Ethereum Offers Up To $1M Bounty for Critical Bug Reports
Reward for White Hats Valid till Sept. 8 for Merge-related Vulnerabilities
Ethereum is offering a bounty of up to $1 million to those who identify Merge-related critical vulnerabilities on its blockchain. The four-fold increase in reward applies between Wednesday and Sept. 8.
The "Merge" is essentially a network upgrade. The process, expected to be completed by Sept. 20, will switch the Ethereum blockchain from a proof-of-work to a proof-of-stake consensus mechanism.
A consensus mechanism is how a decentralized network agrees on which new transactions are added to the blockchain and who gets to add them. Proof of work and proof of stake are the two approaches at issue here, and the primary difference between them is how they choose that party. Proof of work requires miners, who voluntarily compete against each other to solve computationally expensive hash puzzles in order to 'mine' cryptocurrency, to produce the blocks of transactions. The process is slow, expensive and energy-intensive, but it has been proven at scale on blockchains such as Bitcoin. Proof of stake instead uses validators, nodes chosen in proportion to the amount of the network's tokens they have locked up as stake, to propose and verify blocks. Proponents consider this more secure because validators have a vested interest in the blockchain's integrity: they have put up a significant amount of cryptocurrency, and that locked stake is what they stand to lose if they misbehave.
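As an added illustration, not code from the article, the Ethereum Foundation or any client implementation, the following Python toy models the two mechanisms just described: a proof-of-work search for a nonce whose block hash falls below a difficulty target, and a deterministic, stake-weighted choice of which validator proposes the next block. The hash function, difficulty encoding, validator names and stake amounts are constructed for the example; real Ethereum proof of stake (RANDAO-based proposer selection, 32 ETH deposits, slashing) is considerably more involved.

```python
"""Toy proof-of-work and stake-weighted selection (constructed example, not Ethereum's code)."""
import hashlib
from typing import Dict, Tuple


def pow_mine(block_data: bytes, difficulty_bits: int, max_nonce: int = 10**7) -> Tuple[int, str, int]:
    """Search nonces until sha256(block_data || nonce) has `difficulty_bits` leading zero bits.

    Returns (nonce, hex digest, attempts). Expected attempts double with every
    extra bit of difficulty, which is the root of proof of work's cost.
    """
    target = 1 << (256 - difficulty_bits)          # hash value must be below this
    for nonce in range(max_nonce):
        digest = hashlib.sha256(block_data + nonce.to_bytes(8, "big")).digest()
        if int.from_bytes(digest, "big") < target:
            return nonce, digest.hex(), nonce + 1
    raise RuntimeError("no valid nonce found within max_nonce")


def pow_verify(block_data: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Verification is a single hash: cheap for every node, only mining is expensive."""
    digest = hashlib.sha256(block_data + nonce.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") < (1 << (256 - difficulty_bits))


def pos_select_proposer(stakes: Dict[str, int], seed: bytes) -> str:
    """Pick a validator with probability proportional to its stake.

    Toy scheme (assumption for this example): hash the seed to a point in
    [0, total_stake) and walk the cumulative stake table in sorted order, so
    every node holding the same seed derives the same proposer. A validator
    with zero stake can never be selected.
    """
    total = sum(stakes.values())
    if total <= 0:
        raise ValueError("no stake in the validator set")
    point = int.from_bytes(hashlib.sha256(seed).digest(), "big") % total
    cumulative = 0
    for validator in sorted(stakes):
        cumulative += stakes[validator]
        if point < cumulative:
            return validator
    raise AssertionError("unreachable: point is always below total stake")


def pos_selection_frequencies(stakes: Dict[str, int], slots: int) -> Dict[str, int]:
    """Run the selection over many slots to show the stake weighting empirically.

    The slot number stands in for the per-slot randomness a real chain would use.
    """
    counts = {validator: 0 for validator in stakes}
    for slot in range(slots):
        counts[pos_select_proposer(stakes, slot.to_bytes(8, "big"))] += 1
    return counts


if __name__ == "__main__":
    nonce, digest, attempts = pow_mine(b"constructed block header", 16)
    print(f"PoW: nonce={nonce} attempts={attempts} hash={digest[:16]}...")
    print("PoW verify:", pow_verify(b"constructed block header", nonce, 16))

    # Constructed validator set: stake in arbitrary token units.
    stakes = {"alice": 32, "bob": 64, "carol": 160, "dave": 0}
    print("PoS proposer counts over 2560 slots:", pos_selection_frequencies(stakes, 2560))
```

Running the block shows the asymmetry the paragraph describes: mining at 16 bits of difficulty takes tens of thousands of hashes on average while verification is one hash, and over many slots each validator is chosen roughly in proportion to its stake, with the unstaked validator never selected.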
Proof of stake allows more users to participate in the network consensus, since a validator node can be run on a normal laptop. Proof of work requires expensive digital mining equipment. "This decentralizes the network and is arguably good for security," Dan Sherrets, solutions architect at bug bounty platform HackerOne, tells Information Security Media Group.
But proof of stake is also more complex and requires multiple pieces of software to work together. "This isn’t necessarily bad for security in and of itself, but it does introduce additional opportunities for bugs in the software that can create issues across the network," he says.
Ethereum's announcement of the large bounties to white hat hackers finding critical bugs is not unprecedented. Axie Infinity launched a bug bounty program, offering bounties of up to $1 million after hackers drained more than $600 million from the company’s Ethereum sidechain Ronin. Aurora paid a $6 million bounty to a white hat for reporting a critical vulnerability that could have caused about $300 million worth of losses for the company.
Merge-related Bounty and Risks
Ethereum did not respond to ISMG's request for details on what defines a Merge-related bug.
"I would consider any vulnerabilities on a client, specification or Beacon Chain deposit contract [which introduces the proof-of-stake mechanism to Ethereum] that could be exploited during, or shortly after, the Merge to be Merge-related. The caveat here is that the Ethereum Foundation may have a different definition and that doesn’t appear to be explicitly defined on its bounty page," says Sherrets.
It is also tough to specify what constitutes a Merge-related vulnerability, as the category can include novel attack vectors that are yet to be discovered, blockchain security company CertiK says.
Sherrets adds that few researchers have the skills required to find vulnerabilities in these types of projects. "Some of the most impactful vulnerabilities I have seen in this space have required researchers with deep understanding of cryptography, economics, computer science and mathematics," Sherrets says.
In the Web3 world, bug bounty programs often serve a different function than they do in the more traditional Web2 space, Sherrets adds. "For example, if a smart contract that has $100 million of cryptocurrency locked in it has a critical vulnerability, then that means an attacker could steal or destroy all $100 million. But if a program offers a $1 million bug bounty, it may encourage the attacker to just report the issue and collect the bounty legally and cleanly," he says. In the Web2 world, this is not a regular conundrum, as direct access to funds is rarely involved.
This also points to one of the risks of Ethereum's latest program: if the white hat hackers enlisted are unknown entities, bugs may end up being exploited rather than reported to the project, CertiK says.
A know-your-customer mechanism to identify the white hats enlisted to find bugs is therefore vital, CertiK says, and bug bounties should form one part of a continuous security assessment alongside smart contract audits and blockchain analytics tools, because projects under continued development acquire new vulnerabilities as new functionality is added.