The bounties in crypto are so big because the math is so clear on the cost vs benefits of the bounties. Paying two million to avoid losing a billion is not a bad deal. And there just aren't enough security people yet that market forces have commoditized bounty finding.
Good companies use bounties as yet another security layer - after doing everything else, add a bug bounty!
Almost all crypto bug bounties run through Immunefi. [1] There are lots of > one million dollar bounties. You can see SEI's current bounty page here.[2] The company I work (a different company) for has a one million dollar bounty listed on immunefi.com and median response time of six hours.
Not really. Bank transactions are reversible (especially when banks themselves are affected). And if you try to wire money to your account, you will be found trivially.
Nothing is true in absolute terms but banks care about loss percentages and that’s much better in the real banking sector.
For example, the national bank of Bangladesh was compromised in 2016, believed to be a well-resourced attack by North Korea, and the attacker was able to attempt to transfer $1B. That’s about as severe as it gets, but the U.S. Federal Reserve blocked 85% of the transferred funds and of the remaining funds, all of the money sent to Sri Lanka was recovered, and they were able to recover some of the funds laundered through a corrupt bank in the Philippines whose manager was subsequently charged. About $64M was laundered through casinos which were not at the time required to follow KYC.
So, not great, but the losses are under 10% of the amount the hackers had access to and there’s still a chance of recovering the rest - that’s survivable with insurance and it’s basically the traditional finance world at its worst in terms of corruption & poor preparation. Compare it to cryptocurrency, where losses on that scale happen multiple times a year rather than once a decade, and the attackers have a much easier time laundering funds through the infrastructure setup for exactly that purpose. North Korea is getting over a billion dollars a year from cryptocurrency, which is much better than the tens of millions at greater risk they got here.
The money was only stopped at the Federal Reserve because the address used in some of the wire transactions included the word Jupiter which was a sanctioned entity at the time and the matching was sufficiently fuzzy that this was caught. That was a complete accident. It just as easily could have gone the other way. I just read a case on the layoffs subreddit where a law firm was hacked and one of their clients was tricked into wiring millions of dollars to the wrong account, resulting in the client suing the law firm for negligence and the law firm having to fire a bunch of people. One Latvian guy tricked Google and other large tech companies into wiring him a hundred million dollars total which was only recovered because he was arrested and plead guilty. Business email compromise is a huge plague on society and in many cases the recovered amount is trivial.
The only way you are recovering the bulk of losses if you don't notice the theft very quickly is if the amount is high enough that a prosecutor is interested and it hasn't all been withdrawn as cash yet.
All I was saying was that banks have a bug bounty on their head, the next person responded that bank transactions are reversible, which isn't entirely true in all cases.
I wasn't trying to compare sizes or anything like that.
Sometimes they are. There's a network of seedy international banks that scammers use to take their victims money, because otherwise the scam wouldn't work.
The scammers wire the money out of your account into a bank account they control, and then put it in another bank, and then
move it further on from there. Knowing which bank they have their account at doesn't help you avoid the problem.
> Depends, it's not clear yet that "code is law" or is not.
Aren't there quite a few cases already where attackers stealing funds from smart contracts were considered just that: thieves. And where their "code is law" defense didn't amuse the judge?
IIRC we recently even saw two sent to jail for manipulating smart contract prices: it's not even clear they used a bug in a smart contract.
I already posted it but Uncle Sam cannot have it both ways: if Uncle Sam asks people making money with cryptocurrencies to pay taxes, Uncle Sam goes after those who steal from the taxpayers. And... Oh boy, does Uncle Sam tax gains.
yes, sometimes. Its mostly the opposite of what people expect, but truth is often stranger than fiction.
The MEV and Sandwicher attackers are legal, increase the transaction costs for everyone, skim profits from everyone and annoy everyone, the exploiter of a MEV bot gets charged and convicted.
I don't have any problem with that, I've analyzed the sentiment of discussion though.
I don't think anyone got charged and said code is law. Its more about who gets charged at all.
Try thinking through other comparisons to understand the difference: if I find a bug in the power grid, how do I cash out? There aren’t many buyers, it’s really hard to move a lot of cash without getting caught, and if I use any other electronic system I have to pay a ton of money to get help laundering it because the risks are so high. Criminal outfits in Asia play games trying to get gift cards or things like that but it’s hard to scale and a lot of their dupes here get caught.
Contrast that with cryptocurrency where a bunch of VC money pumped up a market for you to launder the proceeds and the protocols are intentionally designed not to have antifraud protections. Ransomware was possible a decade earlier but the profitability went up massively once it became easy to launder millions rather than hundreds of dollars.
I have a general rule of exploit sales which nobody has shot me down on yet and I'm increasingly confident about: people are buying non-speculative outcomes. Every dorm room conversation about vulnerability valuation inevitably veers into speculation about what bank-shot outcomes a buyer might hope to achieve with a purchase. The reality is that unless the buyer is getting exactly an outcome they already planned (and, usually, have already repeatably achieved), they're not interested. Exploits have to slot into existing business processes.
This explains reliable, stealthy, zero-interaction full-chain iOS vulnerabilities, which fit into every intelligence, military, and law enforcement business process pin-compatibly. It explains browser vulnerabilities and ATO vectors.
And it also approximates the market for blockchain vulnerabilities: if the exploit is "literally transfer untraceable cash from victims to buyer", lots and lots of criminal organizations already have that business process; you probably simplify their existing repeatable process.
Blockchain vulnerabilities thus have a very credible market. As bonus: the work of discovering and POC'ing these vulnerabilities may be gnarly, but the engineering required to exploit them at scale probably isn't. It doesn't take months of R&D to make the exploit "reliable", it generates straight cash until it dies (and probably has a half-life measured in minutes), and so on.
Every lucrative class of vulnerability has some kind of story like this; they all fit into some existing, very clearly stated demand.
We get into trouble trying to generalize. All the markets are very specific; they're all sui generis. Most vulnerabilities are worth zero. There are mobile OS RCEs that are probably worth zero!
That’s a really good way to think about it. Having been security-adjacent for a long time, I definitely remember the reactions of dread which some of the earlier big vulnerabilities in things like OpenSSL got, which were never exploited at the feared scale, and that’s well explained by your theory: the NSA isn’t interested in every phone in a country, and a lot of unsexy vulnerabilities like WordPress exploits are going to be more widely attacked because people know how to make money with ad/affiliate spam, SEO, etc.
> And there just aren't enough security people yet that market forces have commoditized bounty finding.
I have the opposite conclusion there, crypto organization sponsored bug bounties are far more accurately valued than Web 2.0’s arbitrary adversarial bug bounties, and have attracted tons of developer talent to crypto bug bounties and the crypto ecosystem as a whole
Crypto bug bounties require specialized low level knowledge. Web 2 pentesting is akin to a qa checklist. Imo op is right that web2 bounties are commoditized.
More commoditized but vastly mispriced, especially consequential ones. but there are many laymen and seasoned programmers that would consider web 2 bug bounties to be very specialized, at the same time cosmos and EVMs have been around for at least 7 years now and many devs have only done that work - which is actually a problem in recruiting as many of these specialized crypto devs are quite junior
when Apple is going to fight tooth and nail to not pay you $10,000 while the black hat government contractor will pay $1,000,000 for the same exploit, the market is saying what the real price is and its at parity with what Web 3 is paying
The answer to this question is out there, but the reports are not published yet.
I caution readers to not make rash judgements on their skill like this though. These bugs are really hard to find, and it was a minor miracle that I noticed these ones at all. I actually had a whole list of critical bugs in this codebase ready to report before the V2 upgrade was merged to master (which would put it in scope for a bounty). However the auditors managed to find every single bug on my list. I only noticed the ones that eventually made it here later, by a stroke of luck, and after I had already spent a ton of time looking at this codebase without noticing them.
did you try other things like try to get employed by the team, or consider submitting an altruistic pull request? or was the bug bounty the adequate incentive from the getgo
were you being snarky about the word talent, got it, please see the forum guidelines about substantive discussion, believe it or not they apply to crypto discussion here too
1. This is really hard to enumerate. I basically am always doing recon and don't do it 1 target at a time either. I'd been looking at Sei's V2 upgrade code on and off for months, and made my report when they merged the v2 branch to master (this action put the code in-scope for a bounty). I'd found a handful of other critical bugs on the way but they were fixed eventually either in the course of normal development or audits. I definitely spent upwards of 40 very focused hrs in total investigating this codebase along with its dependencies Cosmos/Tendermint. Probably much more time less focused. Cosmos&TM are quite big. But those dependencies are used in many other projects too, so it can't be purely accounted towards time on Sei.
2. I am a very experienced security researcher/pentester/whatever we want to call it, specifically in the blockchain niche. I'm OK at the other stuff (reversing, cryptography, web, mobile, etc). Networking probably alright? I'm comfortable saying I have a good mind for security and a wide knowledge of the basics in many fields, then a very deep knowledge of a select few areas.
2. Well, I'm currently not employed full time and I do spend a lot of time bounty hunting. But I mix it in with other things as well, like competitive security reviews on https://sherlock.xyz or https://cantina.xyz and private contracted security reviews.
Typically networking. I spent some time working at a reputable firm in this space as well.
One way to do this is to show some chops on the competition sites and then move to one of the organized freelance firms like Spearbit or yAudit. In doing all of these things you'll inevitably meet more people, build a specialty, get some reputation, etc.
Did you have to specify that it was a critical bug or haggle with them? On the immunefi site, their max bounty is set at $1M but you clearly got 2x that.
I was impressed by the fast payouts. I almost couldn't believe how easy the second one was going to be, but it turned out a bit trickier than I thought. No wonder it flew under the radar.
Yeah, I think stealing that kind of money pretty much guarantees that you'll need to be paranoid for the rest of your life. I wouldn't take that for any amount.
North Korea might. Silk Road went under due to attempting to hire one.
The more likely concern is that someone will sell you out to any of the numerous governments who feel you wronged them. Leading to decades of life in prison.
I wouldn't expect there to be documented cases yet. The hypothetical case in question is a hacker taking hundreds of millions of dollars, not being caught initially, but then being caught years later. Crypto as a whole is just 15 years old, and it's only really been hot for under a decade. There have only been a handful of cases with such large dollar amounts, and most occurred in the last 5 years. And I expect most of the people who pull this off will be properly paranoid.
What sort of crime are you envisioning that exploiting this would fall under? It's not always fraud to satisfy a poorly written contract, although that is commonly the case.
Taking advantage of bad contracts can be legal depending on various nuanced circumstances. If the potential payout is lucrative, then it makes sense to consult with legal counsel first.
I am not making a judgement about this specific case.
That person committed fraud. My point wasn't even about cryptocurrency or DeFi.
Here's a simplified hypothetical example to help you understand the legal nuance: I offer all of my money to the first person that can solve 5x5, and I errantly believe that it's a difficult problem to solve.
Can you provide a more real-world example? I don't understand what point you are making, if it isn't about making money via cryptocurrency. When you say "bad contracts", I assume you are talking about smart contracts. Is that not the case?
It's up there but not singularly so. Twice there have been $10M! You can see the leaderboard where the majority of crypto bounties are represented here (https://immunefi.com/leaderboard/) but you have to search around for the actual reports.
nope, not at all! the crypto sector has been the most lucrative thing you can be doing in software for a decade straight now, especially with the lowest CapEx - AI doesn't even come close when factoring that in - bug bounties have been larger and only a subset are through these bug bounty brokers.
See. These crypto bounties pay as much or even more than big tech bug bounties.
This bounty prize is the equivalent of finding a Chrome zero day bug or an iPhone zero day RCE jailbreak. There are lots of >$1M bug bounties in crypto.
The question is, would you rather target Chrome/Safari or iPhones and find and chain-up 5 - 10 zero days for $1M+ or target crypto projects instead for $2M per project?
I’m not a crypto hater (I used to work security at coinbase) but I think that while a chrome or iPhone zeroday might be worth less in bug bounty it’s worth more for a security engineers career long term.
Having the iPhone bug and the accompanying conference talk and blog post will allow you get hired by nearly any good security or tech company. No one cares about blockchain bugs except other crypto companies. When I and a bunch of other coinbase engineers were looking for jobs we were looked down at for even working in crypto. And weren’t even in the blockchain team! Just regular engineers.
I myself have dedicated a couple of months to testing gnosis and curve that each have $2 million bounties but turned up short. Last year I switched to a ML based fuzzing research and was able to speak at defcon and got crazy offers after publication.
Serious Chrome and iPhone bug chains can be worth this much on the market, but the amount of engineering effort that goes into supporting that kind of pricing (across all the buyers, aggregated) is extreme. The subthread that unfolds from this comment is about fuzzing, but finding a vulnerability is a small part of actually selling it on the market.
Vendor bounties for these kinds of vulnerabilities are going to tend to be sharply lower than this crypto bounty, which was for a directly monetizable vulnerability. But there's a lot going into that vendor bounty price point.
Can you share more about ML based fuzzing? I do pretty basic fuzzing and that's been pretty useful at work for testing, and am keen to learn about better more modern approaches than mine!
Fuzzing is a massive field now. I don't know what you are doing specifically but this is a collection of good related papers: https://github.com/wcventure/FuzzingPaper.
I would find what is most like your problem domain and dig in :).
Well, like Soros on the Bank of England or the attack on Terra luna, you can short SEI before the attack as well.
This is actually why "proof of stake" blockchains are fundamentally flawed. They only make sense if the value of the system is denominated in the currency of the system. It's self referential and prone to negative feedback loops. They are secure because the token is expensive, the token is expensive because it provides a secure platform. Short the token, take a loan out, compromise the security, tank the value, profit. All the mechanisms to prevent that are built into the system, like delaying the validator pool entry, but the only real backstop is a hard fork and spinning up a new copy.
It was advertised in advance, but the real gamble is on if they'll pay. If you go to my other blogpost linked in OP, you can see a case where I was owed 500k and paid 60k.
You're right though that it's a lot of risk. It's not something that most of the leaderboard works full time on, though some of us do. The immunefi homepage has a list of all the bounties on offer.
Yes, that is actually worth it. This seems comparable to what a third party might pay.
I have always wondered why the payouts are capped at the trillion dollar corps at such low figures. It appears like $75k max and MS and $100k max at Apple. Meanwhile shady 3rd party groups will pay you 10x that, won't they?
Cryptocurrency bug bounty programs perhaps have an advantage in that the risks of classes of bugs are often concrete, financially quantifiable, immediate, and catastrophic. A bad RCE in a mainstream OS could do untold damage to users, reputational damage to the company, and so on, but even if severe, those risks have to be estimated. But in this case, for example, it seems like the $2m bounty was for a bug that, if exploited, would have made $1b in market cap disappear. I expect it's just much simpler to convince a skeptic businessperson when the risks are so clear.
I suppose the argument for OS makers to raise their rates might be that they are paying 10x below market rates, and the rates were set by the actual freaking market that exists.
If I was a congressional aide, I would definitely write something up about this when my boss was going to drag a Microsoft exec across the coals in public. I would imagine that billions in gov contracts are at risk for MS right now due to lax security. A $2M bug bounty could have prevented that.
Apple outbids bottom- and mid-tier buyers, and top-tier buyers are extremely finicky about what they're buying: exploits, not vulnerabilities, for reliable bugs, with a variety of additional constraints. Apple and Google will buy exploits top-tier IC buyers won't, with less negotiation and less risk.
The major parties to this market are aware of each other and are calibrating against each other; Apple and Google aren't blowing this off. It's complicated and counterintuitive in a bunch of ways.
There could also be a reverse bounty paid as a salary bonus to the devs if there is no security bug found in N months. A "code quality bonus", if you will. Though only to encourage quality control.
Intentional bug creation should probably result in firing, unless it was done under duress.
Oh yeah, the old cobra effect. However, you could only pull it off once. I am sure a postmortem of all related design and commits would be done, correct?
Also, FAANG level salaries are pretty high for anyone involved with that type of code, right?
Did they get paid 2M in USD, or did they get paid 2M in magic-bean tokens, where is so little market depth that selling 30k of it would tank the market, so they will have to bleed it out slowly and hope the price doesn't tank before they exit
Regarding the downvotes, the company says the below in their Immunefi page. It seems (as the OP responded) that they paid out differently in this case. I am unsure why that happened or if the page is outdated.
"Payouts are handled by the Sei Foundation team directly and are denominated in USD. However, payments are done in SEI." [1]
The other part of my comment is correct according to the various Immunefi listings. Again, I could be incorrect if they do something differently behind closed doors.
Projects are free to change their terms and the page you link has been updated since I submitted my reports. The maximum was lowered to $1M and payment currency changed from USDC to SEI.
Sure, but we are talking about a token that (almost) had a bug that allowed people to steal from cold-wallets. No amount of fancy words makes that concern go away.
"
Cosmos uses go panics for error handling. Transaction runs
out of gas? panic. Try to spend more coins than you have?
panic. Invalid inputs? panic.
...
For safety, later on the panic was removed entirely.
"
Next time someone suggests using panic's as exceptions in golang... I'm going to point them at a nice $75k reason not to do that.
On the blockchain, accounts have a certain amount of currency.
You can issue a command to transfer currency from your account to somebody else's, as that is a primary use case of a cryptocurrency. There was a code path where you could send someone negative amounts of the currency and it would happily pay them a negative amount of currency and charge you a negative amount of currency, thus transferring their account balance to your against their will.
There were several transfer paths and I think not all of them were vulnerable, but only one has to be. There's a bit of indirection that made it somewhat less obvious than my description makes it sound, though it amounts to the same thing in the end.
> There was a code path where you could send someone negative amounts of the currency and it would happily pay them a negative amount of currency and charge you a negative amount of currency, thus transferring their account balance to your against their will.
This is a bug I remember from the Apple II game "Taipan" (in which you play an 1800s opium-and-silk trader in East Asia). You could borrow negative amounts of money from a lender who charges extremely high interest. As a result, the lender would quickly end up owing you tremendous sums, without your having to do anything else. Wikipedia mentions this:
> Note: A bug in the original game allows the player to overpay the moneylender, acquiring "negative debt". This "negative debt" will accumulate interest very quickly, and will count towards the player's net worth. As the game's vocabulary of number words ends at "trillion", this can cause the game to display garbage instead of the player's correct net worth. This has been fixed in the online "for browsers" version of the game.
it really shouldnt be referred to as currency as a whole anymore.
well i guess anything can be a currency but its too misleading even though that was by design.
if its designed to be a stock then should be called so. poker chips? in game currency? money laundering token? reward points? purchase receipt? jpeg? just think it would help
'Token' is the generic term people have settled on. 'Currency' is rare.
A stock would be a 'tokenized equity', in the same way there's 'tokenised real estate', 'tokenised metals', 'tokenised bonds', whatever the real world asset is.
'In-game currency' is indeed used by gaming people, since that was their term from before blockchain.
Not scary at all! The nice thing about blockchain stuff is that you can safely ignore it and it will have absolutely zero impact on your life now or at any point in the future.
"Online TV" that requires payment in crypto, and doesn't take card... without more info, it's pretty safe to assume that service is not provided legally.
It may just be a matter of where they live. I got used to sending money in btc to my grandmother because the countries we live in currently happened to be at war with each other and bank transfers were not an option.
Good companies use bounties as yet another security layer - after doing everything else, add a bug bounty!
Almost all crypto bug bounties run through Immunefi. [1] There are lots of > one million dollar bounties. You can see SEI's current bounty page here.[2] The company I work (a different company) for has a one million dollar bounty listed on immunefi.com and median response time of six hours.
[1] https://immunefi.com/bug-bounty/
[2] https://immunefi.com/bug-bounty/sei/