Why do platforms with ineffective bounty programs pay a higher price

In April alone, at least three incidents of hackers returning exploited funds were witnessed in the decentralized finance (DeFi) space. On April 4, the Euler Finance team was able to recover $176.4 million after offering the hacker 10% of the stolen funds.

Similarly, lending protocol Sentiment was also able to recover almost a million dollars in stolen funds after negotiating with the hacker. More recently, the attacker who was able to take $8.9 million from the DeFi protocol SafeMoon agreed to return 80% of the funds.

Hacks remain common in the crypto space, with over $320 million in digital assets lost in the first quarter of 2023. However, the recent incidents showed that some exploiters are willing to return assets in exchange for a reward, a process that some describe as a bug bounty program with a criminal twist.

Community member commenting on the recent hacks. Source: Twitter

While the recent hacks could have been avoided through safe and profitable bug bounty programs, they may also be a result of bounty offers not being worth it from the perspective of a white hat or ethical hacker.

Steven Walbroehl, the co-founder of security firm Halborn, said that it is very common for companies to refuse to pay out bug bounties and to not take reported vulnerabilities seriously. As a former bounty hunter, Walbroehl said that some bounty programs have left him “feeling cheated” out of his time. He explained that:

“Putting yourself in the shoes of a researcher, if you find an exploit that can create millions of dollars in stolen funds, but the developer is only offering a $5,000 reward, it can create a disproportionate amount of incentive to not take the bounty.”

Walbroehl also said that companies would often downplay the discoveries, saying that the bugs are not critical. According to Walbroehl, reporting bugs also sometimes leads to companies not paying up, claiming that their own team had already located the bug.

Simon Zhu, the senior product director at blockchain security firm CertiK, said platforms really need to create programs that are safe and profitable for developers. While having funds returned is a win, Zhu told Cointelegraph that this would not be a welcome trend, as in this scenario attackers are essentially holding the funds hostage. Zhu explained that:

“White hat bug bounty programs are clearly preferable here. Platforms that do not offer a bug…

Click Here to Read the Full Original Article at Cointelegraph.com News…