Ethereum offers up to $1 million in bounties for critical bug reports


Reward for white hats valid until September 8 for vulnerabilities related to the merge

Rashmi Ramesh (rashmiramesh_)
August 26, 2022


Ethereum is offering up to $1 million in bounties to those who identify critical merge-related vulnerabilities on its blockchain. The quadrupled reward applies between Wednesday and September 8.


The “merge” is essentially a network upgrade. The process, which is expected to be completed by September 20, will move the Ethereum blockchain from a proof-of-work consensus mechanism to a proof-of-stake one.

The consensus mechanism ensures that only genuine participants are allowed to add new transactions to the blockchain. Two algorithms, proof of work and proof of stake, can be used for this. The main difference between them is how each decides who may add transactions to the chain. The first relies on miners – participants who voluntarily compete to solve computationally hard puzzles to “mine” cryptocurrency – to validate transactions. This process is slow, expensive, and energy-intensive, but it has been tested on large-scale blockchains such as Bitcoin. The second relies on validators – nodes chosen according to the number of tokens they hold – to verify transactions. This method is considered safer because validators have a vested interest in the security of the blockchain, having spent money to acquire a significant amount of cryptocurrency.

Proof of Stake allows more users to participate in the network consensus because a validating node can be run on a normal laptop. Proof of work requires expensive digital mining equipment. “It decentralizes the network and is arguably good for security,” Dan Sherrets, solutions architect at bug bounty platform HackerOne, told Information Security Media Group.

But Proof of Stake is also more complex and requires multiple pieces of software to work together. “It’s not necessarily bad for security per se, but it does introduce additional opportunities for bugs in the software that can create problems on the network,” he said.

Ethereum’s announcement of large bounties for white hat hackers who find critical bugs is not unprecedented. Axie Infinity launched a bug bounty program offering up to $1 million after hackers drained over $600 million from the Ronin company’s Ethereum sidechain. Dawn paid a $6 million white hat bounty for the report of a critical vulnerability that could have caused approximately $300 million in losses to the company.

Bounties and risks related to the merge

Ethereum did not respond to ISMG’s request for more details on what defines a merge-related bug.

“I would consider any vulnerabilities in a Beacon Chain client, specification, or deposit contract [which introduces the proof-of-stake mechanism to Ethereum] that could be exploited during or shortly after the merge to be related to the merge. The caveat here is that the Ethereum Foundation may have a different definition, and it doesn’t seem to be explicitly defined on its bounty page,” Sherrets explains.

It’s also difficult to pinpoint what constitutes a merge-related vulnerability, as such vulnerabilities may include new attack vectors that have yet to be discovered, says blockchain security firm CertiK.

Sherrets adds that few researchers have the skills required to find vulnerabilities on such projects. “Some of the most impactful vulnerabilities I’ve seen in this space have required researchers with a deep understanding of cryptography, economics, computer science, and mathematics,” Sherrets says.

In the Web3 world, bug bounty programs often serve a different function than they do in the more traditional Web2 space, Sherrets adds. “For example, if a smart contract containing $100 million worth of cryptocurrency has a critical vulnerability, that means an attacker could steal or destroy all $100 million. But if a program offers a bug bounty of $1 million dollars, it can encourage the attacker to simply report the problem and collect the bounty legally and properly,” he says. fund is rarely involved.

This also defines one of the risks of Ethereum’s latest program. If the enlisted white hat hackers are unknown entities, it can result in bugs not being reported to the project and instead being exploited, says CertiK.

Having a know-your-customer mechanism in place to identify the white hats enlisted to find bugs, and running bug bounties as part of ongoing security assessment alongside smart contract audits and blockchain analysis tools, is vital for projects that undergo continuous development, as new vulnerabilities can arise when new features are added, the firm says.

