Steven Walbroehl, a former bounty hunter, said that companies would sometimes downplay bug discoveries and not pay bounties, claiming that the bugs were not critical.

In April alone, at least three incidents of hackers returning exploited funds were witnessed in the decentralized finance (DeFi) space. On April 4, the Euler Finance team was able to recover $176.4 million after offering the hacker 10% of the stolen funds.
Similarly, lending protocol Sentiment was also able to recover about a million dollars in stolen funds after negotiating with the hacker. More recently, the attacker who was able to take $8.9 million from the DeFi protocol SafeMoon agreed to return 80% of the funds.
Hacks remain common in the crypto space, with over $320 million in digital assets lost in the first quarter of 2023. However, recent hacks proved that some exploiters are willing to return assets in exchange for a prize, a process that some describe as a bug bounty program with a criminal twist.

While the recent hacks could have been avoided through safe and profitable bug bounty programs, it may be a result of bounty offers not being worth it from the perspective of a white hat or ethical hacker.
Steven Walbroehl, the co-founder of security firm Halborn, said that it is very common for companies to refuse to pay out bug bounties and not take reported vulnerabilities very seriously. As a former bounty hunter, Walbroehl said that some bounty programs have sometimes left him "feeling cheated" out of his time. He explained that:
“Putting yourself in the shoes of a researcher, if you find an exploit that can make millions of dollars in stolen funds, but the developer is only offering a $5,000 reward, it can create a disproportionate amount of incentive to not take the bounty.”
Walbroehl also said that companies would often downplay the discoveries, saying that the bugs are not critical. Reporting bugs also sometimes leads to companies not paying up, claiming that their team has already located the bug by themselves, according to Walbroehl.
Simon Zhu, the senior product manager at blockchain security firm CertiK, said platforms really need to create programs that are safe and profitable for developers. While having funds returned is a win, Zhu told Cointelegraph that this would not be a welcome trend, as in this scenario attackers are essentially holding the funds hostage. Zhu explained that:
“White hat bug bounty programs are clearly preferable here. Platforms that do not offer a bug bounty program allowing for the safe and profitable disclosure of vulnerabilities may find themselves paying a much higher price.”
In addition, Zhu also urged projects to change their line of thinking when it comes to vulnerabilities. According to the cybersecurity executive, some developer teams tend to ignore minor bugs when the costs of fixing the bug are high or when the smart contract becomes more complex to modify after the bug gets fixed.
However, the CertiK executive highlighted that in Web3, a minor vulnerability can become a major one overnight. “Playing chicken with user deposits is not a responsible long-term approach to security,” Zhu added.