This article was published on March 14, 2019

Security researchers found over 40 bugs in blockchain platforms in 30 days

Security researchers pocketed over $20,000 for their efforts

White hat hackers have found more than 40 bugs in blockchain and cryptocurrency platforms in the past 30 days, according to an investigation by Hard Fork. There is a silver lining though: none of the vulnerabilities appear to be particularly serious at first glance.

Thirteen companies dealing with cryptocurrency and blockchain tech received a total of 43 vulnerability reports between February 13 and March 13, according to bug reports submitted to the vulnerability disclosure platform HackerOne.

Among others, the list of affected platforms includes Coinbase, EOS issuer Block.one, Tezos, Brave, and Monero.

Who’s got the most blockchain kinks?

Esports gambling platform Unikrn (which also has its own cryptocurrency called Unikoin Gold) received the most vulnerability reports out of any company in the blockchain sector, with 12 bugs flagged via its disclosure program. OmiseGo developer Omise came in second with six received bug reports, followed by EOS with five.

Blockchain consensus protocol Tendermint received four bug reports, followed by Augur and Tezos with three each; Monero, ICON, and MyEtherWallet received two vulnerability reports each too. The remainder of vulnerabilities were found in cryptocurrency exchange Coinbase, Crypto.com, Electroneum, and Brave Software (developer of the semi-centralized “decentralized” Brave browser), each of which received one bug report.

It’s worth noting that some of these companies are only marginally involved with decentralized technology, so it’s possible some of these kinks might be unrelated to their cryptocurrency and blockchain functionalities. This appears to be the case for Brave browser.

Most generous bounty givers

Despite the high number of reported bugs, security researchers received only $23,675 in total for their efforts. For the record, seven of the 43 vulnerability reports didn't disclose the value of the bounty awarded, so the real figure is likely somewhat higher.

For a change, EOS wasn’t the company that accounted for the biggest chunk of all bounties distributed.

Indeed, Tendermint (which reportedly will power Binance's decentralized exchange) led the chart, having handed out a total of $8,500. EOS was the runner-up with $5,500, a far cry from the $120,000 it once awarded to a clever security researcher who found a series of flaws in its platform.

Despite having received 12 bug reports, Unikrn distributed only $1,375 in bug bounties.

What kind of bugs are we talking about?

As is often the case, most of these vulnerability reports are closed off from the public, so the details remain unknown. However, judging by the low bounties awarded, chances are the identified flaws weren't a huge cause for concern.

Notably, Block.one has revealed that four of the five bugs it received were buffer overflow flaws, which could have allowed an attacker to inject and execute arbitrary code. All of these shortcomings have since been resolved.

Still, EOS remains among the blockchain companies with the most vulnerability reports received and, with over $500,000 in bounties handed out to date, the most generous patron of security researchers.
