The crypto space is no stranger to monumental hacking incidents, with the digital asset industry losing more than $320 million to exploits in the first quarter of this year alone. However, recent attacks indicate that some hackers are ready to return their loot in exchange for monetary benefits described as a bug bounty program.

Hacking And Bug Bounty Programs

Three high-profile hacking incidents have taken place in April alone, with the attackers returning the stolen digital assets. The attacks had huge ramifications on the decentralized finance (DeFi) industry.

The first occurred on April 4, when the Euler Finance team recovered $176.4 million from the hacker after offering the attacker 10% of the stolen funds as a bounty payment. In a related development, the DeFi lending protocol Sentiment recovered nearly a million dollars in stolen crypto assets after negotiating with the exploiter.

Recently, SafeMoon suffered an exploit where the attacker stole $8.9 million before agreeing to return 80% of the funds. Observers believe firms would have avoided the recent hacking incidents by implementing a highly rewarding bounty program.

They further noted that the attacks occurred because the bounty offers weren’t sufficient in the eyes of the ethical hacker. According to Steven Walbroehl, co-founder of the cybersecurity company Halborn, it is common to see firms refusing to pay out bug bounties to hackers.

Walbroehl added that some platforms also need to take vulnerability reports seriously. Walbroehl, a former bounty hunter, explained that some bounty programs often left him feeling short-changed because of the low reward for detecting a bug.

According to him, most companies are unwilling to pay white hat hackers for reporting critical bugs, claiming their own team had already spotted the bugs. He said there are many companies in this category.

A Call For Change

Simon Zhu, a senior product director at the blockchain security platform CertiK, noted that companies need to create enticing bounty rewards that are profitable for developers. Zhu explained that while recovering funds is a win for DeFi protocols, it should not be the only path, because in the meantime the hackers still hold customer funds.

He believes that white hat bug bounty programs are the most effective here. He noted that platforms with no bounty programs to ensure the return of funds may have to pay a much higher price to retrieve their customers’ funds.

According to him, with no bounty program, or an unenticing one, it is less profitable and less safe for developers to disclose vulnerabilities on a platform. Furthermore, Zhu argued that projects need to change their thinking about the reward package they offer for vulnerability disclosure.

The former bug hunter also revealed that the cybersecurity experts on some development teams tend to ignore minor bugs to avoid the cost of fixing them. However, he explained that a minor bug can become a major one overnight in the fast-evolving Web3 ecosystem.

Hence, Zhu suggested that it is time for companies to stop risking user deposits because they don’t want to incur the expense of fixing seemingly small glitches. He predicted that hacking incidents would continue to rise if companies didn’t change their attitudes about bug bounty rewards.

By George Ward

George Ward is a crypto journalist and market analyst at Herald Sheets, known for his engaging articles on the latest digital currency trends. With a background in finance and journalism, he presents complex topics accessibly. George holds a degree in Business and Finance from the University of Cambridge.