Skyrocketing cryptocurrency bug bounties expected to lure top hacking talent

Bounties as high as $10 million dollars make hunting cryptocurrency vulnerabilities lucrative for those with the proper skillsets. It might eventually drive up fees for traditional bounties, too.

Money flows through a tunnel of binary code as a target hovers over a code bug.
Irwan_Nartadi170 / A. / ImageDepotPro / Getty Images

As high-stakes cryptocurrency and blockchain projects proliferate and soar in value, it’s no surprise that malicious actors were enticed to steal $14 billion in cryptocurrency during 2021 alone. The frantic pace of cryptocurrency thefts is continuing into 2022.

In January, thieves stole $30 million in currency from Crypto.com and $80 million in cryptocurrency from Qubit Finance. February started with the second-largest decentralize finance (DeFi) theft to date when a hacker exploited a token exchange bridge in Wormhole to steal $320 million worth of Ethereum.

The largest cryptocurrency hack so far took place last August when blockchain interoperability project Poly Network suffered a hack that resulted in a loss of over $600 million. In an unusual move, Poly unsuccessfully attempted to publicly negotiate with the hacker a post-theft “bug bounty” of $500,000 in exchange for returning the $600 million, a bounty worth six times more than that typically offered in traditional cryptocurrency bug bounty programs.

$2 million paydays set the pace

With so much money at stake, at least $3 trillion by some calculations in late-2021, it’s also not surprising that bona fide bug bounties in the cryptocurrency sector are skyrocketing. A week ago, noted white-hat hacker Jay Freeman announced that he earned a $2,000,042 million bug bounty from Ethereum layer-2 scaling project Optimism for discovering a bug that would have allowed an attacker to print an arbitrary quantity of tokens.

Freeman is not alone in generating a $2 million payday from a cryptocurrency bounty. Gerhard Wagner submitted a critical vulnerability last October that affected the Polygon Plasma Bridge, which put $850 million at risk, earning a $2 million bounty in the process. In December, another critical vulnerability in Polygon, which put $18 billion at risk, generated a $2.2 million bounty for white-hat Leon Spacewalker. Both of these bounties were paid via Web3 bug bounty platform Immunefi.

On the same day Freeman’s bounty was made public, Ethereum-based protocol MakerDAO announced a maximum $10 millon reward through Immunefi for white hat hackers who point out legitimate security threats in its smart contracts.

What is a bug worth?

With cryptocurrency bounties reaching seven and eight figures, the pressure for traditional bug bounty programs to up the ante will no doubt mount, at least in the long run, as top hackers retrofit their skills to go where the money is. “Yes, there is financial competition for talent and data, and our category will have to respond,” Casey Ellis, CTO, and Founder of Bugcrowd, tells CSO. “Cryptocurrency companies may be the first ones to succinctly answer the question, ‘What is a bug worth?’”

Ellis adds that “in traditional markets, iOS exploits can sell for more than $2 million, but it's usually to buyers who are far more difficult to deal with, and who intend to keep those vulnerabilities alive for future use. To see a known and reputable jail-breaker pivot toward the relative ease of earnings afforded by the cryptocurrency boom gives you an idea of where the vulnerability data market is going.”

“Bounty size is going up in Web2 stuff regardless of what happens in crypto,” Mitchell Amador, Founder and CEO of Immunefi, tells CSO. “Everybody and their dog are digitizing their infrastructure, their workflows, their business logic, and their operations. That's an incredible increase in the attack service over a relatively short amount of time.”

The meteoric rise in cryptocurrency bug bounties won’t eliminate the need for traditional bug bounty hackers, Amador says. “It's not going to hollow out the existing bug base. You've got these legions of hackers who have built very profitable, specific skills going after specific vulnerabilities. They're just going to keep plying their trade.”

Best hackers will migrate to crypto space

What might happen is that the best hackers will migrate to the crypto space. “People want to crack the hardest problems in the hacker community,” Amador says. “You get lots of reputation, lots of clout because you can do something that nobody else has been able to do. You can prove that you're the best.”

The challenge of cracking the most complex problems with the enormous payoffs could prove irresistible to top talent. “We've combined some of the hardest technical challenges in crypto, along with, by far, the largest payouts. It’s going to dramatically accelerate the rate at which this top tier, this top 10% of the hacking community, migrates to crypto. You have to be an exceptionally talented person and have years of training and experience in order to tackle these problems.”

Upward pressure ‘very, very likely’ in the long term

Dane Sherrets, solutions architect at HackerOne, who also does bug bounties on the side, tells CSO that in the short term, “I don't expect to see any real up upward pressure [as a result of the rising crypto bug bounties] but in the long term, very, very likely.”

Sherrets thinks it’s important to understand why these bug bounties are so high for smart contract projects. “There is a real need to have some kind of a payout that makes sense. With MakerDAO having a $10 million bounty, you have billions locked up, so that’s a drop in the bucket. It becomes like a marketing initiative. The bounties are so high due to the need to actually have a strong security posture and project the strong security posture to get more users involved. It just makes sense as it relates to how much money is sitting in these smart contracts.”

Traditional hackers need to retool for the crypto market

Right now, according to Sherrets, the hackers that typically participate in traditional bug bounty programs lack the necessary skills to participate in cryptocurrency bug bounty programs. These white-hat hackers will have to retool their standard IT skillsets and learn more about cryptocurrency. “I could be one of the top web hackers in the world, but if I'm not familiar with how an automated market maker [a part of decentralized exchanges introduced to remove any intermediaries in the trading of cryptocurrency assets] works, if I don't understand that as a hacker, I'm not going to be able to figure out ways to exploit that,” Sherrets says.

Bounties could reach hundreds of millions of dollars

For these reasons, bug bounty hunters in the traditional space will take at least two years to come up to speed where they can earn serious money in the crypto world. “There's more of a learning curve than hackers just saying, ‘Okay, I want to hack on Web 3.0 today,’” Sherrets says.

Long-term, “if you accept the premise that this is where the future is going, then you'll see a lot more people just diving straight into this,” Sherrets says. That’s when traditional bug bounty programs will really start to feel the pressure to increase their payouts to lure talented hackers.

Moreover, long-term legacy internet companies will be incorporating more smart contracts and blockchain technologies into their offerings, which will spur even more hackers to jump into the Web3 world. Even today, TikTok, Twitter, GameStop, and other leading tech-based companies are incorporating Web3 features such as non-fungible tokens (NFTs) into their services.

“The size of this market is basically untapped,” Amador says. “The thing to consider is that MakerDAO has $15 billion to $20 billion in its contracts today, a truly vast, vast amount of capital, more than many countries have circulating in their banks. Consequently, there is an incentive to protect that is extremely high. There's no reason to believe that bug bounties won't get into the hundreds of millions of dollars.”

Related:

Copyright © 2022 IDG Communications, Inc.

Make your voice heard. Share your experience in CSO's Security Priorities Study.