By Larry John for TDPel Media.
Hacks in the crypto industry are not new, with the first quarter of 2023 recording over $320 million in digital asset losses.
Nevertheless, several recent incidents have shown that some hackers are willing to return the stolen assets in exchange for a reward.
This practice resembles a bug bounty program, except that it has a criminal twist.
Recent Incidents of Funds Returned
In April 2023, at least three incidents of hackers returning exploited funds were observed in the decentralized finance (DeFi) space.
The Euler Finance team was able to recover $176.4 million after offering the hacker 10% of the stolen funds.
Similarly, the hacker who took almost a million dollars from the lending protocol Sentiment agreed to return the funds.
The attacker who took $8.9 million from the DeFi protocol SafeMoon also agreed to return 80% of the funds.
Low Bug Bounty Rewards May Result in Fewer White Hat Hackers
While offering bug bounty programs could prevent hacks, it may not be enough from the perspective of ethical hackers or white hats.
Steven Walbroehl, co-founder of security firm Halborn, explained that many companies refuse to pay out bug bounties or take reported vulnerabilities seriously.
Walbroehl pointed out that low rewards may be a disincentive for bounty hunters to report bugs.
Some developers may offer only $5,000 as a reward for a bug that could potentially lead to millions of dollars in stolen funds.
Companies May Downplay Reported Vulnerabilities
Walbroehl also explained that companies tend to downplay reported vulnerabilities or refuse to pay out rewards by claiming that their team discovered the bug independently.
This response can be frustrating for ethical hackers who may feel cheated out of their time.
White Hat Bug Bounty Programs Are Preferable
Simon Zhu, senior product director at blockchain security firm CertiK, stated that platforms should provide safe and profitable bug bounty programs for developers.
While the recent return of stolen funds is a win, Zhu emphasized that attackers are essentially holding the funds hostage.
White hat bug bounty programs are preferable, as platforms that do not offer such programs could pay a much higher price.
Developers Must Take All Bugs Seriously
Zhu urged developers to change their thinking about vulnerabilities.
Some developer teams tend to ignore minor bugs when fixing them can be costly or make the smart contract more complex to modify.
However, in Web3, a minor vulnerability can become a major one overnight.
Zhu emphasized that playing chicken with user deposits is not a responsible long-term approach to security.
Commentary
The recent incidents of hackers returning exploited funds are unusual in the crypto industry, where stolen funds are rarely recovered.
The practice itself is not new, but it deviates from the norm, in which hackers usually disappear with the stolen funds.
While the return of stolen funds is a welcome development, it may not be a sustainable solution.
Companies must provide adequate bug bounty programs to incentivize ethical hackers to report bugs and prevent hackers from exploiting vulnerabilities.
This approach can help prevent hacks in the first place, instead of relying on the goodwill of hackers to return stolen funds.