A silent security scandal or a dying profession

Date: 2023-08-18 Author: Karina Ziganova Categories: BLOCKCHAIN, IN WORLD
The crypto community is struggling with issues related to bug bounty programs, a critical mechanism for detecting and fixing system vulnerabilities.

Usmann Khan, a web3 security auditor, posted on Aug 17 "Remember Projects Might Just Not Pay, White Hat" along with a screenshot of a post from Immunefi indicating that a project had been removed from its bug bounty platform for not paying a minimum of $500,000 in rewards.

In response, security researcher Mark Weiss shared the "Bug by Bug Wall of Shame" (BBWoS), a list documenting unpaid bounties allegedly owed to white hat hackers on web3. The BBWoS data appears to signal a significant lack of accountability and trust in the crypto ecosystem that cannot be ignored.

The BBWoS indicates that the bug bounty for the Arbitrum exploit in September 2022 was advertised at $2 million. However, the white hat only received $780,000 for disclosing an exploit that exposed over $680 million.

In addition, the BBWoS states that a CRV borrowing/lending exploit on Aave in November 2022 resulted in a $1.5 million loss, with $40 million at risk, and that no bounty was paid to the white hat who had identified the attack path "for a few days before."

Finally, in April of this year, just $500 was paid to a white hat who reportedly identified a way for managers to steal "tokens from users using malicious exchange paths" worth up to $14 million, after dHEDGE responded that the problem was "well known."

The list was created by white hat hackers "tired of spending sleepless nights looking for protocol errors only to get a $500 payout when the economic damage is in the millions", with the creator stating:

"I created this leaderboard to help educate the security community about projects that don't take security seriously so we can avoid them and spend time on projects that do."

The need for in-house auditors in DeFi.
In his talk at the DeFi Security Summit in July, Weiss emphasized the critical role of auditors at every stage of protocol development. He argued that embedding auditors and researchers within the team lets them shape architectural decisions, produce leaner codebases, and bring a security-centric approach to protocol development from the start.

It is therefore a concern when platforms fail to recognize and adequately reward the efforts of these same security professionals when they work on a contract or bounty basis.

Gogo and MiloTruck auditors emphasized that non-payment for identified vulnerabilities is a widespread problem. Their posts highlight the urgent need for these platforms to increase their accountability and credibility and ensure that white hat hackers are properly recognized.

Greater transparency is needed when dealing with vulnerabilities. High-profile cases listed on BBWoS, such as the compromised Arbitrum deposit contract, the Aave economic exploit, and the malicious swap paths in dHEDGE, amplify this need.

Trusted Execution Environments in DeFi.
In response to Weiss' questions about trust, Super Protocol's Danny Key highlighted the potential of "decentralized confidential computing" to build trust in Web3 projects and mitigate vulnerabilities. Key was referring to the ability to run DeFi inside Trusted Execution Environments (TEEs), a capability built into Super Protocol.

A TEE is an isolated area of the processor that protects the confidentiality and integrity of the code and data loaded inside it, even from the operator of the host machine. One disadvantage of using TEEs in decentralized DeFi applications, however, is reliance on proprietary architectures from centralized vendors such as Intel, AMD, and ARM. The open source community is working on open standards and implementations for TEEs, such as the Open-TEE and OP-TEE projects.

Key argues that if "Web3 projects run in confidential enclaves, there may not be a need to pay for vulnerabilities as security will be inherently enhanced."

While the fusion of blockchain and confidential computing could provide a formidable level of security for future projects, a TEE protects execution from a compromised host, not from flaws in the protocol's own logic, which is what the exploits listed on the BBWoS concern. Replacing bug bounties and security auditors with TEEs therefore seems challenging, to say the least.

Problems with bug bounty in DeFi.
White hat hackers face additional problems, such as security firms disclosing bugs carelessly on social media. The PeckShield post that exposed the JPEG'd bug in July simply said "Hey @JPEGd_69, you might want to take a look," referring to an Ethereum transaction.

Gogo criticized the post, stating "If this vulnerability was responsibly disclosed rather than exploited, JPEG'd users wouldn't lose $11 million, there wouldn't be reputational damage, the guy would get a hefty bug bounty instead of being controlled by the MEV bot."

Gogo also shared their own bug bounty experience with Immunefi, a process they described as "beyond fantasy": the payout required a mediation process that eventually resulted in a "satisfying" $5K payout for a critical bug.

These insights from the web3 security community highlight the critical role of auditors and the importance of effective bug bounty programs for the security, trust and growth of the crypto ecosystem.