This article was published on December 30, 2018

Hackers pocketed $878,000 from cryptocurrency bug bounties in 2018

Security researchers are picking apart the blockchain


Hackers pocketed $878,000 from cryptocurrency bug bounties in 2018

While hardcore cryptocurrency enthusiasts often tout blockchain for its heightened security, the technology is not perfect – and there are often tons of vulnerabilities in the code. Indeed, blockchain companies have received at least 3,000 vulnerability reports in 2018 alone.

According to stats from breach disclosure platform HackerOne, blockchain companies awarded $878,504 in bug bounties to hackers this year. The data was compiled in mid-December. By contrast, the total sum of bug bounties awarded by August was $600,000.

With $534,500 awarded, EOS creator Block.one accounts for more than 60 percent of all bounties handed out in 2018.

Here is the top three all-time chart when it comes to bug bounty rewards (please note this includes bounties from before 2018):

  • Block.one – $534,500
  • Coinbase – $290,381
  • TRON – $76,200

The 💜 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!

While cryptocurrency exchange desk Coinbase comes in second (with $290,381 in bug bounties), it’s been running a disclosure program since 2014. Block.one launched its disclosure program for EOS at the end of May. Shortly after that, one single hacker claimed $120,000 in bug bounties from Block.one in less than a week.

“Nearly 4 percent of all bounties awarded on HackerOne in 2018 were from blockchain and cryptocurrency companies,” a HackerOne spokesperson told Hard Fork.

Still, it seems blockchain companies remunerate hackers slightly better than other industries on HackerOne.

“The average bounty for all blockchain companies in 2018 was $1490, that is higher than the Q4 platform average of around $900.” the spokesperson added. “One of the top paid crypto hackers earned 7X the median software engineer salary in their country respectively.”

The blockchain bug problem is bigger than it seems

HackerOne told Hard Fork there are currently 64 blockchain companies on its platform at present. For context, there are more than 2,000 various cryptocurrency companies out there. This means the real number of vulnerabilities is likely significantly higher.

Just keep in mind that researchers found crippling vulnerabilities in both Bitcoin and Bitcoin Cash this year – the former of which is blockchain’s oldest and most well-established protocol out there. Earlier this year, reports suggested there were more than 34,000 vulnerable smart contracts in Ethereum-based projects alone.

Due to its immutability aspects, the severity of vulnerabilities on the blockchain is much more serious than in other centralized technologies, since there is no way of reversing transactions (unless we’re talking about EOS or other systems with built-in backdoors).

So if you were thinking about betting on blockchain to keep your funds safe, you might want to measure the risk.

In the meantime, Augur’s $200,000 bounty for critical issues is still up for grabs. You can take a dig at it here.

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with


Published
Back to top