Despite the famed immutability of blockchain technology, widespread hacks and 51 percent attacks on several cryptocurrency projects have proved the emerging sector is susceptible to flaws. With this in mind, some of the largest projects have launched bounty programs to enhance security and detect bugs, with $24,500 handed out to ethical hackers in July 2018 alone.
HackerOne Reveals Bounty Rewards
Data collated by HackerOne, a crowd-sourced ethical hacking platform, shows over $13,000 in bounty rewards paid out to three users who discovered flaws in the EOS protocol. The incentives are presumably proportional to the level of threat the bug could have caused, as two hackers received $2,500 and $500 for their efforts, while “yukichen” won $12,500.
Meanwhile, three bugs were found in blockchain-based decentralized internet platform Tron and hackers were paid amounts ranging from $500 to $6,000. However, the main page shows a “critical” bug, worth $50,000, available for troubleshooting.
Privacy coin Monero and prediction marketplace Augur were found with one bug each. While the former declined to make details of the bug public, Augur’s now-resolved bug was classified as “high severity,” with details suggesting a miner could “manipulate the gas reporting bond.”
Augur Makes Vulnerabilities Public
In this regard, Augur was the only company revealing details of the vulnerabilities. All other projects chose to withhold results.
According to the disclosed details, the Augur bug allowed protocol manipulation that could let a malicious miner hike up the fees required to create new prediction markets on its platform.
“By creating a market with themselves as designated reporter and setting a very high gas price for their own block at no cost to themselves, miners can manipulate the gas reporting bond. An attacker can increase the gas reporting bond required to create a market arbitrarily [and] make the gas reporting bonds too high for honest users to create markets.”
In April 2018, the prediction marketplace platform launched its first bug bounty program, announcing a $50,000 reward for eligible disclosures. Since the announcement, Augur has increased its vulnerability incentive to $200,000.
— Augur (@AugurProject) July 2, 2018
Going by the HackerOne reports, Edgar’s debugging was the only one classified as “high severity,” with a couple of previous instances termed “low” and worth $100 each. In any case, the high scrutiny on security within the Augur team is indicative of the project’s priorities.
Following the mainnet launch on July 9, 2018, the impact of any undiscovered bugs in the network will be amplified. As such, founders Joey Krug and Jack Peterson have taken their time to get the prediction market and Augur’s brand of smart contracts right. The additional incentive of $200,000 for interested ethical hackers has hopefully helped battle-test the technology before the launch.
Security Concerns in Cryptocurrency Projects
EOS gave out the most in prize money to ethical hackers, with $12,500 given in July 2018, and over $100,000 in the first half of 2018. Tron gave out $7,000 and Augur $5,000, while Monero chose to retain its anonymous ethos by not revealing the bug bounties at all.
Hacker Guido Vranken recently made over $120,000 for debugging flaws in the EOS protocol. Interestingly, Vranken’s team reported several other errors in the system, which EOS has not made public yet. For a protocol worth over $4 billion by market cap, EOS seems to have serious bugs and no full-time security team.
Several other reports suggest cryptocurrency projects lack basic protocol security. The sector remains unregulated, which equates to an absence of mandatory third-party protocol audits, a major feature of any industry worth hundreds of billions.