Cryptocurrency startups often tout blockchain technology for its immutability and heightened security, but in spite of such claims, even distributed ledgers are prone to flaws. Just this week alone, EOS, EOS TRON, Monero, and Augur have handed out $24,500 in bug bounties to ethical hackers who found kinks in their software.
According to HackerOne data, security experts found a total of seven vulnerabilities: three in TRON, two in EOS, and one each Monero and Augur respectively. Unfortunately, most of these reports remain closed to the public, so it’s difficult to gauge how serious the issues were.
Here’s what we know though: EOS was the most generous bounty giver with a total of $12,500 in prize money, followed by Justin Sun’s TRON with $7,000, and Augur with $5,000. Monero has chosen not to disclose the size of the bounty.
Augur is the only company that has opted to make details of the vulnerabilities visible to the public. It revealed that a flaw in its network made it possible for malicious miners to manipulate gas reporting bonds and hike up the fees required for creating new markets on the platform.
“By creating a market with themselves as designated reporter and setting a very high gas price for their own block at no cost to themselves, miners can manipulate the gas reporting bond,” security researcher Edmund Edgar who found the bug explains. “An attacker can increase the gas reporting bond required to create a market arbitrarily [and] make the gas reporting bonds too high for honest users to create markets.”
The good thing is that Augur has since patched the glitch.
Augur first launched its bug bounty program back in April, putting aside $50,000 for eligible disclosures. The company has since bumped its vulnerability prize pool to $200,000.
Edgar’s report is the first one the company has deemed “high severity,” rewarding him with $5,000 for the discovery. Until yesterday, the company had handed out only two bounties, worth $100 each.
EOS, on the other hand, has a little more experience giving out bounties. Since kicking off its security report program in May, the company has dished out over $300,000 in reward money for more than 40 disclosures.
In fact, Dutch white hat hacker Guido Vranken recently scooped more than $120,000 for bugs reported to EOS. The more concerning part is that, in the following weeks, researchers kept finding more weaknesses in the system. This is in addition to the slew of problems EOS was dealing with.
It’s worth pointing out that, while vulnerabilities are never good news, bug bounty programs are put in place to encourage hackers to disclose such bugs in a responsible manner – instead of outright exploiting vulnerable systems in order to benefit from their flaws. This is ever more crucial in blockchain networks, where recorded data is immutable by default (in most cases, that is).
Indeed, chances are there are tons of blockchain companies with faulty code out there; but the reality is that ethical hackers have only a limited amount of time to look into all of them, hence the focus on inspecting software from companies with bug bounty programs.
Perhaps most striking is the example of Coinbase, which not so long ago gave out a $10,000 bounty to a security firm for unearthing a glitch in the platform that made it possible to reward yourself with practically infinite amounts of Ethereum.
This is precisely why every blockchain company should be running its own bug bounty program.
Published July 6, 2018 — 13:40 UTC