cost millions if exploited. Auditing a smart contract and bug bounty programs help mitigate these risks.
Crowdsourcing project that compensates hackers for detecting and reporting software vulnerabilities. Bounty hunters are ethical programmers, “white hat” hackers who improve the platform’s security by uncovering flaws before malicious hackers do “black hat.” Bug bounties have been around since Netscape first offered a prize for finding security flaws in their Navigator. Bug bounty programs allow hackers to report vulnerabilities in a code without fear of criminal prosecution. It gives black hat hackers a legitimate route to earning clean money and can motivate them to turn into white hats.
There is a growing necessity for bug bounties as not all developers have the skills to detect bugs and vulnerabilities. Not every project can always afford an experienced security expert on its payroll. As a result, ethical hackers receive bounties for discovering any vulnerabilities fortifying the project.
Bug Bounty Setup
Projects should define the bounty program’s scope to eliminate confusion. Projects must clarify proof of hack and how they want to receive the information. Organizations should be open about the bounty and how much they allocate to a bug depending on its severity level.
Rewards need to be proportionate. A smart contract that controls $300 million can’t offer $10,000 for finding a critical vulnerability. Paying a bounty hunter to tell you about a vulnerability might cost less than paying to get back your funds from a hacker.
Not all cases end in fruitful negotiation, but hackers made off with $8,782,446 through flash loans on Crema Finance on July 2, 2022. In the end, the team negotiated with the hackers, and they returned the stolen fund minus a bounty of $1.7 million. It’s not a standard, but projects should consider 10% of funds at risk as an appropriate starting point for a bounty. Any lower and black hats may not feel the need to go legitimate.
Projects such as MakerDAO have announced bounties of $10 million and Olympus DAO $3.3 million; bounties this significant signal that these projects take security seriously and want to prevent monetary losses. They also generate substantial interest in their protocols after the announcement. It’s an important announcement as smart contracts are hacked every week for millions. Communities form around specific objectives, and a sizable reward program can bring the right people together to push for the project’s success rocketing it into the spotlight.
Bug bounty programs signal that a project is more legitimate as it takes security seriously, and they understand safety is an ongoing process. Neglecting this can put users, partners, and the protocol at risk.
Bug bounty programs foster an environment of continuous testing. The community can test new developments added to the code base, constantly strengthening the programs.
Larges amount of white hack hackers examining the code increases the chance of finding vulnerabilities. It is essential to take bug reports seriously. Pay and fix before the bug ends up in the crosshairs of a malicious actor. Dismissing legitimate security concerns from bounty hunters could have dire results.
Experienced professionals could dedicate time to discovering a bug in an already battled tested protocol and wasting their time and effort and discovering no new vulnerability.
Time to fix the bug
Hacks can occur in the process of fixing a known issue. When vulnerabilities are detected, projects must have an action plan to avoid negative outcomes if they do not act soon enough.
Bug bounty programs are only a tiny part of the safety landscape. Projects must prioritize internal control and test their code. After that, they can consider auditing their smart contacts with AuditOne.io, a marketplace for audits. Finally, put together a bug bounty program. Hackers will try to profit from every project that has the potential to produce millions. There should be enough infrastructure to address any problems that arise. It is preferable to have hackers on your side while strengthening platform security rather than negotiating after an attack.